Add files via upload

Author: Alvaro

EBCTF 2013/bf

@@ -0,0 +1,4 @@
+#!/usr/bin/rarun2
+program=./bf
+stdin=">>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>."
+stdout=

EBCTF 2013/bf.rr2

@@ -0,0 +1,32 @@
+import r2pipe
+
+r = r2pipe.open("./bf")
+r.cmd('e dbg.profile=bf.rr2')
+r.cmd('doo') # initially you are debugging rarun2 
+r.cmd('db 0x08048703')
+r.cmd('dc')
+print r.cmd('drj')
+def step():
+ r.cmd('ds')
+ r.cmd('sr rip')
+while True:
+ disass = []
+ while True:
+ instruction = r.cmdj('pdj 1')[0]
+ if r.cmdj('drj')['eip'] == 0x08048816:
+ hexvalue = r.cmdj('drj')['eax'] #stack memory address for '>'
+ disass.append(r.cmdj('pxj 1 @%s'%hex(hexvalue)))
+ print (chr(27) + "[0;33m" + "[+] Memory address: "+hex(hexvalue)+chr(27) + "[0m")
+ print(r.cmdj('pxj 1 @%s'%hex(hexvalue)))
+ print("Lenght"+str(len(disass))) #Lenght
+ elif r.cmdj('drj')['eip'] == 0x08048864:
+ hexvalue = r.cmdj('drj')['eax'] #stack memory address for '.'
+ disass.append(r.cmdj('pxj 1 @%s'%hex(hexvalue)))
+ print (chr(27) + "[0;33m" + "[+] Memory address: "+hex(hexvalue)+chr(27) + "[0m")
+ print(r.cmdj('pxj 1 @%s'%hex(hexvalue)))
+ print("Lenght"+str(len(disass))) #Lenght
+ elif r.cmdj('drj')['eax'] == 0x080489cb:
+ print(r.cmd('drj')) #Info registers
+ print(r.cmd('px@esp'))
+ step()
+ 

EBCTF 2013/r2_recon.py

@@ -0,0 +1,8 @@
+from pwn import *
+while True:
+ for x in range(1,100):
+ p = remote("192.168.1.86", 1234)
+ p.recvuntil("FOR:")
+ payload = ">"*x+"."+"\n"
+ p.send(payload)
+ print("Try: "+str(x)+"--> "+p.recvline())