# NTU Computer Security HW3

###### tags: `NTU`

## how2know

* **core concept: a blind-SQL-injection-like attack** (the hang-or-crash behaviour is the oracle that leaks the flag one character at a time)
* security countermeasure

  ![](https://i.imgur.com/98OcWLc.png)
* flag address:
  * get the RVA from the return address on the stack
  * add the offset

    ```asm
    mov rax, qword [rsp - 8]
    add rax, 0x2c64        ; now rax holds the address of "flag"
    ```
* payload workflow
  * brute-force every character of the flag
  * if `flag[i]` equals `guessed_char`, go into an infinite loop
  * else go to a crash (`jmp 0x8787`)

## rop++

* statically linked binary
* payload workflow
  * core concept
    * **read `/bin/bash` and the `argv` structure into `.bss`** (since no usable `/bin/bash` or `/bin/sh` gadget is available)
    * **set the registers and jump to the `syscall` inside the `read` function to call `execve`**
  * use `ROPgadget` to find suitable gadgets

## babyums

### flag1

* **core concept: free the password and retrieve it back from tcache**
* step 1: allocate a new user
* step 2: delete admin so that its chunk enters tcache
* step 3: retrieve it back by allocating a chunk of 40 bytes (`sizeof(User) == 40`) and filling its user name with 16 bytes
* step 4: print it out with `%s`

### flag2

* step 1: edit user 0's chunk with an allocation size greater than or equal to **0x410** and free it so that it enters the **unsorted bin**
  * note: to **prevent it from being merged into the top chunk**, allocate one more chunk to block the top chunk before freeing it
* step 2: print out the libc address with `show_users` and compute the addresses of `system` and `__free_hook` from their offsets
* step 3: retrieve user 0's unsorted-bin chunk and edit it with a size larger than that, overwriting user 1's data pointer with the address of `__free_hook`

  ![](https://i.imgur.com/LYG3mQu.png)
* step 4: write the address of `system` to `__free_hook`
* step 5: allocate an arbitrary chunk containing `/bin/bash` and free it; this yields a shell

## miniums

* step 1: create a chunk in the unsorted bin via `edit_data` -> add a chunk to prevent top-chunk merging -> `del_user` (that chunk is probably used as a buffer for `_IO_FILE`? idk)
* step 2: obtain that chunk back with an allocation size greater than `0x1e0 - 16 + 8` (since there are entries of 0x30 and 0x1e0 in tcache) and print it out to leak the libc address
* step 3: allocate 2 users and delete the first one so that its `FILE` structure enters tcache
* step 4: obtain it back with allocation size `0x1e0 - 16 + 8` and craft a `FILE` structure that lets the user write content to `__free_hook` through `stdin`
* step 5: enter the payload with the address of `system` and free another chunk containing `/bin/bash` to obtain a shell
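The babyums flag1 steps above rely on one allocator property: a freed 40-byte chunk goes into tcache, the next `malloc(40)` gets the very same chunk back, and tcache only overwrites the first 16 bytes of user data (its `next` pointer and `key`), so whatever sat at offset 16 and beyond, here the password, is still there. The example below is added here and is not part of the homework or the challenge binary; the `User` layout, field names and `DEMO_PASSWORD` value are constructed assumptions chosen to match `sizeof(User) == 40`. It shows the stale data surviving a plain `free`, and the fix a defender would apply: scrub the secret before handing the chunk back to the allocator. The read is done by bounded byte comparison rather than `%s`, since a 16-byte name with no terminator is exactly why `%s` walks into the password field in the challenge.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed layout: a 16-byte name followed by a 24-byte password,
 * 40 bytes in total, mirroring sizeof(User) == 40 from the notes.
 * These field names are assumptions, not the challenge's real struct. */
typedef struct {
    char name[16];
    char password[24];
} User;

/* Hypothetical secret used only for this demonstration. */
static const char DEMO_PASSWORD[] = "hunter2-constructed";

/* Zero a buffer through a volatile pointer so the compiler cannot drop the
 * stores as "dead" writes to memory that is about to be freed, then free it. */
static void secure_free(void *p, size_t n) {
    volatile unsigned char *vp = (volatile unsigned char *)p;
    for (size_t i = 0; i < n; i++)
        vp[i] = 0;
    free(p);
}

/*
 * Returns 1 if the old password is still readable from the recycled chunk,
 * 0 if it is not, and -1 if the allocator handed back a different chunk
 * (in which case this run proves nothing either way).
 *
 * With glibc's tcache the freed 40-byte chunk is returned to the very next
 * malloc(40). tcache writes its metadata over the first 16 bytes (the name
 * field) but leaves the password at offset 16 untouched unless the program
 * scrubbed it before free().
 */
int stale_password_survives(int scrub_before_free) {
    User *admin = malloc(sizeof(User));
    if (!admin) return -1;
    memset(admin, 0, sizeof(User));
    strcpy(admin->name, "admin");
    strcpy(admin->password, DEMO_PASSWORD);
    void *old_addr = admin;

    if (scrub_before_free)
        secure_free(admin, sizeof(User));
    else
        free(admin);            /* the vulnerable pattern: secret left in place */

    User *fresh = malloc(sizeof(User));
    if (!fresh) return -1;
    int same_chunk = ((void *)fresh == old_addr);

    /* Bounded byte-by-byte comparison of the region where the password lived;
     * volatile forces real loads from the uninitialised chunk. */
    int leaked = 1;
    volatile unsigned char *vp = (volatile unsigned char *)fresh->password;
    for (size_t i = 0; i < sizeof(DEMO_PASSWORD); i++) {
        if (vp[i] != (unsigned char)DEMO_PASSWORD[i]) {
            leaked = 0;
            break;
        }
    }
    free(fresh);

    if (!same_chunk) return -1;
    return leaked;
}

int main(void) {
    printf("plain free  -> stale password readable: %d\n", stale_password_survives(0));
    printf("scrub+free  -> stale password readable: %d\n", stale_password_survives(1));
    return 0;
}
```

On glibc the plain-`free` path reports 1 and the scrubbed path reports 0; on an allocator that does not recycle the chunk immediately the function returns -1 instead of guessing. Scrubbing before `free` (or using `explicit_bzero` where available) is the cheap mitigation; bounding every print of the name field to 16 bytes (`%.16s`) closes the second half of the flag1 chain.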