diff --git a/pwnshop/challenges/__init__.py b/pwnshop/challenges/__init__.py index 7e87b7d..ce702d5 100644 --- a/pwnshop/challenges/__init__.py +++ b/pwnshop/challenges/__init__.py @@ -44,6 +44,7 @@ class Challenge: COMPILER = "gcc" PIE = None RELRO = "full" + MASM_FLAG = "-masm=intel" CANARY = None FRAME_POINTER = None STATIC = False @@ -143,7 +144,8 @@ def build_compiler_cmd(self): if self.STRIP: cmd.append("-s") - cmd.append("-masm=intel") + if self.MASM_FLAG: + cmd.append(self.MASM_FLAG) cmd.append("-w") diff --git a/pwnshop/challenges/base/base.c b/pwnshop/challenges/base/base.c index e64871d..85068da 100644 --- a/pwnshop/challenges/base/base.c +++ b/pwnshop/challenges/base/base.c @@ -80,12 +80,12 @@ printf(" Your effective user id is not 0!\n"); printf(" You must directly run the suid binary in order to have the correct permissions!\n"); } - return; + exit(-1); } flag_length = read(flag_fd, flag, sizeof(flag)); if (flag_length <= 0) { printf("\n ERROR: Failed to read the flag -- %s!\n", strerror(errno)); - return; + exit(-1); } {% set stdout = "fileno(thread_stdout)" if challenge.threaded_server else "1"%} write({{ stdout }}, flag, flag_length); diff --git a/pwnshop/challenges/disassemble_rop_aarch64.c b/pwnshop/challenges/disassemble_rop_aarch64.c new file mode 100644 index 0000000..bd2812f --- /dev/null +++ b/pwnshop/challenges/disassemble_rop_aarch64.c @@ -0,0 +1,53 @@ + +#include +#include + +#define CAPSTONE_ARCH CS_ARCH_ARM64 +#define CAPSTONE_MODE CS_MODE_ARM + +void print_gadget(unsigned long *gadget_addr) +{ + csh handle; + cs_insn *insn; + size_t count; + unsigned char vec[64]; + + if (cs_open(CAPSTONE_ARCH, CAPSTONE_MODE, &handle) != CS_ERR_OK) { + printf("ERROR: disassembler failed to initialize.\n"); + return; + } + + printf("| 0x%016lx: ", (unsigned long)gadget_addr); + + int r = mincore((void *) ((uintptr_t)gadget_addr & ~0xfff), 64, vec); + if (r < 0 && errno == ENOMEM) { + printf("(UNMAPPED MEMORY)"); + } + else { + count = cs_disasm(handle, (void *)gadget_addr, 64, (uint64_t)gadget_addr, 0, &insn); + if (count > 0) { + for (size_t j = 0; j < count; j++) { + printf("%s %s ; ", insn[j].mnemonic, insn[j].op_str); + if (strcmp(insn[j].mnemonic, "ret") == 0 || strcmp(insn[j].mnemonic, "blr") == 0) break; + } + + cs_free(insn, count); + } + else { + printf("(DISASSEMBLY ERROR) "); + for (int k = 0; k < 16; k++) printf("%02hhx ", ((uint8_t*)gadget_addr)[k]); + } + } + printf("\n"); + + cs_close(&handle); +} + +void print_chain(unsigned long **chain_addr, int chain_length) +{ + printf("\n+--- Printing %ld gadgets of ROP chain at %p.\n", chain_length, chain_addr); + for (int i = 0; i < chain_length; i++) { + print_gadget(*(chain_addr + i)); + } + printf("\n"); +} diff --git a/pwnshop/challenges/stack_recon_aarch64.c b/pwnshop/challenges/stack_recon_aarch64.c new file mode 100644 index 0000000..dcf0341 --- /dev/null +++ b/pwnshop/challenges/stack_recon_aarch64.c @@ -0,0 +1,27 @@ +uint64_t sp_; +uint64_t bp_; +uint64_t sz_; +uint64_t cp_; +uint64_t cv_; +uint64_t si_; +uint64_t rp_; + +#define GET_SP(sp) asm volatile ("mov %0, SP" : "=r"(sp) : : ); +#define GET_BP(bp) asm volatile ("mov %0, FP" : "=r"(bp) : : ); +#define GET_FRAME_WORDS(sz_, sp, bp, rp_) GET_SP(sp); GET_BP(bp); sz_ = (bp-sp)/8+2; rp_ = bp+0x8; + +void DUMP_STACK(uint64_t sp, uint64_t n) +{ + printf("+---------------------------------+-------------------------+--------------------+\n"); + printf("| %31s | %23s | %18s |\n", "Stack location", "Data (bytes)", "Data (LE int)"); + printf("+---------------------------------+-------------------------+--------------------+\n"); + for (si_ = 0; si_ < n; si_++) { + printf("| 0x%016lx (rsp+0x%04x) | %02x %02x %02x %02x %02x %02x %02x %02x | 0x%016lx |\n", + sp+8*si_, 8*si_, + *(uint8_t *)(sp+8*si_+0), *(uint8_t *)(sp+8*si_+1), *(uint8_t *)(sp+8*si_+2), *(uint8_t *)(sp+8*si_+3), + *(uint8_t *)(sp+8*si_+4), *(uint8_t *)(sp+8*si_+5), *(uint8_t *)(sp+8*si_+6), *(uint8_t *)(sp+8*si_+7), + *(uint64_t *)(sp+8*si_) + ); + } + printf("+---------------------------------+-------------------------+--------------------+\n"); +}