PwnCollege - RE - Metadata and Data

Metadata and Data (Python)

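def main():
    """Validate a cimg image and print the flag when every check passes.

    The image is read from the path in ``sys.argv[1]`` (which must end in
    ``.cimg``) or, when no argument is given, from standard input.

    Layout enforced below (all integers little-endian):
        bytes 0-3   magic number, must be b"CNmG"
        bytes 4-5   version, must be 1
        bytes 6-7   width, must be 66
        bytes 8-9   height, must be 17
        then        width * height bytes of pixel data

    Raises:
        AssertionError: with an "ERROR: ..." message on the first failed check.
    """

    def require(condition, message):
        # Raise explicitly instead of using `assert`: assert statements are
        # removed when Python runs with -O, which would disable every check
        # that guards the flag. AssertionError is kept so existing handlers
        # that catch it keep working.
        if not condition:
            raise AssertionError(message)

    if len(sys.argv) >= 2:
        path = sys.argv[1]
        require(path.endswith(".cimg"), "ERROR: file has incorrect extension")
        file = open(path, "rb")
    else:
        file = sys.stdin.buffer

    try:
        # NOTE: read1() issues at most one read on the underlying stream, so a
        # short read (possible on a pipe) is reported as a failed read.
        header = file.read1(10)
        require(len(header) == 10, "ERROR: Failed to read header!")

        require(header[:4] == b"CNmG", "ERROR: Invalid magic number!")

        require(
            int.from_bytes(header[4:6], "little") == 1,
            "ERROR: Invalid version!",
        )

        width = int.from_bytes(header[6:8], "little")
        require(width == 66, "ERROR: Incorrect width!")

        height = int.from_bytes(header[8:10], "little")
        require(height == 17, "ERROR: Incorrect height!")

        # The metadata must agree with the data: exactly width * height bytes.
        data = file.read1(width * height)
        require(len(data) == width * height, "ERROR: Failed to read data!")
    finally:
        # Close the handle we opened ourselves; leave stdin alone.
        if file is not sys.stdin.buffer:
            file.close()

    # Pixel is defined elsewhere in the challenge; any validation it performs
    # on each byte happens here, before the flag is read.
    pixels = [Pixel(character) for character in data]

    with open("/flag", "r") as f:
        flag = f.read()
        print(flag)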


if __name__ == "__main__":
    try:
        main()
    except AssertionError as failure:
        # Each failed check in main() arrives here as an AssertionError whose
        # text is the "ERROR: ..." message; report it on stderr and exit
        # with a failure status.
        print(failure, file=sys.stderr)
        sys.exit(-1)
from pwn import *
from pwn import process

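import struct  # explicit import; do not rely on `from pwn import *` exposing it

# Header values taken from the checks in the challenge's main():
header = b"CNmG"  # magic number, compared against header[:4]
version = 1       # header[4:6]
width = 66        # header[6:8]
height = 17       # header[8:10]
# The parser reads exactly width * height bytes after the header.
data_length = width * height

# "<4sHHH": little-endian, a 4-byte magic followed by three unsigned 16-bit
# fields, which gives the 10-byte header the parser reads.
file_header = struct.pack("<4sHHH", header, version, width, height)

# Filler pixel bytes. Pixel() is not shown in the listing, so whether it
# restricts the allowed byte values has to be checked against the challenge.
pixel_data = b"A" * data_length

payload = file_header + pixel_data

# The name must end in ".cimg" to pass the extension check. The context
# manager guarantees the file is flushed and closed before the challenge
# binary opens it.
with open("payload.cimg", "wb") as file:
    file.write(payload)

p = process(["/challenge/cimg", "payload.cimg"], stdin=process.PTY, stdout=process.PTY)
print(p.recvall())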

pwn.college{**********************************************}

Metadata and Data (C)

// ...
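/*
 * Entry point of the cimg checker.
 *
 * Reads a cimg image from the file named in argv[1] (which must end in
 * ".cimg") or from standard input, validates the header metadata (magic
 * number, version, width, height), reads the pixel data whose size is
 * derived from that metadata, and calls win() when everything matched.
 * Every failed check prints an "ERROR: ..." message and exits with -1.
 *
 * struct cimg, pixel_t, read_exact() and win() are declared in the part of
 * the file that is elided above.
 */
int main(int argc, char **argv, char **envp)
{

    struct cimg cimg = { 0 };
    int won = 1;

    if (argc > 1)
    {
        /*
         * Only the last five characters are compared. A name shorter than
         * five characters cannot end in ".cimg"; rejecting it first also
         * keeps the pointer arithmetic from stepping before the start of
         * argv[1] (an out-of-bounds read).
         */
        size_t name_len = strlen(argv[1]);
        if (name_len < 5 || strcmp(argv[1] + name_len - 5, ".cimg"))
        {
            printf("ERROR: Invalid file extension!");
            exit(-1);
        }

        /*
         * Redirect the file onto fd 0 so the rest of main() always reads
         * from standard input. A failed open() must stop here; otherwise
         * the header would be read from whatever stdin already was.
         */
        int fd = open(argv[1], O_RDONLY);
        if (fd < 0 || dup2(fd, 0) < 0)
        {
            puts("ERROR: Failed to open file!");
            exit(-1);
        }
        if (fd != 0)
        {
            close(fd);
        }
    }

    read_exact(0, &cimg.header, sizeof(cimg.header), "ERROR: Failed to read header!", -1);

    /* Magic number: the four bytes 'C', 'm', '@', 'g'. */
    if (cimg.header.magic_number[0] != 'C' || cimg.header.magic_number[1] != 'm' || cimg.header.magic_number[2] != '@' || cimg.header.magic_number[3] != 'g')
    {
        puts("ERROR: Invalid magic number!");
        exit(-1);
    }

    if (cimg.header.version != 1)
    {
        puts("ERROR: Unsupported version!");
        exit(-1);
    }

    /* The dimensions are fixed, so data_size below is a known constant. */
    if (cimg.header.width != 71)
    {
        puts("ERROR: Incorrect width!");
        exit(-1);
    }

    if (cimg.header.height != 21)
    {
        puts("ERROR: Incorrect height!");
        exit(-1);
    }

    /* The amount of pixel data is derived from the validated metadata. */
    unsigned long data_size = cimg.header.width * cimg.header.height * sizeof(pixel_t);
    pixel_t *data = malloc(data_size);
    if (data == NULL)
    {
        puts("ERROR: Failed to allocate memory for the image data!");
        exit(-1);
    }
    read_exact(0, data, data_size, "ERROR: Failed to read data!", -1);

    if (won) win();
}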
from pwn import *
from pwn import process

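import struct  # explicit import; do not rely on `from pwn import *` exposing it

# Header values taken from the comparisons in the C main():
header = b"Cm@g"  # magic_number[0..3] must be 'C', 'm', '@', 'g'
version = 1       # cimg.header.version
width = 71        # cimg.header.width
height = 21       # cimg.header.height
# The C code reads width * height * sizeof(pixel_t) bytes; this length
# assumes sizeof(pixel_t) == 1 -- the typedef is not shown in the listing.
data_length = width * height

# "<4sHBH": little-endian, 4-byte magic, 2-byte version, 1-byte width,
# 2-byte height. The field sizes come from the struct definition, which is
# elided from the listing above -- verify them against the binary.
file_header = struct.pack("<4sHBH", header, version, width, height)

# Filler pixel bytes; main() as shown does not inspect the pixel values.
pixel_data = b"A" * data_length

payload = file_header + pixel_data

# The name must end in ".cimg" to pass the extension check. The context
# manager guarantees the file is flushed and closed before the challenge
# binary opens it.
with open("payload.cimg", "wb") as file:
    file.write(payload)

p = process(["/challenge/cimg", "payload.cimg"], stdin=process.PTY, stdout=process.PTY)
print(p.recvall())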

b'pwn.college{**********************************************}'

Metadata and Data (x86)

# ...
│ 0x004012fc 807c240d5b cmp byte [rsp + 0xd], 0x5b ; '['
│ ┌─< 0x00401301 7515 jne 0x401318
│ │ 0x00401303 807c240e4d cmp byte [rsp + 0xe], 0x4d ; 'M'
│┌──< 0x00401308 750e jne 0x401318
│││ 0x0040130a 807c240f61 cmp byte [rsp + 0xf], 0x61 ; 'a'
┌────< 0x0040130f 7507 jne 0x401318
││││ 0x00401311 807c241067 cmp byte [rsp + 0x10], 0x67 ; 'g'
┌─────< 0x00401316 7414 je 0x40132c
│└─└└─> 0x00401318 488d3df70d.. lea rdi, str.ERROR:_Invalid_magic_number_ ; 0x402116 ; "ERROR: Invalid magic number!"
┌─┌─┌┌─> 0x0040131f e81cfeffff call sym.imp.puts ;[6]
╎│╎└───> 0x00401324 83cfff or edi, 0xffffffff ; -1
╎│╎ ╎╎ 0x00401327 e8d4feffff call sym.imp.exit ;[7]
╎└─────> 0x0040132c 837c241101 cmp dword [rsp + 0x11], 1 # dword -> 4 bytes
╎ ╎ ╎╎ 0x00401331 488d3dfb0d.. lea rdi, str.ERROR:_Unsupported_version_ ; 0x402133 ; "ERROR: Unsupported version!"
└──────< 0x00401338 75e5 jne 0x40131f
╎ ╎╎ 0x0040133a 66837c241544 cmp word [rsp + 0x15], 0x44 ; 'D' word -> 2 bytes
╎ ╎╎ 0x00401340 488d3d080e.. lea rdi, str.ERROR:_Incorrect_width_ ; 0x40214f ; "ERROR: Incorrect width!"
└────< 0x00401347 75d6 jne 0x40131f
╎╎ 0x00401349 807c24170f cmp byte [rsp + 0x17], 0xf
╎╎ 0x0040134e 488d3d120e.. lea rdi, str.ERROR:_Incorrect_height_ ; 0x402167 ; "ERROR: Incorrect height!"
└──< 0x00401355 75c8 jne 0x40131f
╎ 0x00401357 bffc030000 mov edi, 0x3fc ; 1020
╎ 0x0040135c e85ffeffff call sym.imp.malloc ;[8]
╎ 0x00401361 488d3d180e.. lea rdi, str.ERROR:_Failed_to_allocate_memory_for_the_image_data_ ; 0x402180 ; "ERROR: Failed to all
╎ 0x00401368 4889c6 mov rsi, rax
╎ 0x0040136b 4885c0 test rax, rax
└─< 0x0040136e 74af je 0x40131f
0x00401370 4183c8ff or r8d, 0xffffffff ; -1
0x00401374 31ff xor edi, edi
0x00401376 bafc030000 mov edx, 0x3fc ; 1020
0x0040137b 488d0d330e.. lea rcx, str.ERROR:_Failed_to_read_data_ ; 0x4021b5 ; "ERROR: Failed to read data!"
0x00401382 e804020000 call sym.read_exact ;[5]
# ...
from pwn import *
from pwn import process

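import struct  # explicit import; do not rely on `from pwn import *` exposing it

# Header values read off the comparisons in the disassembly:
header = b"[Mag"  # bytes at rsp+0xd .. rsp+0x10: 0x5b, 'M', 'a', 'g'
version = 1       # cmp dword [rsp + 0x11], 1
width = 0x44      # cmp word  [rsp + 0x15], 0x44
height = 0xf      # cmp byte  [rsp + 0x17], 0xf
# 0x44 * 0xf = 1020 = 0x3fc, the size passed to malloc and to read_exact.
data_length = width * height

# "<4sIHB": little-endian, 4-byte magic, 4-byte version (dword), 2-byte
# width (word), 1-byte height (byte) -- the operand sizes of the cmp
# instructions give the field sizes.
file_header = struct.pack("<4sIHB", header, version, width, height)

# Filler pixel bytes; the disassembly shown only reads them, it does not
# compare their values.
pixel_data = b"A" * data_length

payload = file_header + pixel_data

# The context manager guarantees the file is flushed and closed before the
# challenge binary opens it.
with open("payload.cimg", "wb") as file:
    file.write(payload)

p = process(["/challenge/cimg", "payload.cimg"], stdin=process.PTY, stdout=process.PTY)
print(p.recvall())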

b'pwn.college{**********************************************}'