Sheet 5
General Information
All solutions must be Python 3 scripts if not stated otherwise. If you are new to Python 3, have a look online, there are many good resources to get started such as this intro course, this advanced course, this blog post, and this slide deck.
Please keep in mind that you should:
- read the task description carefully
- push all your changes to the GitLab repository (main branch) before the deadline. Also make sure that the file permissions are set correctly! If you are new to Git, check out this site!
- Make sure that your solution (also) runs in the CI environment (and not just on your local machine); this also means that you must install all additional packages yourself from within the solution script (see our blog post for details on how to do that).
- Make sure that the solution is an executable Python 3 script named solution (chmod +x ./solution) with a working shebang line at the top (i.e. #!/usr/bin/env python3) so that it can be executed like this: ./solution (do not name your script solution.py, Solution, solution.sh, … – just solution)
- The final solution string, and only that, must be written to stdout and could be a number, a string, or a string with the format FLAG{some letters and digits here}, depending on the specific task.
- Describe what you are doing using detailed comments for all your solution scripts! For example, use Docstrings (link) or inline comments:

      def check_input_length(input_string):
          """
          The input string must have a length greater than 42
          and must also be even.
          """
          length = len(input_string)
          # the final check happens here
          return (length > 42) and (length % 2 == 0)

  This helps us to find out if you really understood the task and are not just brute-forcing some solutions. Please do not leave any commented-out code (i.e., code that is not needed to solve the task) in your solution files!
- Make sure that your solution executes within 10 seconds (this is a hard timeout on our server).
- You must not use the proc filesystem to "leak" addresses of e.g. libc. This means using process.libc.address without leaking and setting it first yourself is not permitted.
- Violating any of the points above might lead to reduced final points for the specific task!
The deadline for this sheet is 2023-07-04 23:00:00 UTC
Task 19 – Simple Heap (8 Points, individual Task)
This exercise uses a simple implementation for malloc and free which you can find in simple_heap.c.
Exploit the simple_heap binary to print the flag.
Edit the provided solution template and explain your approach with meaningful comments!
Your solution should execute like this:
Task 20 – Bank Robbery 2.0 (16 Points)
You are now a member of the digital bank robber group Fang-Den-Shui which is famous for stealing money from the rich and giving it to the poor. Are you ready to prove your value?
To successfully rob the bank, exploit bank_robbery to make it print the flag!
Edit the provided solution template and explain your approach with meaningful comments!
Hints:
- Can you configure your panic() function wisely?
- Are you able to influence the allocation on the heap in a way that lets you overwrite something nice there?
Your solution should execute like this:
Task 21 – Simple Heap, but different (8 Points)
This exercise uses a simple implementation for malloc and free which you can find in simple_heap.c.
Exploit the simple_heap binary and print the flag!
Edit the provided solution template and explain your approach with meaningful comments!
Your solution should execute like this:
Task 22 – A little printer developed during Xmas (16 Points)
Our developer team just built this little printer during Xmas. We hope you enjoy our printer while the baubles are still dangling under your Xmas tree.
Yes, the Christmassy theme does not really fit the summer semester anymore. But try finding something summery that dangles!
Exploit myLittlePrinter to print the flag!
Once again, edit the provided solution template and explain your approach with meaningful comments!
Furthermore, you must exploit the leak in the binary to calculate the address.
Hints:
- What do you know about dangling pointers?
- Do you remember format string bugs?
Your solution should execute like this:
Task 23 – Some Poison for the cash machine (16 Points)
Money is not everything, but with money everything is more fun. Therefore we want to use this awesome cash machine to get our money printed.
Poison cash_machine in a way that it gives you a shell, and use the shell to print the flag!
Edit the provided solution template and explain your approach with meaningful comments!
Hints:
- Have a look at the backdoor function
- How can you set up RDI when invoking the backdoor function?
- Which function offers you the possibility that your allocation gets into the TCACHE?
- Can you see the difference between the cashbox_delete and the cashbox_update functions? What can you use after that?
Your solution should execute like this:
Task 24 – Admin RE: Bad Characters and a Non-Executable Stack (8 Bonus Points, individual Task)
Look who is back! We could not let this neat task go to waste. Here is your chance to earn some bonus points if you want!
Task Description
Your task is to exploit a simple bug in exploitme.
But there is a problem: not all characters of your shellcode can be used!
Also, the stack/heap is not executable, so you have to get around that as well.
Your task is to:
- Write shellcode which prints the content of flag.txt to stdout,
- use the mprotect system call to make the input buffer executable again to run your shellcode,
- inject your bad-character-free payload into exploitme so that it will be executed and print the flag!
Your input should look like this:
Finding Bad Characters
Use the exploitme binary and try to input data that contains all possible bytes:
Debug the program and see if the complete input ends up in the input buffer.
Nothing there? Then the very first byte might be the culprit.
So, remove that byte and try again with \x01\x02\x03\x04...\xfe\xff. Maybe this time you see that all bytes up until \x0a (a newline character) end up in the buffer.
Again, remove that byte and continue with \x01\x02\x03\x04...\x09\x0b...\xfe\xff. When you reach \xff you will have collected all bytes that somehow destroyed your shellcode during the injection (e.g., \x00, \x0a).
Those bytes are your bad characters.
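The search procedure above, written out as an added Python helper (not part of the sheet's provided templates). The debugger step is abstracted as a callback; `fake_target` is a constructed stand-in for exploitme, assumed to cut the input at the first NUL and the first newline, so the helper runs offline:

```python
#!/usr/bin/env python3
"""Added helper for the bad-character search from Task 24 (not part of the sheet)."""


def candidate_bytes(bad_chars=()):
    """Return every byte value 0x00..0xff except those already known to be bad."""
    return bytes(b for b in range(256) if b not in set(bad_chars))


def first_bad_byte(sent, observed):
    """Compare the payload that was sent with what ended up in the buffer.

    Returns the first byte of `sent` that did not arrive unchanged (the buffer
    was cut short or a byte was altered), or None if everything arrived.
    """
    for i, b in enumerate(sent):
        if i >= len(observed) or observed[i] != b:
            return b
    return None


def find_bad_chars(send_and_dump):
    """Repeat the manual procedure: send all remaining bytes, inspect the buffer,
    record the culprit and try again until every byte arrives intact.

    `send_and_dump` is the part done by hand with a debugger: it takes a
    payload and returns the bytes actually found in the input buffer.
    """
    bad = []
    while len(bad) < 256:
        payload = candidate_bytes(bad)
        culprit = first_bad_byte(payload, send_and_dump(payload))
        if culprit is None:
            return bad
        bad.append(culprit)
    return bad


def fake_target(payload):
    """Constructed stand-in for exploitme (an assumption, not the real binary):
    the input is cut at the first NUL, like a C string copy, and at the first
    newline, like a line-based read."""
    end = len(payload)
    for stop in (b"\x00", b"\x0a"):
        pos = payload.find(stop)
        if pos != -1:
            end = min(end, pos)
    return payload[:end]


if __name__ == "__main__":
    # With the stand-in above the search finds exactly NUL and newline.
    print([hex(b) for b in find_bad_chars(fake_target)])
```

Replace `fake_target` with your own routine that sends the payload and dumps the buffer from the debugger, and keep the returned list as the `avoid` set for the encoder.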
Solution
Once again, edit the provided solution template and explain your approach with meaningful comments!
Your solution should execute like this:
As always, comment all of your code!
You do not have to automate the step of finding the bad characters.
Just add a comment to the solution file to describe what you did and upload your helper scripts if you created any.
Hints:
- Remember that the read() function does not put a NULL byte at the end of the string.
- Do not forget to submit your shellcode if you craft it by hand.
- When using the encoder of pwntools you can provide unwanted characters in the following way:

      encoders.encode(shellcode, avoid=bytearray([0x00, 0x0a]))