nyupcs / pcs-sp21-lab2-server


exploit-main #77

Open huyuxuan2020 opened 3 years ago

huyuxuan2020 commented 3 years ago

huyuxuan2020 commented 3 years ago

My NetID is yh3773, yuxuanHu, and my pub key id is 623D9B99.

huyuxuan2020 commented 3 years ago

ksmaybe commented 3 years ago

About exploit-main (exploit-service branch)
[*] Starting service from pcs-sp21-lab2-server (branch '4e3e44b6a6e102115dc4a1908890817d6c64b3b0')
[*] Failed to start service
#1 [internal] load build definition from Dockerfile
#1 sha256:62f7b0da0d7ba8ab841139210ce08f955034924f97a9cbb576528bec7d44a8fd
#1 transferring dockerfile: 1.48kB 0.0s done
#1 DONE 0.1s

#2 [internal] load .dockerignore
#2 sha256:e3db564902b2cf1b15ba9fe750ca6a78fccd9275eb34e677a8bcf4acddb0ad74
#2 transferring context:
#2 transferring context: 2B done
#2 DONE 0.0s

#3 [internal] load metadata for docker.io/i386/debian:buster-20201117
#3 sha256:75a539c8c393dbf6f00775110fb2d8912abfeeb171f3fda973a23f6f7f79ba9d
#3 DONE 1.4s

#4 [ 1/10] FROM docker.io/i386/debian:buster-20201117@sha256:0ea86907b0bde94cce2b66db2ee41d32dd420d8c6aa5afce91ddbaaa70d9af12
#4 sha256:4ea7fa44a29b4a4d9ab0aba13e61e83eb47ed268d4e04e91ad97d4b67cd944e1
#4 DONE 0.0s

#7 [internal] load build context
#7 sha256:25a5c21044111c5d4426692c1b4e6e8d0149e5176bb72b8a42d49ec9be69312b
#7 transferring context: 828B 0.0s done
#7 DONE 0.0s

#5 [ 2/10] RUN apt-get update && apt-get install -y         make         gcc          gdb         procps         xinetd
#5 sha256:ed119c10e5d76b1922fa6f9cb6490eb44a8b09805ac035a3229fcaa197927a88
#5 CACHED

#6 [ 3/10] RUN mkdir -p /var/ctf
#6 sha256:9d623fc759385c1ddbd51d96fd1dd042e50448aa5f2b0a0cdf1a35e28c9f578d
#6 CACHED

#8 [ 4/10] COPY flag /var/ctf/
#8 sha256:b0342f6a9663213f4512e9c7772482b96c244562a656ad228f48fffcebfc68f8
#8 DONE 0.1s

#9 [ 5/10] ADD /service /src
#9 sha256:99f5781d7c903291538d99297319f384d94c65fdf0f2c6b8903976bc6c2e14db
#9 DONE 0.1s

#10 [ 6/10] COPY echo_service /etc/xinetd.d/
#10 sha256:2e4929453decaa6a2b30511b46a6acca4d48c4296ea6d165b7f43f3624a7ab3e
#10 DONE 0.2s

#11 [ 7/10] RUN cd /src; make
#11 sha256:dded319f95c4f986a7d9512d4eb5ecda0e6335cf19c11960896fb7ff7c66366b
#11 1.099 gcc echo.c -z execstack -fno-stack-protector -o echo
#11 1.169 echo.c: In function 'interact':
#11 1.169 echo.c:11:5: warning: implicit declaration of function 'gets'; did you mean 'fgets'? [-Wimplicit-function-declaration]
#11 1.169      gets(buf);
#11 1.169      ^~~~
#11 1.169      fgets
#11 1.273 /usr/bin/ld: /tmp/ccHE32Zq.o: in function `interact':
#11 1.273 echo.c:(.text+0x30): warning: the `gets' function is dangerous and should not be used.
#11 DONE 1.4s

#12 [ 8/10] WORKDIR /src
#12 sha256:0d8a06f984bd24242e8d195ba5de71431d95bcb4c7de25dac35144ca968d29a6
#12 DONE 0.1s

#13 [ 9/10] RUN echo "echo_service 4000/tcp" >> /etc/services
#13 sha256:0bba6d1c56119b241483fef7624d294cefaf301022171e31ae788785e29f5c69
#13 DONE 1.0s

#14 [10/10] RUN service xinetd restart
#14 sha256:e66996a9240bac6347e1f042d4ac020afca0d324ed9a4cdeb50c6099f0b263e2
#14 1.255 Stopping internet superserver: xinetd.
#14 1.314 Starting internet superserver: xinetd.
#14 DONE 1.4s

#15 exporting to image
#15 sha256:e8c613e07b0b7ff33893b694f7759a10d42e180f2b4dc349fb57dc6b71dcab00
#15 exporting layers
#15 exporting layers 0.2s done
#15 writing image sha256:34a6acced8616e9afa8f9a6299d9c47e522b869394e7891b20a1ff9bd20f2305 done
#15 naming to docker.io/library/pcs-sp21-lab2-server-4e3e44b6a6e102115dc4a1908890817d6c64b3b0 done
#15 DONE 0.2s
WARNING: The requested image's platform (linux/386) does not match the detected host platform (linux/amd64) and no specific platform was requested
docker: Error response from daemon: driver failed programming external connectivity on endpoint pcs-sp21-lab2-server-4e3e44b6a6e102115dc4a1908890817d6c64b3b0 (5802faf96c70137e50164f7e4fb0d56d0d966d11e17283b30cab5b247eb94c70): Bind for 0.0.0.0:4000 failed: port is already allocated.

==========================

[*] The exploit did not work.

ksmaybe commented 3 years ago

About exploit-main (exploit-service branch)
[*] Starting service from pcs-sp21-lab2-server (branch '4e3e44b6a6e102115dc4a1908890817d6c64b3b0')
40304b9ece9c15ed34cce9ef0ae5fcebd5ca036baa0870ba93451d7b70a70501
[*] Started service successfully
[*] Running exploit
Learned that buf is at 4289892912
So retaddr is 4289892952
[*] Exploit returned : So retaddr is 4289892952
[*] Solution flag : wIpkkkFMBs
[*] Exploit returned a wrong flag string

[*] The exploit did not work.

ksmaybe commented 3 years ago

About exploit-main (exploit-service branch)
[*] Starting service from pcs-sp21-lab2-server (branch '4e3e44b6a6e102115dc4a1908890817d6c64b3b0')
8212a1527d0b4c08459b93a628e97f396dabd2f87f3b7bdfd00f1ded39fe50b2
[*] Started service successfully
[*] Running exploit
Learned that buf is at 4286952608
So retaddr is 4286952648
[*] Exploit returned : So retaddr is 4286952648
[*] Solution flag : l5cmGQtUkg
[*] Exploit returned a wrong flag string

[*] The exploit did not work.

ksmaybe commented 3 years ago

This submission has been verified. Well done!