Chapter 1: Exercises

Clone the repository first:

git clone https://github.com/nonamed01/exploits.git

The vulnerable programs, their source code and the exploits for this chapter are located in the creativepwning/chapter1 directory. Try to solve the exercises without reading the source code or the exploits first; if you get stuck, feel free to read and try the provided exploits. The exploit for exercise N is exN-exploit.py.

Exercise 1 (creativepwning/chapter1/ex1)

Goal: Set RAX to the value 0x3b in the vulnerable program ex1 by repurposing a libc6 function that the program already calls (with no libc6 leaks).

Exercise 2 (creativepwning/chapter1/ex2)

Goal: Set RAX to the value 0x3b in the vulnerable program ex1 by repurposing a function within the binary itself.

Exercise 3 (creativepwning/chapter1/ex3)

Goal: Spawn a shell by running the command /bin/sh on the vulnerable program. No libc6 leaks allowed. Consider what you can do with the functions the program calls and with its sections. Spawning a shell when there are no obvious means to do so will be discussed in Chapter 2.

Exercise 4 (creativepwning/chapter1/ex4)

Goal: Spawn a shell by running the command /bin/sh on the vulnerable program. No libc6 leaks allowed. It is the same case as in ex3, but this time RDX=1 and there is no ROP gadget to set it to 0x0 (NULL). So, in order to gain a shell with execve(), you will need to set RDX=0 by taking advantage of a side effect of a libc6 function!

If you are not running this example on Debian GNU/Linux bookworm, or your glibc version is not 2.36, use the provided dynamic loader and library to run the vulnerable program and its exploit:

mkdir libc
cp /path/to/exploits/creativepwning/chapter1/ex4-ld-linux-x86-64.so.2 libc/ld-linux-x86-64.so.2
cp /path/to/exploits/creativepwning/chapter1/ex4-libc.so.6 libc/libc.so.6
cp /path/to/exploits/creativepwning/chapter1/ex4 .
patchelf ./ex4 --set-interpreter libc/ld-linux-x86-64.so.2
patchelf ./ex4 --set-rpath ./libc/

After that, make sure the binary is using the provided libc6: the libc.so.6 line in the ldd output must resolve to ./libc/libc.so.6 rather than to the system library:

ldd ./ex4
linux-vdso.so.1 (0x00007ffedf0a7000)
libc.so.6 => ./libc/libc.so.6 (0x00007fddb00ae000)
libc/ld-linux-x86-64.so.2 => /lib64/ld-linux-x86-64.so.2 (0x00007fddb0291000)

Exercise 5 (creativepwning/chapter1/ex5)

Goal: Spawn a shell by running the command /bin/sh on the vulnerable program. As before, no libc6 leaks allowed. It is very similar to ex3, but this time you need to find an alternative way of setting RAX to 0x3b! Look around; you may need to use a function within the binary this time.