Hello guys, this is another write-up for both challenges named (pwn intended 0x2) and (pwn intended 0x3),
I didn't exploit them using the intended solutions, but rather I got a /bin/sh shell in both of the challenges and just cat the flag. You will learn the gold rule that solves a lot of PWN challenges with one technique if you have the requirement.
Let's begin, as usual if you don't have the binaries downloaded this is a link to both of them :
https://github.com/MaherAzzouzi/PWNing/tree/master/csictf
Let's begin !
File :
I renamed the file to just "pwn":
This is the file we're dealing with :
- 64 bits binary
- Not stripped (easy to reverse engineer the binary, functions takes their names only and not gibberish names)
Checksec :
* No PIE this means the ASLR don't apply for the binary and the binary addresses remain the same always
*No canary found this means that it's easy to overwrite the return value with value we want.
Reverse engineering:
Let's open up ghidra and give it our binary, and filter for main function and see what's happening there :
As you can see the binary is easy and the vulnerability is clear :
- The binary is using gets to read input from the user to an array of 44 bytes.
- If the integer just after the array is having the value -0x35014542 (this is not the right value you can get it the right one using gdb), you have the flag, great !
so the intended solution is to send this : "A"*44 + "\xbe\xba\xfe\xca"
For me I want to get a shell let's introduce a plan !
Plan :
So the plan is to execute system(pointer_to_bin_sh) right ?
And because system is used here to cat the flag, we have the address of its plt (don't get confused it's just we have the address of system)
We have the address of gets too
And we have a stack overflow, so we can pop a shell :)
The gold rule xD :
If you have these : system@plt, gets@plt , PIE disabled and stack overflow.
You can pop a shell in any binary
What we will do is this :
1) Find the offset to the return pointer.
2) Write /bin/sh to an address in the bss using gets()
3) Return to main to get fresh overflow again
4) call system using the address in the bss where we wrote /bin/sh
The exploit :
For the first step of finding the offset this is my technique :
Press "Enter" :
As you can see the offset is 56 !
Now to write /bin/sh in the bss first let's take an address from bss :
You can take any address from this region :
I'm choosing 0x4040a0 randomly.
Then I want a pop rdi, ret gadget to set rdi to the bss address we want, in our case it's 0x4040a0.
And then call gets with rdi pointing to the bss address we chooses (Because gets has one argument and this argument is a pointer to the destination buffer).
And then call main again.
This the part of my exploit that do what I said :
Let's see this in action !
I will run my exploit until what we achieved for now :
Open another terminal and :
Go to gdb and press ctrl-c :
BOOM we have /bin/sh in an address we know !
And we have returned to main again :
Now all we need to do is a simple ROP chain again but now we will use pop rdi; ret again and give it our bss address that contains /bin/sh and then call system.
This is the second half of the exploit :
And enjoy !
Let's run the full exploit :
For Pwn-intended-0x3 the exploit works the same I just changed the BSS address to the one that suits that binary.
Comments
Post a Comment