In this challenge, a binary called smol is provided.
# Arch: amd64-64-little
Here is a simplified version of what the main function does.
Taking a brief look at the code, we can identify two trivial vulnerabilities here. One is gets, which allows us to write an arbitrary number of bytes to the stack. The other is printf, which, with a user-controlled format string, allows us to read/write data at a specific address.
format is located right under the variable s1, so we can overwrite format with any format string we want using gets(&s1). This allows us to do an arbitrary read/write with
My first idea was to leak the canary and then build a ROP chain to get a shell. However, printf executes after the last gets call. Even if we get the canary, we can't overwrite it, because there is no stack overflow bug after that point.
Let's take a look at the mitigations again: the binary is only partial RELRO, which allows us to modify function addresses in the global offset table. So it is a good idea to use printf to overwrite __stack_chk_fail's address in the GOT with a code address. Then we overwrite the canary to trigger __stack_chk_fail and call the code we want.
Luckily, the binary kindly gives us a backdoor at get_flag(). So writing the address of get_flag() into __stack_chk_fail's GOT entry will give us a shell.
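For contrast, here is the bug pattern described above (a fixed buffer directly followed by the format pointer, filled by gets and consumed by printf) next to its hardened form. This is an added example, not the challenge binary's code; the struct layout, the function name safe_echo and the build flags in the comments are my assumptions about how a defender would write and compile the same logic.

```c
#include <stdio.h>
#include <string.h>

/* Stack layout the writeup describes: a fixed buffer s1 directly followed by
 * the format pointer. gets(s1) has no bound, so input runs over `format`,
 * and printf(format) then interprets attacker-chosen directives.
 * The dangerous calls are left in comments so this file never executes them. */
struct vuln_frame {
    char s1[64];
    const char *format;   /* initially a fixed string, overwritten via gets(s1) */
};
/*   gets(frame.s1);        -- unbounded write into s1 and beyond          */
/*   printf(frame.format);  -- user data used as the format string         */

/* Hardened equivalent (assumed name). Assumes `line` was read with
 * fgets(buf, sizeof buf, stdin) instead of gets(); it is taken as an
 * argument here so the function can be exercised offline. Returns the
 * length of the echoed text. */
int safe_echo(const char *line, char *out, size_t outlen) {
    char s1[64];
    /* Bounded copy: at most sizeof(s1)-1 bytes, always NUL-terminated,
     * so overlong input can no longer reach anything placed after s1. */
    snprintf(s1, sizeof s1, "%s", line);
    /* User data travels as an argument; the format string is a literal,
     * so "%n", "%p" and friends in the input are printed verbatim. */
    return snprintf(out, outlen, "%s", s1);
}

/* Build with (assumed hardening set):
 *   gcc -fstack-protector-strong -Wformat -Wformat-security -Wl,-z,relro,-z,now
 * -Wformat-security warns on printf(non-literal) at compile time, and
 * full RELRO makes the GOT read-only, which removes the writable
 * __stack_chk_fail entry that the writeup's partial-RELRO binary exposes. */
```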
io = connect("pwn.utctf.live", 5004)