0x0 Introduction
In this challenge, a binary named smol is provided.
0x1 Mitigation
# Arch: amd64-64-little
0x2 Identify the problem
Here is a simplified version of what the main function is doing.
main(void)
Taking a brief look at the code, we can identify two trivial vulnerabilities. One is gets, which allows us to write an arbitrary number of bytes onto the stack. The other is printf, which, given a controlled format string, allows us to read and write data at a specific address.
Since format is located right under the variable s1 on the stack, we can overwrite format with any format string we want using gets(&s1). This gives us an arbitrary read/write through printf.
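The two bug classes identified above, each beside a hardened form, as an added example that is not the challenge's own source (the challenge binary's real buffer sizes are unknown; the `LINE_MAX_LEN`, `read_line`, `has_format_directive` and `safe_echo` names are assumptions of this example, and the `vulnerable_echo` sketch is reconstructed from the description above, not decompiled from smol):

```c
/* Added example (not the challenge's code): the gets() and printf(format)
 * pattern the writeup describes, beside a hardened replacement.
 * All names and sizes here are assumptions. */
#include <stdio.h>
#include <string.h>

#define LINE_MAX_LEN 64

/* --- Vulnerable pattern, reconstructed from the writeup (never build) --- */
#if 0
void vulnerable_echo(void)
{
    char s1[LINE_MAX_LEN];
    char format[LINE_MAX_LEN];   /* sits under s1, per the writeup      */
    gets(s1);                    /* unbounded write: runs into format   */
    printf(format);              /* user data used as the format string */
}
#endif

/* --- Hardened form --- */

/* Bounded line read: stores at most size-1 bytes and strips the trailing
 * newline. Returns the stored length, or -1 on EOF/error. When a line is
 * longer than the buffer, the excess is drained so it cannot be consumed
 * as a second "line" by the next call. */
int read_line(char *buf, size_t size, FILE *in)
{
    if (fgets(buf, (int)size, in) == NULL)
        return -1;
    size_t len = strlen(buf);
    if (len > 0 && buf[len - 1] == '\n') {
        buf[--len] = '\0';
    } else {
        int c;
        while ((c = fgetc(in)) != EOF && c != '\n')
            ;   /* discard the rest of an over-long line */
    }
    return (int)len;
}

/* Detection helper for reviews or runtime checks: returns 1 if s contains
 * a printf conversion directive. A doubled "%%" is a literal percent sign
 * and is not counted. Data that trips this check must never be passed as
 * a format argument. */
int has_format_directive(const char *s)
{
    for (; *s; s++) {
        if (*s != '%')
            continue;
        if (s[1] == '%') {   /* escaped percent, skip both characters */
            s++;
            continue;
        }
        return 1;
    }
    return 0;
}

/* Hardened echo: the format string is a compile-time constant and the
 * user-supplied line only ever appears as a %s argument, so "%p" or "%n"
 * in the input is printed verbatim instead of interpreted. */
void safe_echo(FILE *in, FILE *out)
{
    char line[LINE_MAX_LEN];
    if (read_line(line, sizeof line, in) < 0)
        return;
    fprintf(out, "%s\n", line);
}

int main(void)
{
    safe_echo(stdin, stdout);
    return 0;
}
```

The GOT overwrite the writeup relies on has its own build-time fix independent of the two bugs: linking with `-Wl,-z,relro,-z,now` (Full RELRO) makes the GOT read-only after relocation, so even an arbitrary write could not redirect `__stack_chk_fail`.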
My first idea was to leak the canary and then build a ROP chain to get a shell. However, printf executes after the last gets call. Even if we obtained the canary, we could not overwrite it, because there is no stack overflow bug after that point.
Let's take a look at the mitigations again: they show that this program has only partial RELRO. This allows us to modify function addresses in the global offset table. So a good idea is to use printf to overwrite __stack_chk_fail's entry in the global offset table with a code address of our choosing. Then we overwrite the canary to trigger __stack_chk_fail and call the code we want.
Luckily, the binary kindly gives us a backdoor at get_flag(). So writing the address of get_flag() into __stack_chk_fail's GOT entry will give us a shell.
void sym.get_flag(void){
0x3 Exploits
io = connect("pwn.utctf.live", 5004)