A tiny program, protected by some Python code. The flag is in: ./flag.txt
My analysis database: s.bndb
The binary is run by a Python loader that acts like a debugger. Every time a breakpoint instruction (0xcc) is executed, the loader looks at the byte that follows rip and decides what to do next based on that byte. For example, if the next byte is 0x48, it replaces some register; if the next byte equals one of a few other values, it performs a canary check manually.
So there is a canary check, but the "canary" values are actually the saved return pointers. When it compares return pointers, the loader only checks whether the return pointer exists somewhere on the stack, not that the slot holds the exact value recorded for it. So we can still overwrite the saved return pointer with the caller's saved return pointer and the check passes.
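Added model of that weak check, written for this writeup and not taken from the loader or from s.bndb. The frame layout, the two return addresses and the slot indices are constructed; the point it shows is the difference between "this value appears among the recorded return pointers" and "this slot still holds the value recorded for it".

```python
# Added model of the loader's manual "canary" check. The stack layout and
# addresses are constructed for illustration, not read from the binary.
from typing import List, Set

RET_INTO_MAIN = 0x401234    # assumed: decrypt's return address inside main
RET_INTO_START = 0x401050   # assumed: main's return address inside _start
DECRYPT_RIP_SLOT = 2        # index of decrypt's saved return address below


def snapshot(decrypt_saved_rip: int) -> List[int]:
    """Constructed stack as qwords, lowest address first."""
    return [
        0x4141414141414141,   # decrypt's line buffer (the overflowable one)
        0x4141414141414141,
        decrypt_saved_rip,    # decrypt's saved return address
        0x0,                  # main's locals
        RET_INTO_START,       # main's saved return address
    ]


def record_canaries(stack: List[int]) -> Set[int]:
    """What the loader keeps as 'canaries': the return pointers it saw."""
    return {stack[DECRYPT_RIP_SLOT], stack[-1]}


def loader_check(stack: List[int], canaries: Set[int]) -> bool:
    """The weak check: pass if the saved return pointer is *some* value that
    was on the stack, regardless of which slot it was recorded from."""
    return stack[DECRYPT_RIP_SLOT] in canaries


def strict_check(stack: List[int], recorded: List[int]) -> bool:
    """Hardened variant: the slot must hold exactly the value recorded for it."""
    return stack[DECRYPT_RIP_SLOT] == recorded[DECRYPT_RIP_SLOT]


def overflow(stack: List[int], new_rip: int) -> List[int]:
    """Model of the newline-terminated read clobbering decrypt's saved rip."""
    out = list(stack)
    out[DECRYPT_RIP_SLOT] = new_rip
    return out
```

Overwriting decrypt's saved return address with main's saved return address (the caller's) satisfies loader_check because that value is already on the stack; an arbitrary address is rejected by both checks, and only strict_check rejects the pivot.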
Basically, the binary contains two main functions, decrypt and encrypt.
decrypt calls a function that reads all bytes until it meets a newline character (\n), with no length limit. This is a trivial stack buffer overflow we can use to modify the saved return pointer.
Combining this overflow with the weak canary check above, we can run main again: _start is essentially a loop that keeps calling main as long as main's return value is not equal to 1.
encrypt generates random values by reading /dev/urandom and stores the user's input in the .bss section.
It also uses a global variable as the index into that data array; every time encrypt is called, the index increases by one.
Normally that is fine, because encrypt is only executed once.
However, since we can run encrypt multiple times, we can keep increasing the index until our input overwrites the "/dev/urandom" path string with ./flag.txt, and the program prints out the flag for us.
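Added model of that index bug, written for this writeup rather than taken from the challenge binary. The slot size, the array length, the placement of the path string directly after the array, and the read-before-write order inside encrypt are all assumptions; the files the program could open are replaced by a constructed in-memory table so the model runs offline.

```python
# Added model of the encrypt-index bug. SLOT, NSLOTS, PATH_OFF and the
# read-then-write order are assumptions about the binary's layout.
SLOT = 8
NSLOTS = 4                    # assumed length of the data array
PATH_OFF = NSLOTS * SLOT      # assumed: path string sits right after the array

# Constructed stand-in for the files the program might open.
FAKE_FS = {
    "/dev/urandom": b"\x13\x37\xc0\xde\xde\xad\xbe\xef",
    "./flag.txt": b"flag{constructed_for_this_model}\n",
}


class Bss:
    """Global state: the data array, the path opened for 'random' bytes,
    and an index that is only ever incremented."""

    def __init__(self, bounded: bool = False):
        self.mem = bytearray(PATH_OFF + 64)
        path = b"/dev/urandom\x00"
        self.mem[PATH_OFF:PATH_OFF + len(path)] = path
        self.idx = 0
        self.bounded = bounded    # True = the bound check the binary lacks

    def path(self) -> str:
        raw = self.mem[PATH_OFF:]
        return bytes(raw[:raw.index(0)]).decode(errors="replace")

    def encrypt(self, user_input: bytes) -> bytes:
        """One encrypt call: read 'random' bytes from the path, store the
        user's input at data[idx], bump idx. Returns what gets printed; an
        empty result models open() failing on a half-overwritten path."""
        if self.bounded and self.idx >= NSLOTS:
            raise IndexError("data array is full")
        rand = FAKE_FS.get(self.path(), b"")
        off = self.idx * SLOT           # no check that off < PATH_OFF
        self.mem[off:off + SLOT] = user_input[:SLOT].ljust(SLOT, b"\x00")
        self.idx += 1
        return rand


def run_attack(chunks, bounded: bool = False):
    """Call encrypt once per chunk and return the printed outputs."""
    bss = Bss(bounded=bounded)
    return [bss.encrypt(c) for c in chunks]


def flag_payload():
    """Inputs that fill the array, then lay "./flag.txt\\0" over the path
    one slot at a time, then trigger one more read that prints the flag."""
    filler = [b"A" * SLOT] * NSLOTS
    new_path = b"./flag.txt\x00"
    overwrite = [new_path[i:i + SLOT] for i in range(0, len(new_path), SLOT)]
    return filler + overwrite + [b"B" * SLOT]
```

With the assumed layout the path needs two slots to rewrite, so the call that lands the first half reads from a path that no longer exists (empty output in the model), and the call after the second half reads and prints the flag. The bounded variant refuses the fifth call, which is the check that would have stopped this.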
from pwn import *