Srnr is a binary exploitation challenge of redpwn ctf. Running checksec, we can see that there are only Full RELRO and NX protections, but any canary value.
If we run the binary we can get the output:
And if we insert as input the value 1AAAAAAAAAAAAAAAAAAAAAAAAAAAAAA the binary go into segmentation fault. This obviously is due to a buffer overflow vulnerability. For exploit it I’ve used the read function, that is used in the binary, for save the string “/bin/sh” in the bss section (it’s used after as argument of the system function). For bypass the ASRL protection I’ve used the printf function for print a value of the GOT table, in this way I know the value of the address of some function in libc, after that I can calculate the base address of the libc and calculate the address of the system function. Finally, with a ropchain, I return in main for trigger again the vulnerability with a ropchain that has inside the pointer to the system function with the pointer to “/bin/sh” as argument. The final exploit is:
Finally run it: