This is the first pwn challenge of the CSAW CTF Qualification Round 2023. We are given a binary for exploitation. Let's get started :>
Inspect the given binary: a 32-bit ELF.
unlimited_subway: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked, interpreter /lib/ld-linux.so.2, BuildID[sha1]=a91c8ae32dffbdc3a706e70158ae362900e2b4de, for GNU/Linux 3.2.0, with debug_info, not stripped
Checksec:
[*] '/media/n33r9/Data/Downloads/CSAWctf2023/PWN/unlimited_subway/unlimited_subway'
Arch: i386-32-little
RELRO: Partial RELRO
Stack: Canary found
NX: NX enabled
PIE: No PIE (0x8048000)
Run the binary:
For more details, I loaded the binary into Ghidra:
I spotted a buffer overflow in the EXIT function: it lets the user choose their own size and then reads that many bytes into a buffer on the stack.
The binary has a canary, so I have to find a way to leak it. As you can see in the program flow, after entering the data we get an arbitrary read from memory:
Each read gives us one byte, so we have to leak the 4 bytes of the canary one at a time (the highest byte is always 0x00).
The canary value is loaded into the eax register and then stored at ebp-0x4 (that is, it sits right next to the saved ebp on the stack).
After that, we can abuse the buffer overflow to overwrite the return address of the function that calls read() with the address of print_flag(), writing the leaked canary back into its slot so the stack check still passes.
The data buffer is at ebp-0x84 and the canary at ebp-0x4, so the canary is 0x80 bytes past the start of the data entered by the user.
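As an added illustration (this is not the challenge binary's code or my exploit), here is a small C model of the pattern behind the bug: a fixed 0x44-byte stack buffer filled with a user-chosen length, next to a bounded version that rejects oversized requests instead of trusting the size. The function names, NAME_BUF_SIZE and the sample input are made up for the example.

```c
#include <stdio.h>
#include <string.h>

/* Added example, not the challenge's code. It models the "size, then data"
 * handler described above: a fixed stack buffer (0x44 bytes, matching the
 * lea eax,[ebp-0x44] in the disassembly) filled with a caller-chosen length. */

#define NAME_BUF_SIZE 0x44  /* assumed, taken from the writeup's offsets */

/* Constructed sample input; only the first bytes are meaningful. */
static const char kSample[0x100] = "constructed-input-AAAAAAAAAAAAAAAAAAAA";

/* Vulnerable pattern: the requested length is trusted, so any request larger
 * than the destination writes past it (over the canary at ebp-0x4, the saved
 * ebp and the return address). Kept here only to show the shape of the bug;
 * it is never called with untrusted sizes in this file. */
size_t copy_name_unbounded(char *dst, const char *src, size_t requested)
{
    memcpy(dst, src, requested);  /* no relation between requested and dst size */
    return requested;
}

/* Hardened form: the destination size is part of the interface and the
 * request is checked before any copy. Returns the number of bytes stored, or
 * 0 when the request is rejected. The result is always NUL-terminated. */
size_t copy_name_bounded(char *dst, size_t dst_size, const char *src, size_t requested)
{
    if (dst_size == 0 || requested == 0)
        return 0;
    if (requested > dst_size - 1) {
        /* Reject rather than silently truncate, so an oversized request is
         * visible to logging instead of being hidden. */
        return 0;
    }
    memcpy(dst, src, requested);
    dst[requested] = '\0';
    return requested;
}

/* Wrapper with a stack buffer of the challenge's size. Returns 1 if the
 * request was accepted, 0 if it was rejected. */
int accept_name(const char *src, size_t requested)
{
    char name[NAME_BUF_SIZE];
    return copy_name_bounded(name, sizeof name, src, requested) != 0;
}

int main(void)
{
    printf("request 0x20 accepted: %d\n", accept_name(kSample, 0x20));
    printf("request 0x84 accepted: %d\n", accept_name(kSample, 0x84));
    return 0;
}
```

Building this with `gcc -m32 -fstack-protector-all` gives the same canary layout as the challenge; with the bounded copy the oversized request is refused up front, whereas with the unbounded one the canary only catches the overwrite at function return (glibc aborts with "*** stack smashing detected ***"), and only if the canary itself was not leaked and restored.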
The address of function print_flag(): 0x08049304
The last name entered by the user is stored at ebp-0x44:
0x08049505 <+494>: lea eax,[ebp-0x44]
0x08049508 <+497>: push eax
0x08049509 <+498>: push 0x0
0x0804950b <+500>: call 0x8049050 <read@plt>
Now it's time to craft our payload:
payload = b'a'*0x40 + p32(canary) + b'a'*0x4 + print_flag_addr
Final result:
My exploitation:
Happy hacking!!