
[KCSC MiniCTF 2023 Writeup][pwn] Out Of Bound

  • shinkhong97
  • Sep 16, 2023
  • 2 min read

Updated: Nov 4, 2023


This is one of the challenges for beginner pwn players from KCSC.

Netcat to the given host and port:


Inspect the given binary:


This is our target: the getshell() function.


The flow of the program is as follows:

The program lets the user enter the size of the buffer they want to read off the stack, then prints that many bytes to standard output. After that, it lets the user specify the size of the buffer they want to write with the read() function, and that is where the buffer overflow is.
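As an added example (not code from the original post or the challenge), here is a hardened version of the same two-step flow in C: BUF_SIZE is an assumed buffer size and src/srclen stand in for stdin, and both the echo length and the read length are checked against the buffer, which is exactly what the challenge binary does not do.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Assumed size of the stack buffer: the post only gives its distance from
 * rbp (0x30), so BUF_SIZE is a stand-in, not the binary's real value. */
#define BUF_SIZE 0x28

#define ERR_ECHO_TOO_LONG (-1)
#define ERR_FILL_TOO_LONG (-2)

/* Root cause of both bugs in the challenge: the lengths handed to write() and
 * read() are typed by the user and never compared with the buffer. Echoing
 * more than BUF_SIZE bytes discloses what sits above the buffer (canary at
 * rbp-8, saved rbp, saved rip); reading more than BUF_SIZE bytes overwrites
 * them. hardened_flow() keeps the same two steps but rejects over-long
 * requests and zero-fills the buffer so an in-bounds echo cannot leak stale
 * stack bytes either.
 *
 * echo_len, fill_len: the two sizes the user supplies.
 * src/srclen: stand-in for the bytes read() would receive from stdin.
 * out: receives the echoed bytes (may be NULL); needs room for BUF_SIZE.
 * Returns the number of bytes echoed, or a negative ERR_* code. */
int hardened_flow(size_t echo_len, size_t fill_len,
                  const char *src, size_t srclen, char *out)
{
    char buf[BUF_SIZE];
    memset(buf, 0, sizeof buf);

    if (echo_len > sizeof buf)          /* original: write(1, buf, echo_len) */
        return ERR_ECHO_TOO_LONG;
    if (out)
        memcpy(out, buf, echo_len);

    if (fill_len > sizeof buf)          /* original: read(0, buf, fill_len) */
        return ERR_FILL_TOO_LONG;
    size_t n = fill_len < srclen ? fill_len : srclen;
    memcpy(buf, src, n);                /* can no longer reach the canary */
    return (int)echo_len;
}

int main(void)
{
    const char input[] = "aaaa";        /* constructed sample input */
    printf("echo 0x28, fill 0x10 -> %d\n", hardened_flow(0x28, 0x10, input, 4, NULL));
    printf("echo 0x40, fill 0x10 -> %d\n", hardened_flow(0x40, 0x10, input, 4, NULL));
    printf("echo 0x08, fill 0x48 -> %d\n", hardened_flow(0x08, 0x48, input, 4, NULL));
    return 0;
}
```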

After taking a first look at the binary and inspecting the flow of the program, I finally came up with an exploitation idea: abuse the value leaked off the stack to get the canary, then use the canary value to build the payload and overwrite the saved RIP value (the return address of the read() function).

The buffer is 0x30 bytes away from RBP.


In an x64 program, the canary value (if there is one) is placed right after the saved rbp value, i.e. immediately below it on the stack (and similarly on x86).


Reference: the picture in the original post links to more information about the canary, especially brute-forcing its value.

Initial value of buffer:


The address of rbp is 0x7fffffffdb90, and right after it is 0x00007ffff7dff18a (the address of an instruction in libc_start_main(), which is also the return address of the read() function). Of course, the value

00 15 73 2a 3a 03 84 e5

at 0x7fffffffdb88 is exactly the canary that we want to leak. After the input has been entered, the program checks whether the canary has been overwritten; if it has, it raises a ***stack smashing*** error.

After entering the junk bytes 'aaaa':


My crafted payload and exploitation:

# 0x28 bytes of padding up to the canary, the leaked canary (8 bytes, reaching rbp),
# 8 bytes over the saved rbp, then ret_addr in the saved-RIP slot with the address
# of getshell() immediately after it
payload2 = b'a' * 0x28 + canary + b'a' * 0x8 + p64(ret_addr) + p64(bin.symbols['getshell'])

And the result is:


Case closed! Have a nice day, guys!

© 2035 by n33r9. Powered and secured by me.