This is one of the challenges for beginner pwn players from KCSC.
Netcat to the given host and port:
Inspect the given binary:
This is our target: function getshell()
The flow of the program is as follows:
The program lets the user enter how many bytes of the buffer to read off the stack, then prints that value to standard output. Next it lets the user specify how many bytes to write into the buffer with read(), and that is where the buffer overflow is.
After taking a first look at the binary and inspecting the flow of the program, I finally came up with an exploitation idea: abuse the value leaked off the stack to get the canary, then use the canary value to build the payload and overwrite the saved RIP (the return address of the read() function).
The buffer is 0x30 bytes away from RBP.
In an x64 program, the canary value (if there is one) is pushed right after the saved rbp value (and similarly on x86).
Reference: the linked article gives more information about canaries, especially on brute-forcing their value.
Initial value of buffer:
The address of rbp is 0x7fffffffdb90, and right after it is 0x00007ffff7dff18a (the address of an instruction in libc_start_main(), also the return address of the read() function). Of course, the value
00 15 73 2a 3a 03 84 e5
at 0x7fffffffdb88 is exactly the canary that we want to leak. After the buffer has been entered, the program checks whether the canary was overwritten; if it was, the program aborts with a ***stack smashing detected*** error.
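To make that frame layout and the check concrete, here is an added simulation of my own (not the challenge binary): it models the 0x28-byte buffer with the canary slot right above it, shows the user-chosen read() length clobbering the canary exactly as the junk bytes do, and puts the bounded form beside it. The names fill_unchecked, fill_checked, canary_intact and simulate are mine, the constructed input stands in for stdin, and CANARY is the value from the dump above taken as a constant.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
/* Frame layout from the dump above: 0x28 bytes of buffer, then the 8-byte
 * canary. Saved rbp and the return address follow in the real frame; they are
 * left out so this simulation never writes outside its own storage. */
#define BUF_SIZE   0x28u
#define FRAME_SIZE (BUF_SIZE + 8u)
/* The canary from the dump (bytes 00 15 73 2a 3a 03 84 e5, little-endian).
 * glibc on x86-64 keeps its low byte 0x00 so string functions stop on it. */
#define CANARY     0xe584033a2a731500ULL
/* The challenge's bug: the user picks the length handed to read() while the
 * stack buffer stays fixed, so any length above BUF_SIZE runs into the canary.
 * 'input' stands in for stdin so the example runs offline. */
size_t fill_unchecked(unsigned char *frame, const unsigned char *input, size_t len) {
    memcpy(frame, input, len);               /* len > BUF_SIZE clobbers the canary */
    return len;
}

/* Hardened form: clamp to the buffer, as read(0, buf, sizeof buf) would. */
size_t fill_checked(unsigned char *frame, const unsigned char *input, size_t len) {
    if (len > BUF_SIZE) len = BUF_SIZE;
    memcpy(frame, input, len);
    return len;
}

/* The check the compiler emits before ret; 0 is the "stack smashing" abort. */
int canary_intact(const unsigned char *frame) {
    uint64_t slot;
    memcpy(&slot, frame + BUF_SIZE, sizeof slot);
    return slot == CANARY;
}

/* One scenario: fresh frame with the canary in place, then 'len' junk 'a' bytes. */
int simulate(size_t len, int checked) {
    unsigned char frame[FRAME_SIZE], junk[FRAME_SIZE];
    uint64_t c = CANARY;
    memset(junk, 'a', sizeof junk);
    memset(frame, 0, sizeof frame);
    memcpy(frame + BUF_SIZE, &c, sizeof c);
    if (len > FRAME_SIZE) len = FRAME_SIZE;  /* keep the demo inside its own storage */
    if (checked) fill_checked(frame, junk, len); else fill_unchecked(frame, junk, len);
    return canary_intact(frame);
}

int main(void) {
    printf("0x28 bytes, unchecked: canary %s\n", simulate(0x28, 0) ? "intact" : "smashed");
    printf("0x30 bytes, unchecked: canary %s\n", simulate(0x30, 0) ? "intact" : "smashed");
    printf("0x30 bytes, checked:   canary %s\n", simulate(0x30, 1) ? "intact" : "smashed");
}
```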
After entering the junk bytes 'aaaa':
My crafted payload and exploitation:
payload2 = b'a' * 0x28 + canary + b'a' * 0x8 + p64(ret_addr) + p64(bin.symbols['getshell'])  # buffer (0x28) | leaked canary | saved rbp (8) | ret_addr | getshell()
And the result is:
Case closed! Have a nice day, guys!