Tags: string-format rop

Rating:

# Botpanel - Pwn (300 + 0), 17 solves

> These cyber criminals are selling shells like hot cakes off thier new site. Pwn their botpanel for us so we can stop them

In this task we were given a binary and host:port where it is running. Connecting there we get a banner
and password prompt. After analyzing the binary, we notice that there is a format string bug - typing %s would
either crash or print garbage.

It turns out the expected password is stored in a local variable, so we could use %7$s to get the correct password echoed:  Panel password: %7$s
Incorrect! 4 attempts left

overwrite it using %6$n. After doing this, we get "registered mode" menu. It allows to send invites to arbitrary host:port - which spawn a new thread which connects back to specified IP. The invited menu in turn allows to send feedback. The feedback option first asks for length, then the feedback string. It is immediately suspicious, but there are checks for the length being in reasonable size, so no obvious buffer overflow is there. However, the read buffer length is a global variable, meaning we can send normal length in one connection, get it to pass the checks, then send large length in second connection, and finally send large buffer in the first one. This allows us to overflow the buffer, overwriting the return address and allowing the ROP. There were a couple of other roadblocks still. First of all, there was a stack cookie. Thankfully, on Linux the stack cookie is constant for the whole process duration, so we were able to leak it during the login phase at the start, using %15$x. Second problem was that the ASLR was turned on, so we had to find the address the binary was loaded at.
We did it in the same way, via leaking return address during login procedure: %19\$x.
increments (bytewise) puts function GOT entry so that it points to system. Because it is bytewise incrementation,
The whole code is available in doit.py.