History view
Writeup - From Format String to Buffer Overflow
PKTeam
Recon
First of all we see the protections of the binary.
We have several problems. We can not execute code in the stack such as a shellcode due to NX, we can not overflow without having a canary leak and if we want to attach with gdb we have to bypass PIE as if we want to do ROP (Return-Oriented Programming). We also need leak of a function to be able to make the corresponding calculation of the base memory address of libc for the ROP. Taking a look at the pseudocode generated by Ghidra, we see the first vulnerability a format string, cool!.
We test the software and observe how we can leak the stack with format %x. Therefore we already have how to perform canary leak and bypass PIE. We must check another thing before continuing and that is that the binary is dynamically linked so we will have to leak the address of a function to later know the base memory address of libc.
Reversing
In order to make the different leak we have to study the stack and see if it meets the requirements we need. If we do AAAA.%x.%x.%x.%x.%x.%x.% x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x there is our output:
AAAA.f7dd07e3.f7dd18c0.f7af4154.28.0.1.55554ced.414141a0.2e78252e
So we have our 0x414141 in eighth argument. So we can use this AAAA.%8$x to leak our A's.
Leak Canary
We start first with the canary so we execute with GDB until after the printf function call. Canary value is in stack at rbp-0x8 and if we check the stack there will be our thirteen argument: %13$p.
Leak .text memory address to perform PIE bypass protection
With fourteen argument: %14$p we can leak .text to be able to calculate the base address of the binary elf and then bypass PIE. It is very useful to do PIE bypass since it will also allow us to attach to gdb in order to efficiently make the exploit.
Leak memory address of function to perform leak of base libc
With third argument: %3$p we can leak memory address of write function + 20.
We can write our script to perform the corresponding leak remaining as follows:
Libc base address and elf base address
To calculate the base address of libc we must subtract the address of write-20 leaked before minus the offset of write libc. To know the base memory address of the elf binary we must put the last 3 bytes of the leak to zeros using the operation AND with the 0xfff mask.
Exploitation
Then we see that after the scanf function call to know our feedback we have a buffer overflow discovered after a few attempts and step on the value of canary giving us a stack smashing. There is a space between our feedback input to the canary of 24 bytes then 8 bytes for saved rbp and return address.
Exploit with ROP:
Debugging ROP:
It also mentions that PIE leaker is not necessary, with leaking a LIBC address.
Then I'll show you the exploit of my friend @alextaito99 and thanks for doing the challenge together:
'Pwning in Linux' 카테고리의 다른 글
| Writeup: 3x17 (0) | 2019.03.27 |
|---|---|
| Writeup: echo2 (0) | 2019.03.26 |
| Secret Keeper - Pragyan CTF 19 (0) | 2019.03.09 |
| Writeup - echo1 (0) | 2019.03.01 |
| Exploit - Two targets pwnable.xyz (0) | 2019.03.01 |
- Total
- Today
- Yesterday
- stack pivot
- Windows
- buffer overflow
- format string
- pwnable.xyz
- return oriented programming
- fake stack frame
- x64dbg
- GOT Dereferencing/Overwriting
- canary
- theFaunia course
- arithmetic overflow/underflow
- open-redirect
- use after free
- ASM
- Call oriented programming
- write primitive
- dnspy
- pwnable.tw
- XSS
- cracking
- one gadget
- leak libc
- hijacking redirection flow
- html injection
- shellcode
- Backdoors
- leak stack memory address
- 32Bit
- Pwnable.kr
| 일 | 월 | 화 | 수 | 목 | 금 | 토 |
|---|---|---|---|---|---|---|
| 1 | 2 | 3 | 4 | 5 | 6 | |
| 7 | 8 | 9 | 10 | 11 | 12 | 13 |
| 14 | 15 | 16 | 17 | 18 | 19 | 20 |
| 21 | 22 | 23 | 24 | 25 | 26 | 27 |
| 28 | 29 | 30 |