You’ve got one silver bullet, pull the trigger carefully!

nc 7331

Let’s check the file information first.

The file is an ELF 32-bit LSB executable. Let’s look at its protections.

Its stack is not executable.

Let’s decompile its main function.

First, sub_80487C3 is called; then up to 0x100 bytes of input are read into a buffer, but there is no overflow here since the buffer is located at [bp-108h]. Finally, sub_804872D is called with the buffer.

Let’s take a look at sub_80487C3 first.

It just schedules an alarm signal.

Let’s decompile sub_804872D.

Here we have a format string vulnerability at the printf call. We also have a buffer overflow at the strcpy call, which can overwrite all the local variables and even the return address of the function. Notice that a function pointer is stored in v3 and is called after our buffer overflow, which means we can change its value as well. However, before calling it, the function compares the 4 bytes just above the pointed-to address with 0x4EC8310. It has a similar but slightly different check for the return address as well. Therefore, we cannot jump or call wherever we like. v3 is just 20 bytes away from s1.
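As an added illustration (constructed for this write-up, not code from the challenge binary), here is a C function with the same two defects the decompilation shows, an unbounded strcpy into a small stack buffer followed by printf with the input as its format string, next to a hardened version that bounds the copy and uses a constant format string. The buffer size, local layout and helper names are assumptions.

```c
#include <stdio.h>
#include <string.h>

/* Constructed layout: a small fixed buffer and a function pointer as locals,
 * standing in for s1 and v3 in sub_804872D. */
#define BUF_SIZE 20

typedef void (*handler_fn)(void);

static void default_handler(void) { }

/* Same pattern as sub_804872D: CWE-121 (stack overflow via strcpy) and
 * CWE-134 (user input used as the format string). Kept only for comparison;
 * never call it with untrusted data. */
static void handle_unsafe(const char *input)
{
    handler_fn cb = default_handler;
    char buf[BUF_SIZE];
    strcpy(buf, input);   /* no bound: overwrites cb and the return address */
    printf(buf);          /* %n in the input turns printf into a write primitive */
    cb();
}

/* Hardened version: the length is checked before the copy, and the input is
 * passed as a %s argument instead of as the format string.
 * Returns 0 on success, -1 if the input does not fit the buffer. */
int handle_safe(const char *input)
{
    handler_fn cb = default_handler;
    char buf[BUF_SIZE];
    size_t len = strlen(input);
    if (len >= sizeof buf)
        return -1;                /* reject rather than truncate silently */
    memcpy(buf, input, len + 1);  /* bounded copy including the terminator */
    printf("%s\n", buf);          /* constant format string: %n is just text */
    cb();
    return 0;
}

/* Helper: does this input fit the fixed buffer (with its terminator)? */
int input_fits(const char *input)
{
    return strlen(input) < BUF_SIZE;
}

int main(void)
{
    (void)handle_unsafe;          /* referenced only so the contrast stays visible */
    return handle_safe("%n%n%n%n") == 0 ? 0 : 1;
}
```

With handle_safe, a "%n%n%n%n" input is printed literally and an input of 20 or more bytes is refused before anything is copied.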

Let’s set a breakpoint on printf call.

The buffer is located at esp+0x50, which means we control the 20th and following arguments of the printf call.

In the binary I found the following function.

It calls system with the global variable command as its argument. We need a way to call this function. Let’s search memory for 0x4EC8310 to see which addresses we can reach through the v3() call.

We see that we can call 0x80486c7, and there is a function at that address named sub_80486C7. Let’s take a look at it.

It calls sub_8048695, which is the subroutine that calls system, but it requires dword_804A02C to be equal to 1. No worries: our format string exploit can simply write 1 to 0x804A02C.

Also, command is a global char pointer which is stored at 0x0804A030.

We need to write the address of a “/bin/sh” string into this pointer, but there is no “/bin/sh” string in the binary. Still, there is nothing to be afraid of: our format string exploit can write one somewhere in the bss section if we can find 8 bytes of available space. Let’s take a look at the bss section.

We can simply overwrite the bytes at 0x804A020.

Now, we have all the information that we need to write our exploit.

Let’s run our script to get the flag.

Here is the flag ASIS{afcc54e5d52b476e2edd697afabec83e}.