Please hack.

Download:
917b8036bb39196f6a9388b9140eb322331406d1949f1af372fde87a5a5b1aff.tar.xz

Connection:
nc 35.198.98.140 45067

We are given some files including the source code of the vulnerable binary and the libc file from the server.

Let’s start with reading the source code.

It reads our name and greets us in the function greet, then it reads a number as length and expects us to enter a string whose length is less than or equal to that number. Finally, it prints “Thanks, bye!” and terminates. There are two problems here.

First, it does not initially set the bytes of the buffer to zero in greet. Thus, we can use that function to leak addresses.

Second, it reads the length as string and converts it to an integer using atoi function. Then, it checks whether the length is less than 64 or not. If it isn’t less than 64, then the program terminates. The problem here is the atoi function. It returns the type integer which is signed and this value is used as the count parameter in read function.

As we can see above, the read expects the count to be the type size_t instead of integer. The thing is size_t is always unsigned independent from its size in bytes.

Therefore, we can enter a negative number to satisfy the condition of being less than 64. After it gets converted to size_t, the number will be a large postive number and will allow us to enter a huge string as input.

Let’s analyze the binary.

It is a 32-bit dynamically linked ELF file with non-executable stack. Let’s continue with disassembling the main function.

The ending is a little bit different than the usual scenerio. It first sets esp to ebp-12, then it pop values from stack to ecx, ebx, esi, and ebp respectively. Then, it sets esp to ecx-4 and return.

We need to overwrite the value which is assigned to ecx such that ecx-4 will be storing the address that points to our ropchain. In order to achieve this, we need to leak the buffer’s address. We will set ecx to buffer+4 to get esp to point to our buffer which contains our ropchain to call system(‘/bin/sh’).

Let’s check the name buffer before it gets filled to see the addresses we can leak.

The buffer is located at 0xffffd1c0.

Nice, we have a stack address at offset 16 and we also have the address of setbuffer+11 at offset 24. In order to calculate the buffer address, we need to know the offset from the address we leaked. Let’s set a breakpoint on the final read to find out the buffer address.

The buffer is located at 0xffffd22c which is 0x64 bytes away from the address we leaked. The offset is -0x64.

Now, we need to find the offset to overwrite ecx. I will use De Bruijn pattern to calculate the offset.

The offset is 80, now we can create our exploit. We will use the address of setbuffer+11 to calculate the base address of libc. Then, we will create a ropchain to call system(‘/bin/sh’).

Here is my code in python.

Notice that I read the address from offset 20 instead of 16. It is because of the format string “Hey %s”. It prepends 4 characters to our name before printing it back. That’s why we shifted our offsets 4 bytes ahead.

Let’s run the script and get our flag.

Here we have hxp{b4bY’s_2nd_pwn4bLe}.