This write-up is made by boogy of the on_est_pas_contents ctf team
This was an cool challenge which was worth 1 point. But nevertheless we enjoyed solving it. The binary is 32bit and striped:Fuzzing around with the binary before eaven reverse enginnering it, we sat that there is a format string vulnerability in the function that echos out the user input.
The problem here is that the buffer only accepts 13 bytes of user input so it's not possible to craft a correct format string payload and overwrite stuff. We need to reverse engineer the function that takes the user input and find out where the size variable is.
I'll not paste all the functions here to save some space but here is the function which is important to us, that prints the user input:
We can see that the size variable is by default 13 bytes. What is important to note is that the binary checks if the buffer length does not exceed 1023, which means that even if we rewrite the size we can't go more than 1023.
So how do we bypass the 13 bytes restriction and change it to the maximum size 1023? Well with format strings you have a write what where condition. After some gdb foo we can see the stack layout:
So the stack looks like this:
- %1$x -> 0xd
- %2$x -> 0xa
- %3$x -> 0x0
- %4$x -> 0xd
- %5$x -> pointer to our buffer (first char in "AAAA" on the stack)
- %6$x -> 0x0
- %7$x -> start of our input "AAAA"
We can also verify it by giving a %p to the binary as input to leak stack values:
The first 0xd is 13 in hex so this is the buffer default length. So how can we override it ? That's simple, with the format strings we can leak the buffer address and then calculate the address of the size on the stack then we write to that address.
Here is the final exploit:
Running the exploit we get a shell
No comments:
Post a Comment