Category: Baby's First
64-bit ELF. No stack guard (canary), but NX and PIE are enabled.
The service first shows a menu:
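The protections above are recorded in the ELF headers themselves: PIE is an executable with e_type ET_DYN, and NX is a PT_GNU_STACK program header without the executable flag. The following is an added example, not part of this writeup, that reads those two facts straight from a raw ELF64 image; the sample image it checks is constructed inline (a bare header plus one PT_GNU_STACK entry, no real code), so it runs offline.

```python
import struct

# ELF64 constants (from the ELF specification)
ELF_MAGIC = b"\x7fELF"
ELFCLASS64 = 2
ET_EXEC, ET_DYN = 2, 3
PT_GNU_STACK = 0x6474E551
PF_X, PF_W, PF_R = 0x1, 0x2, 0x4


def parse_elf64_mitigations(data: bytes) -> dict:
    """Return {'pie': bool, 'nx': bool} for a little-endian ELF64 image.

    pie: e_type == ET_DYN (the loader may place the image anywhere).
    nx:  a PT_GNU_STACK header exists and lacks PF_X.  If the header is
         absent the stack is executable on most loaders, so nx=False.
    """
    if data[:4] != ELF_MAGIC or data[4] != ELFCLASS64:
        raise ValueError("not a 64-bit ELF image")
    e_type = struct.unpack_from("<H", data, 16)[0]
    e_phoff = struct.unpack_from("<Q", data, 32)[0]
    e_phentsize, e_phnum = struct.unpack_from("<HH", data, 54)

    nx = False
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        p_type, p_flags = struct.unpack_from("<II", data, off)
        if p_type == PT_GNU_STACK:
            nx = not (p_flags & PF_X)
    return {"pie": e_type == ET_DYN, "nx": nx}


def build_sample_elf(pie: bool, exec_stack: bool) -> bytes:
    """Constructed ELF64 image for the demo: 64-byte header + one PT_GNU_STACK.

    It is not loadable (no code, no PT_LOAD); it only carries the fields
    that parse_elf64_mitigations() inspects.
    """
    ident = ELF_MAGIC + bytes([ELFCLASS64, 1, 1, 0, 0]) + b"\x00" * 7
    header = ident + struct.pack(
        "<HHIQQQIHHHHHH",
        ET_DYN if pie else ET_EXEC,  # e_type
        0x3E,                        # e_machine: x86-64
        1,                           # e_version
        0x1000,                      # e_entry (dummy)
        64,                          # e_phoff: program headers follow the header
        0,                           # e_shoff: no section headers
        0,                           # e_flags
        64, 56, 1,                   # e_ehsize, e_phentsize, e_phnum
        64, 0, 0,                    # e_shentsize, e_shnum, e_shstrndx
    )
    flags = PF_R | PF_W | (PF_X if exec_stack else 0)
    phdr = struct.pack("<IIQQQQQQ", PT_GNU_STACK, flags, 0, 0, 0, 0, 0, 0x10)
    return header + phdr


if __name__ == "__main__":
    # A binary like the one in this challenge: PIE on, NX on.
    print(parse_elf64_mitigations(build_sample_elf(pie=True, exec_stack=False)))
    # A legacy non-PIE binary with an executable stack.
    print(parse_elf64_mitigations(build_sample_elf(pie=False, exec_stack=True)))
```

The canary is not visible in the headers the same way; checkers infer it from a reference to __stack_chk_fail in the dynamic symbol table, which this example does not parse.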
Welcome to an easy Return Oriented Programming challenge...
1) Get libc address
2) Get address of a libc function
3) Nom nom r0p buffer to stack
The first option prints the address of libc.so.6, which gives the real libc base address. The second asks you to input a libc function's symbol name and prints that function's address. The third asks you to input a number (the string length) and a string.
After checking the binary in IDA Pro, we found the following: our input is stored at nptr first, then memcpy'd to savedregs. Checking the location of savedregs shows it sits right on rbp. So every time we choose 3) and input something, it is copied onto rbp, which means we can overwrite the return address. Since the binary has NX protection, we had better try a return-to-libc attack.
The key point is to find a useful gadget. At first I tried to leak libc's base address and guess the libc version so I could calculate the address of a pop rdi; ret gadget, but that ended in failure, since there was no other memory leakage vulnerability. At this point my teammate bananaapple proposed a solution: how about we find a gadget that's inside a function?
For instance, if we want a pop rdi; ret gadget: since pop rdi; ret is encoded as 5f c3 in machine code, we just have to find a function that contains the two bytes 5f c3, then calculate the offset from that function's symbol to get the gadget's address.
Using this method, we quickly found that 5f c3 is at _IO_proc_open + 0x34d and /bin/sh is at _libc_intl_domainname + 0x0242. With this information, we can now construct a ROP chain and exploit the service:
W3lcome TO THE BIG L3agu3s kiddo, wasn't your first?