32-bit ELF with no NX, PIE or RELRO protection. The program first uses mmap to allocate a region of memory and treats it as a shadow stack that stores function return addresses.
In the main function the program first asks us to input our name (the buffer is placed in the .bss section), then gives us two choices:
- Add a beer. This one first asks us for the beer description length, then lets us input our own beer description.
- Read/Modify beer description. Here we first choose one of our beers, and the program prints out its description. After that we can choose whether or not to modify the beer description.
So where's the vulnerability? The program calls `malloc` in the add beer function, but there is no `free` anywhere in the program, so it's probably not a UAF. There is a stack overflow in the beer description function, but the binary has stack guard protection enabled, so bypassing the canary check is hard. Then I took a good look at the beer description function and found that we can call it recursively by repeatedly entering an invalid choice. This makes the shadow stack keep "growing up".
And how does that help us exploit the service? First of all, we know that the `malloc` function in libc falls back to `mmap` for large allocations (over 0x20000 bytes). Since the add beer function uses `malloc` to allocate memory for our beer description, we can create a very long beer description. This makes `malloc` use `mmap` instead, and the allocated memory page is placed just before the last mmap'd page, which is the shadow stack. If we keep making the shadow stack "grow up", it will eventually overlap with the memory page holding our beer description. Since we can control (modify) the beer description, we can then modify the saved return address and point it at the name buffer, where we put our shellcode instead.
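The missing piece in the challenge binary is a bounds check on the shadow stack. As an added example (not the challenge's own code), here is an mmap-backed shadow stack that grows toward lower addresses like the one described, refuses to push past its mapping, and keeps a PROT_NONE guard page below it so an unchecked write would fault instead of landing in an adjacent mapping such as a large `malloc` chunk served via mmap; the type, function names and slot count are my own choices.

```c
#define _DEFAULT_SOURCE
#include <stddef.h>
#include <stdint.h>
#include <sys/mman.h>
#include <unistd.h>

#define SHADOW_SLOTS 1024          /* minimum number of return-address slots */

typedef struct {
    uintptr_t *lo;     /* lowest writable slot (just above the guard page) */
    uintptr_t *hi;     /* one past the highest slot */
    uintptr_t *sp;     /* grows toward lower addresses, like a real stack */
    void  *map;        /* whole mapping (guard page + slots), for munmap */
    size_t maplen;
} shadow_stack;

/* Map [guard page][slot region]. The guard page is PROT_NONE, so a write that
 * escapes the slot region faults instead of reaching the neighbouring mapping.
 * Returns 0 on success, -1 on mmap/mprotect failure. */
int shadow_init(shadow_stack *s) {
    size_t page = (size_t)sysconf(_SC_PAGESIZE);
    size_t body = (SHADOW_SLOTS * sizeof(uintptr_t) + page - 1) / page * page;
    s->maplen = page + body;
    s->map = mmap(NULL, s->maplen, PROT_READ | PROT_WRITE,
                  MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (s->map == MAP_FAILED) return -1;
    if (mprotect(s->map, page, PROT_NONE) != 0) { munmap(s->map, s->maplen); return -1; }
    s->lo = (uintptr_t *)((char *)s->map + page);
    s->hi = (uintptr_t *)((char *)s->map + s->maplen);
    s->sp = s->hi;
    return 0;
}

/* The explicit capacity check is what the writeup's binary lacks:
 * when the region is full we refuse the push instead of growing downward. */
int shadow_push(shadow_stack *s, uintptr_t ret) {
    if (s->sp == s->lo) return -1;
    *--s->sp = ret;
    return 0;
}

/* Pop the most recent entry into *ret; -1 on underflow. */
int shadow_pop(shadow_stack *s, uintptr_t *ret) {
    if (s->sp == s->hi) return -1;
    *ret = *s->sp++;
    return 0;
}

size_t shadow_capacity(const shadow_stack *s) { return (size_t)(s->hi - s->lo); }
size_t shadow_depth(const shadow_stack *s)    { return (size_t)(s->hi - s->sp); }
void   shadow_free(shadow_stack *s)           { munmap(s->map, s->maplen); }
```

Because the slot region is rounded up to whole pages, `shadow_capacity` may exceed SHADOW_SLOTS on systems with large pages; the push/pop checks use the real region bounds, not the constant.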
After I finished my exploit, I found that it would time out due to the crappy internet connection, so I had to upload my exploit to trello and ask my teammate freetsubasa to send the payload for me XD
Anyway the flag is: