TheCatism

TheCatism

Offensive Security Wannabe

Seal’s Pwn Zero2Hero Stack Challenges - Ret2libc Canary

3 minute read

This was challenge #6 from Seal’s Pwn Zero2Hero.

A source file was provided for this challenge.

7ef7fe1392dffdc0867424f8b4df3cad.png

It’s a binary that prints the contents of user input and then asks for more input.

Vulnerabilities

There’s a format string vuln on line 17. The printf should be printf("%s ", buffer); There’s also a buffer overflow on line 21. It’s using gets() which is a weak function and it lets us put in whatever input we want without checking the length of it.

Mitigations and Bypasses

This binary has a lot mitigations such as DEP, Full RELRO, PIE, a stack canary, and ASLR. To bypass these we will need to leak a libc address and the stack canary using the format sring vulnerability and then rop to call libc’s system function.

e7213043434f251aa8159f21adeebe81.png

Exploitation

Leaking Data

Using this script we were able to leak out some addresses and the stack canary.

58b38b6567e4d17d8d9aa30b9209181f.png

The stack canary was at the 9th index.

7c18b11f387109d93bd179d2371971a1.png

We can use GDB to see which addesses we leaked out belongs to libc. To do this I printed out offsets 1, 3, and 7.

1730a32b81e6e80a972940d79d2969e3.png

It looks like offset 3 is a libc address. To confirm this I just used vmmap in GDB and look for what range the address fell into.

93c6c33773532043b9701c67c28cbc32.png

The address belongs to the cmp instruction in __GI__libc_read which is 18 bytes away from the start of the function.

39eaf5836676b7bd9c4a7b1687c8e42c.png

We can get the libc base offset by substracting the leaked address from the libc base at runtime, which gives us 0x1147e2. Now that we have the base address we can do a Ret2libc

Finding the Offset

Now we can look for the offset we need to overwrite the return address. We’ll need to use pwntools and gdb to do this because the stack canary will currrently prevent us from controling RIP.

First, we’ll need to parse the leak and save the libc address and the stack canary.

e0909c5faf6fff52ff2b11630ffd1c76.png

Next, we need to take a look at the stack. By examining the stack we can see that the canary is 0x18 (24) bytes from the start of our buffer.

c3faab22528ca14599d32abe89a3279a.png

We can confirm this by using a cyclic pattern and making sure that the canary is at the 24th byte. If everything is correct we shouldnt see the stack smashing error.

When we sent the pattern we got a normal segfault.

072a21837c0cdce9d06041efd0198094.png

Now we can search for the pattern that is at RSP and get the offset which is 25.

afdbf45f1de99df6fde7a83c8ea7be1d.png

This doesn’t account for the canary though so it’s really 25 + length(canary) which is 33 since the canary is 8 bytes.

Now that we have control of the instrunction pointer, we can continue developing our exploit.

b0c9231f9388e70a97b4aeb2266652c6.png

Exploit Development

To do the Ret2libc, we will need a pop rdi gadget which we can get using ROPGadget this will pop the /bin/sh string into the RDI register so that it can be used as an argument for system. We may also need to use a ret gadget if the stack gets misaligned.

We could grab the gadgets from the challenge binary, but that would involve using another leak to bypass PIE so instead we’ll rop using the libc.

96a826a60bb774aed8de93ef66d86834.png a622ad9d2fc32cdfc714d4e3a7b1f6e7.png

To use these addresses we will need to add them to the libc base we found earlier.

0c9fe216e01933bfc5a083cef9c3d1d1.png

Now we just need to grab the addresses of the /bin/sh string and system() which is easy since libc is now based correctly.

e027b02822ce7650824c2d1c9c950f40.png

The stack gets misaligned when it gets to the pop rdi gadget so we need to add a ret gadget right before we use the pop gadget.

Solution

After all that running our script gives us a shell and the flag.

fb0d4ed19ac1f0b572a733ab521f91c9.png

Final Script

8b89bba87d4e4e76eff2bce68cac9264.png

You may also enjoy