Secret Note [PWN]

Format String and Stack Overflow :)

Chall

Let's decompile the program

Main Function

Line 1: calls the get_name() function

Line 2: uses puts to print some text

Line 3: uses gets to read input from the user. gets has no length limit, so it is vulnerable to a stack overflow

Line 4: uses puts to print some text

Now let's decompile the get_name() function

Line 1: uses puts to print some text

Line 2: uses read to get some data from the user

Line 3: uses printf to print some text

Line 4: uses printf to print the username, but the author didn't use a format specifier (such as "%s") to avoid the format string vulnerability
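As an added example (not code from the challenge or this writeup), this is how get_name() and main() look with the two bugs above closed: the username is passed as an argument to a fixed "%s" format instead of being the format, and gets() is replaced by a bounded fgets(). The names greet, read_line and format_is_literal are my own.

```c
#include <stdio.h>
#include <string.h>

/* Hardened get_name(): the user-controlled name is an ARGUMENT to a fixed "%s"
 * format, never the format itself, so "%13$p" is printed literally instead of
 * reading the 13th stack slot. Returns the number of bytes snprintf produced. */
int greet(char *out, size_t out_len, const char *name) {
    return snprintf(out, out_len, "Hello, %s!\n", name);
}

/* Hardened replacement for main()'s gets(): fgets() with an explicit bound.
 * The newline is stripped; if the line was longer than the buffer, the rest
 * is drained so it cannot spill into the next read. Returns stored length. */
size_t read_line(char *buf, size_t buf_len, FILE *in) {
    if (fgets(buf, (int)buf_len, in) == NULL) { buf[0] = '\0'; return 0; }
    size_t len = strcspn(buf, "\n");
    if (buf[len] == '\n') {
        buf[len] = '\0';
    } else { /* line longer than the buffer: drain what fgets left behind */
        int c;
        while ((c = fgetc(in)) != EOF && c != '\n') { }
    }
    return len;
}

/* Audit helper: 1 if the string holds no conversion other than the literal
 * "%%" (safe to use as a printf format), 0 otherwise. */
int format_is_literal(const char *s) {
    for (; *s != '\0'; s++) {
        if (*s == '%' && s[1] != '%')
            return 0;
        if (*s == '%')
            s++; /* skip the second '%' of "%%" */
    }
    return 1;
}

int main(void) {
    char name[16], out[64];
    FILE *in = tmpfile(); /* constructed input: an over-long line, then "%13$p" */
    if (in == NULL) return 1;
    fputs("AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\n%13$p\n", in);
    rewind(in);
    read_line(name, sizeof name, in); /* truncated to 15 bytes, no overflow */
    read_line(name, sizeof name, in); /* next line: "%13$p" */
    greet(out, sizeof out, name);
    fputs(out, stdout);               /* "Hello, %13$p!" printed literally */
    return 0;
}
```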

Now let's find out what protections are enabled in the program

We find that all protections are enabled in the program

Now let's build the exploit plan

Exploit Plan

First, use the format string to leak the canary value and the PIE base

Second, use puts to leak a libc address (bypassing ASLR) and use system to execute "/bin/sh"

Time To Leak!

The canary value is at %13$p

and the second address is main+97, which gives me the PIE base

Now we build a script to help with the leaks

After the leak, use the PIE base to get the real address of the instructions you need, like pop rdi or ret

pop rdi: pops the value on top of the stack into the rdi register.

ret: transfers control to the return address located on the stack.

Leak ASLR

After you get the real address of the function and bypass PIE and the canary, let's use puts() to bypass ASLR and get the real address of libc

First, there are two types of programs in Linux: statically linked and dynamically linked

What is statically linked?

The program contains a copy of every function it needs, without using an external library.

What is dynamically linked?

The program does not contain the library code itself; the external libraries it needs are loaded into RAM when it runs.

Example: to make this easier, take a program that uses a function from the C library found on GNU/Linux systems, the GNU C Library (glibc). The program does not contain that function; instead the compiler emits a jump-table entry and a pointer that the program uses to call the function while it is running.

The address of libc changes due to ASLR, so how does the program know the address of libc to use the functions it needs? This is where the Global Offset Table (GOT) and Procedure Linkage Table (PLT) come in.

Global Offset Table (GOT): it holds the address of the function we want to use; when we jump to it through the PLT, the function runs

PLT: it is responsible for calling the required function while the program is running, resolving it if the address is not yet known, and jumping through puts@got, which contains the real address of the puts function

when ASLR is enabled

Move the puts@got address into rdi and set rip to puts@plt to execute puts with puts@got as its argument, i.e. puts(puts@got). And why put it in rdi?

On x86-64, the first six arguments are placed in registers instead of on the stack, in this order: RDI, RSI, RDX, RCX, R8, R9

The offset to control RIP is 56 bytes

Now let's build the script

After you get the real libc base address, return to main to complete the attack and execute "/bin/sh"

Now we have everything we need to launch the ret2system attack

ret2system

Now let's run the script

It worked! 🎉
