The force is with those who read the source.
2016-02-06

## Description

Do you know Stack overflow attack?
nc pwning.pwnable.tw 48879
binary

## Exploit

There is a straightforward buffer overflow via scanf("%s") at 0x850, and as the checksec output below shows, NX and the stack canary are both disabled. It seems that we can insert shellcode and jump to it. However, as checksec also shows, this is a PIE-enabled program: with only a single buffer overflow, we can't determine where the shellcode or any other part of the program is located.

To deal with this problem, I adopt a brute-force attack that makes use of the low entropy of ASLR on 32-bit systems: I pick a plausible address for the shellcode and run the exploit repeatedly until it successfully returns to it. This wiki page has the information needed for this exploit. According to it, Linux supplies only 19 bits of stack entropy at 16-byte granularity. This is also verified by random_bits.py, a gdb script that runs the program 20 times to examine the randomness of the address of the input buffer where I will put my shellcode.

To cut the effective entropy further, I also use a 2048-byte nop sled. With that, the probability of jumping into the sled is theoretically $\frac{2^{11} \div 2^4}{2^{19}} = \frac{1}{4096} \approx 0.02\%$, which is also consistent with the results of the real exploitation.

Flag: CTF{4Slr_!S_w34kn3Ss_0n_x86_3z}

## Note

At first, I thought the success rate was $\frac{2^{11}}{2^{19}} = \frac{1}{256} \approx 0.4\%$ because I didn't take into account that the lowest 4 bits are not part of the 19 random bits. In short, only every extra $2^4$ bytes of nop sled increases the success rate by $\frac{1}{2^{19}}$. Therefore, we should divide the length of the nop sled by $2^4$, and the final success rate is $\frac{2^{11} \div 2^4}{2^{19}} = \frac{1}{4096} \approx 0.02\%$ as shown above.
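The calculation in the Exploit section and the correction in this Note can be checked by modelling the stack layout directly. The script below is an added example, not the writeup's own random_bits.py: it assumes the model the writeup describes (19 random bits that select 16-byte units of stack position, so the buffer address is `BASE + 16*r` for a uniform `r`) and a constructed placeholder `BASE` for the un-randomized stack region. It enumerates every one of the $2^{19}$ layouts, counts those in which a fixed return-address guess lands inside the sled, and compares that with both the corrected formula and the naive $2^{11}/2^{19}$ figure. The `attempts_for_confidence` helper is an addition that goes beyond the page: it turns the per-try rate into the number of tries needed to reach a given probability of at least one hit, which is what makes the weakness of 32-bit ASLR concrete from a defender's point of view.

```python
import math

ENTROPY_BITS = 19       # randomized stack bits on 32-bit Linux, as the writeup's wiki reference states
GRANULARITY = 16        # the random bits select 16-byte units; the low 4 address bits are fixed
BASE = 0xBF000000       # constructed placeholder for the start of the un-randomized stack region


def buffer_address(r, base=BASE):
    """Address of the input buffer for one draw r of the randomized bits."""
    return base + r * GRANULARITY


def theoretical_rate(sled_len):
    """The corrected formula: aligned 16-byte slots covered by the sled over all layouts."""
    return (sled_len // GRANULARITY) / (1 << ENTROPY_BITS)


def naive_rate(sled_len):
    """The first guess from the note, which forgets that the low 4 bits carry no entropy."""
    return sled_len / (1 << ENTROPY_BITS)


def hits_by_enumeration(sled_len, guess):
    """Count the layouts in which a fixed guessed address falls inside [buffer, buffer + sled_len).

    Landing anywhere in the sled slides into the shellcode at its end, so any such layout is a hit.
    """
    hits = 0
    for r in range(1 << ENTROPY_BITS):
        start = buffer_address(r)
        if start <= guess < start + sled_len:
            hits += 1
    return hits


def exact_rate(sled_len, guess):
    """Exact per-attempt success probability for one fixed guess, from the enumeration."""
    return hits_by_enumeration(sled_len, guess) / (1 << ENTROPY_BITS)


def attempts_for_confidence(rate, confidence=0.5):
    """Smallest number of independent attempts that gives at least `confidence` of one hit.

    Solves 1 - (1 - rate)**n >= confidence for n (added here, not a figure from the writeup).
    """
    return math.ceil(math.log(1.0 - confidence) / math.log(1.0 - rate))


if __name__ == "__main__":
    sled = 2048                                  # the writeup's 2^11-byte nop sled
    guess = buffer_address(1 << 18)              # a guess in the middle of the randomized range
    hits = hits_by_enumeration(sled, guess)
    print(f"layouts hit: {hits} of {1 << ENTROPY_BITS}")
    print(f"exact rate:       1/{round(1 / exact_rate(sled, guess))}")
    print(f"corrected formula: 1/{round(1 / theoretical_rate(sled))}")
    print(f"naive formula:     1/{round(1 / naive_rate(sled))}")
    print(f"tries for a 50% chance of at least one hit: {attempts_for_confidence(exact_rate(sled, guess))}")
```

The enumeration agrees with the corrected formula and not with the naive one: shifting the guess by a few bytes off 16-byte alignment does not change the count, because the set of layouts whose sled covers a fixed address always spans exactly `sled_len // 16` values of `r`. For a defender the useful number is the last line, a few thousand tries for an even chance, which is why 32-bit stack ASLR alone is not a meaningful barrier against a service that restarts after every crash.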