-->
Writeups for Cyberthon 2023 Pwn challenges
This challenge is a simple format string read and write. In this case, full RELRO is enabled so we can’t overwrite the GOT. We can leak a stack address and use it to calculate the address of RIP.
This challenge is also a format string challenge using snprintf
. The binary
checks if the parsed format string contains a “username-password” pair that was
randomly generated, then checks if the string ends with “:y”.
The generated pairs are stored in the heap. We can use %s to get a username:password pair since there are addresses on the stack pointing to the generated strings.
Since the binary appends :n to the end of our string, we need to somehow get
rid of it. snprintf
takes an integer argument to indicate how many characters
to write to the output string. Extra characters after 0x80 are truncated, hence
we can use %c to push :n out of the string and put :y just before it.
In this challenge, our goal is to leak the seed and hence guess the password the binary generated.
In IDA, we can see that the seed is located in bss. In addition, session
and
dest
are located above the seed in bss too. Our input to the binary is stored
in dest
, while the generated password is stored in session
.
We also have a one-byte overflow in strncpy
when the binary reads in our
name. Using this, we can overwrite the null byte between dest
and seed
,
hence leaking the seed. Then, we can use the seed to initialize rand()
and
generate the same password as was generated in the binary.
This is a Windows ret2win challenge. Most of the challenge is actually just red herring/serves to make the challenge more approachable but tedious. We can use IDA to analyse the executable.
In essence, the vulnerability is a buffer overflow in static region that allows
us to modify a reference to a error handler function, and change it to the win
function. There’s only 1 strlen
check to pass which we can easily bypass
using null bytes.
This challenge involves overwriting the GOT using an array OOB. I struggled a lot with trying to find a good function to overwrite, because the write is per 5 bytes and might overflow into other functions. Hence a good function must be chosen to prevent the binary from crashing as we win the game and call our win function.
The entire GOT is as shown below:
gef➤ got
GOT protection: Partial RelRO | GOT functions: 27
[0x404018] has_colors@NCURSES6_5.0.19991023 → 0x401030
[0x404020] putchar@GLIBC_2.2.5 → 0x401040
[0x404028] wbkgd@NCURSES6_5.0.19991023 → 0x401050
[0x404030] newwin@NCURSES6_5.0.19991023 → 0x401060
[0x404038] curs_set@NCURSES6_TINFO_5.0.19991023 → 0x401070
[0x404040] puts@GLIBC_2.2.5 → 0x7ffff7db9ed0
[0x404048] wborder@NCURSES6_5.0.19991023 → 0x401090
[0x404050] wgetch@NCURSES6_5.0.19991023 → 0x4010a0
[0x404058] noecho@NCURSES6_5.0.19991023 → 0x4010b0
[0x404060] setbuf@GLIBC_2.2.5 → 0x7ffff7dc1060
[0x404068] system@GLIBC_2.2.5 → 0x4010d0
[0x404070] printf@GLIBC_2.2.5 → 0x7ffff7d99770
[0x404078] initscr@NCURSES6_5.0.19991023 → 0x4010f0
[0x404080] wrefresh@NCURSES6_5.0.19991023 → 0x401100
[0x404088] start_color@NCURSES6_5.0.19991023 → 0x401110
[0x404090] keypad@NCURSES6_TINFO_5.0.19991023 → 0x401120
[0x404098] wattr_on@NCURSES6_5.0.19991023 → 0x401130
[0x4040a0] getchar@GLIBC_2.2.5 → 0x7ffff7dc0b60
[0x4040a8] mvprintw@NCURSES6_5.0.19991023 → 0x401150
[0x4040b0] init_pair@NCURSES6_5.0.19991023 → 0x401160
[0x4040b8] wmove@NCURSES6_5.0.19991023 → 0x401170
[0x4040c0] __isoc99_scanf@GLIBC_2.7 → 0x7ffff7d9b110
[0x4040c8] waddch@NCURSES6_5.0.19991023 → 0x401190
[0x4040d0] printw@NCURSES6_5.0.19991023 → 0x4011a0
[0x4040d8] exit@GLIBC_2.2.5 → 0x4011b0
[0x4040e0] endwin@NCURSES6_5.0.19991023 → 0x4011c0
[0x4040e8] wattr_off@NCURSES6_5.0.19991023 → 0x4011d0
endwin
would have been a good candidate to overwrite, since it has a lot of
not so useful functions after it (exit
, printw
). But the win function
itself also calls endwin
, and after I managed to overwrite endwin
safely I
realized that it would result in infinite recursion. If I tried to skip past
the endwin
call, it would result in stack alignment issues.
Hence, the next best function to overwrite was exit
. However, to write
completely to exit
, it’s necessary to overwrite the last byte of endwin
. At
the point of our write, endwin
hasn’t been resolved yet, so the last byte is
always 0xc0. Besides that, the rest of the payload should be fairly
straightforward: