We are given a 64-bit binary with ASLR (but no PIE). Looking through the functionality of the binary, it asks us for a name, a desc(which was a malloc-ed chunk of 0x20 size) and then through a menu prompt, let’s us concatenate stuff to this name buffer (which has a
0x80 btw) and to the desc chunk. There is also a win fucntion which simply prints the flag on the screen. So, our objective is simply to call the win function.
One obvious vulnerability was a format string vulnerability in the
main function where
printf(desc) are used. Now, since these buffers are in the BSS and heap section, so a format string was somewhat tricky(You can try that though).
ulong readline(void *param_1,int param_2)
readline function disassembly using Ghidra
main function disassembly using ghidra
Another (not so obvious) vulnerability was in the
readline function which calculated the length of the string as
len = strlen(string) and returned the value
len - 1 . Now in the
main function, when we concatenate something to the name buffer,
maxlen is updated to
maxlen = maxlen - readline(name).
Oh, and one thing to remember, the desc pointer was located just below the name buffer. So, with an overflow in the buffer we could overwrite desc pointer and then edit this modified pointer through the menu. How do we get this overflow?
If we send
\x00 as the name, then
strlen(name) would return
0x0 and the readline function would actually return
-1, this would mean
maxlen = maxlen - (-1) which effectively overflows our name buffer once, repeat this method to increase the
maxlen buffer to say
0x90. Now, we can simply overwrite the desc poiner to point it to a GOT function (I chose the
putchar@GOT for this) and then with the help of edit desc option, overwrite this GOT entry to point to win function.
The entire exploit can then be written as: