
CSAW 2015 pwn250 – contacts

contacts pwn-250 CSAW 2015

The binary actually has several vulnerabilities, but I will use a format string vulnerability to leak addresses and exploit it.

The function at .text:08048BD1 prints the contact details. The assembly of the function is:

We can see that at .text:08048C22 the function takes our input (the contact description) and uses it as the format argument of printf. This is an obvious format string vulnerability.

So I can use this vulnerability to leak any value from the stack. That is good because we will use it to leak the addresses of mapped libc functions.

To exploit, I need my buffer on the stack, so that I can point at the location whose value I want to overwrite and then use %n or %hn to write 4 or 2 bytes respectively. The contact is a struct object:

Both the description and phone pointers point into the heap. Actually, nothing is on the stack except length_desc. If I set length_desc = 0x41414141, it shows up as the 9th value on the stack.

Ok, great. Now I have a read-what-where and write-what-where primitive.
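To make the bug at .text:08048C22 concrete from the defender's side, here is an added example (my own code, not the challenge binary's) showing the vulnerable sink next to its hardened form, plus a small audit helper. The struct layout, the field names and the sample description "AAAA%x%x%x%n" are assumptions for illustration only.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Minimal stand-in for the challenge's contact struct (layout is assumed). */
struct contact {
    const char *name;
    const char *phone;
    const char *description;   /* user-controlled, lives on the heap */
    size_t length_desc;
};

/* VULNERABLE sink: the description is passed as the format argument, the same
 * pattern as the call at .text:08048C22. Any %x/%s/%n in it is interpreted by
 * printf. GCC's -Wformat-security flags exactly this call; the pragma only
 * keeps the example compiling where that warning is promoted to an error. */
void print_contact_vuln(const struct contact *c)
{
    printf("Description: ");
#pragma GCC diagnostic push
#pragma GCC diagnostic ignored "-Wformat-security"
    printf(c->description);   /* BUG: format string comes from the user */
#pragma GCC diagnostic pop
    putchar('\n');
}

/* HARDENED sink: the description is a %s argument, so its bytes are printed
 * verbatim and no directive inside it is ever interpreted. */
void print_contact_safe(const struct contact *c)
{
    printf("Description: %s\n", c->description);
}

/* Same hardened rendering into a caller-supplied buffer, so the behaviour can
 * be checked without capturing stdout. Returns the rendered length. */
int render_contact_safe(const struct contact *c, char *out, size_t out_len)
{
    return snprintf(out, out_len, "Description: %s", c->description);
}

/* Self-check: 1 if the hardened rendering reproduces the description byte for
 * byte after the fixed "Description: " prefix (13 characters), else 0. */
int safe_render_is_verbatim(const char *desc)
{
    struct contact c = { "check", "000", desc, strlen(desc) };
    char out[256];
    render_contact_safe(&c, out, sizeof out);
    return strncmp(out, "Description: ", 13) == 0 && strcmp(out + 13, desc) == 0;
}

/* Audit helper: count '%' conversion directives in untrusted input. "%%" is a
 * literal percent sign and is not counted. A non-zero count in a field that
 * should be plain text is worth logging as a probable format-string probe. */
int count_format_directives(const char *s)
{
    int n = 0;
    for (const char *p = s; *p != '\0'; p++) {
        if (*p != '%')
            continue;
        if (p[1] == '%') {   /* escaped percent, skip both characters */
            p++;
            continue;
        }
        n++;
    }
    return n;
}

int main(void)
{
    /* Constructed sample: a description carrying stack-read and %n directives. */
    struct contact c = { "alice", "555-0100", "AAAA%x%x%x%n", 12 };
    char buf[64];

    printf("directives in description: %d\n", count_format_directives(c.description));
    render_contact_safe(&c, buf, sizeof buf);
    puts(buf);                 /* the %x and %n characters appear literally */
    print_contact_safe(&c);    /* same result, straight to stdout */
    /* print_contact_vuln(&c) is deliberately not called: with this input it
     * would read stack slots and write through %n. */
    return 0;
}
```

The fix is a single literal format string; everything else in the block is there to show the difference. Building with -Wformat -Wformat-security (or -Werror=format-security) catches the vulnerable call at compile time, and linking with full RELRO (-Wl,-z,relro,-z,now) makes the GOT read-only after startup, so the write to free's GOT entry used later in this writeup would fault instead of succeeding.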

Exploitation

The binary has NX enabled, so we will probably use ret2libc. ASLR was enabled, so we should leak the address of a libc function and then calculate the address of system() from it. Checking the other values on the stack with the format string vuln, I found the address of __libc_start_main_ret at offset 31. In my exploitation I will overwrite the GOT entry of free() with system, which makes the exploitation much easier. The free() function receives the address of the contact's description. It is called like this:
free(contact.address);
If I manage to replace free() with system, then all I need to do is put my "/bin/bash" in the description and try to remove that contact. It will then call
system(contact.address)

The GOT entry of free is at 0x804b014.

To exploit, I followed these steps:
1- Create a contact to leak the address of __libc_start_main_ret
2- Calculate the address of system
3- Create a contact to write the first two bytes of free()'s GOT entry using %hn
4- Create a contact to write the second two bytes of free()'s GOT entry using %hn
5- Create a dummy contact with description "/bin/sh"
6- Remove the dummy contact; a shell will pop up


PS: I solved this one after the CTF. I am still practicing pwning :). I just wanted to share it because most of the write-ups I read use two vulnerabilities together or use ROP, and the exploitation is a bit more complex. This one is much easier.

Published in writeups
