Lorenzo La Corte - 2023/2024 - Università degli Studi di Genova
<aside> 💡 Link to the web version (more readable): https://llacorte.notion.site/BASC-Assignment-4-Exploitation-d5f2834dc9974e3593b02ca7b14a2aaf?pvs=4
</aside>
This report provides descriptions of exploits for different challenges:
| Challenge | Vulnerability | Mitigations - requirements - constraints - limitations | Possible Exploitation | Exploit |
|---|---|---|---|---|
| Call Me | Buffer Overflow | | Overwrite the return address and return to print_flag | Link |
| Call Me | Buffer Overflow | - No gadgets for calling execve (not possible to do a return-to-system ROP chain attack)<br>- target is not on the stack | Use the user_input buffer to point to target and inject a value into it | Link |
| Really Optimized Primality-Test | Buffer Overflow | | Overwrite the return address and use a return-to-system ROP chain attack to spawn a shell | Link |

<aside> 💡 As the name suggests, you should probably call some function (with the correct arguments) to make the service print a flag. Are there any other flags? Maybe...
</aside>
Let’s start by analyzing it:

```
$ file call_me_LorenzoLaCorte
call_me_LorenzoLaCorte: ELF 32-bit LSB pie executable, Intel 80386, ... stripped
```
It is a 32-bit, stripped, position-independent executable; when I run it, it keeps asking me for input:

```
$ ./call_me_LorenzoLaCorte
Enter line #1: lax
Enter line #2: lax
Enter line #3: lax
Enter line #4: lax
Enter line #5: lax
Enter line #6: lax
Enter line #7:
```
After identifying the entry point, I can take a look at the main function, which:

- calls setvbuf to configure stdin, stdout, and stderr to have no buffering: the buffer will be flushed whenever a newline character is encountered;
- calls a function I renamed all_the_logic (... file system errors).

all_the_logic: the function is enclosed in a while (true) loop that continues until a break condition is met.
The loop is probably comparing the user input with an array of strings (`&PTR_s_Color_me_your_color,_baby_00014020`).