0ctf FlagGenerator writeup

FlagGenerator was an exploitation challenge worth 250 pts on 0ctf[1]. We are given the binary[2] and it's libc[3] file. Let's start.

1: https://ctf.0ops.sjtu.cn

2: http://dl.0ops.net/flagen

3: http://dl.0ops.net/libc.so.6

Let start from main and see what's going on

we show the calls and we check getinput function. This function is responsible for viewing the options and selecting one which has a psudeo-code

so we start checking each of the options above and we find that #4 the leetify function 0x80488c6 is vulnerable. When the function recieves char 'h' or 'H' it goes to 0x0804895a which is vulnerable.

what happens above is that when 'h' or 'H' are read they are converted to '1-1' so they generate 3 bytes instead of all the other cases 'aAzZlLoO..' which read 1 and generate 1 byte. This without checking the size can cause an overflow in src..

so if dst was 256 bytes and src can only hold 256 then if all dst content is 'h' or 'H' then the src will hold 256*3 bytes which will overflow. This binary is compiled with canary so cookie which will be overwritten will cause a call to __stack_check_fail.

So the exploit is

The way we build this exploit is first we jump to this gadget

This will allow us to set the esp to a controlled buffer so we can ROP more. We used puts at 0x08048510 to print content at 0x0804b004 which is the beginning of got.plt+4 section. We need this information. We find that leaked addresses are in this format.

we calculate an offset for this address to &system and to string /bin/sh in the given libc. The offsets found are fixed by -1648552 to get to system from the leaked address at 0x0804b004 and by -1648552-0x2e9ce to /bin/sh from the leaked address. Then we use this information to call system("/bin/sh") by bruteforcing. Exploiting multiple times. Because we know at some point these

addresses will be true and the code will be executed. So we run the exploit many times and we get this .

Proxied content from gemini://0x80.org/gemlog/2015-03-30-0ctf-flaggenerator-writeup.gmi.
Get a proper gemini browser and visit!

Gemini request details:

Original URL
Status code