Note: All the related files that are mentioned in this post can be found here.
Category: Pwn
The task:
Analysis
We were given a binary and a C file with partial source code:
The source code of vuln() was provided and has a buffer overflow with a static stack "cookie", but safeguard()'s source was not provided.
When reversing the binary, it looks like the safeguard function is calling handle_cmds.
The handle_cmds function has a call system@plt gadget, but when trying to jump there directly we'll get a SIGSYS (probably because the binary has some ptrace monitoring). In the beginning I thought the task was to bypass the ptrace stuff. But after the CTF ended I realized I missed a very important hint that the challenge author left in the source code.
The correct solution: handle_cmds is "intercepting" the trap raised by the int3 instruction and expects special parameters.
What we needed to do is to execute the int3 instruction with 0x1337 and 0x31337 as parameters; this is why the challenge author added a comment in bof.c:
The int3 instruction triggers the handle_cmds function, which checks whether the parameters are correct (0x1337 and 0x31337):
If they are correct, it will execute /bin/cat /app/flag.txt.
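As an added illustration (not the challenge's code and not the author's exploit), the C program below shows the mechanism described above: a process installs a SIGTRAP handler that intercepts its own int3 and reads the register state saved at the trap, so it can check for the expected 0x1337 and 0x31337 values. Which registers carry the parameters is not shown on this page; rdi and rsi are assumed here, and all function names are assumptions.

```c
// Added example (not the challenge's code): a process intercepting its own
// int3 trap and validating "parameters" in registers, as the writeup says
// handle_cmds does. Assumption: the parameters travel in rdi and rsi.
#define _GNU_SOURCE
#include <signal.h>
#include <stdint.h>
#include <string.h>
#include <ucontext.h>
#define MAGIC_A 0x1337UL
#define MAGIC_B 0x31337UL
static volatile sig_atomic_t last_verdict = -1;

// Pure check on the two parameters: 1 if both match, else 0.
int check_cmd(uint64_t a, uint64_t b) {
    return (a == MAGIC_A && b == MAGIC_B) ? 1 : 0;
}

// SIGTRAP handler: the register file at the moment of the trap is in
// the ucontext, so the handler can read what the trapping code loaded.
static void handle_cmds(int sig, siginfo_t *si, void *ctx_) {
    (void)sig; (void)si;
    ucontext_t *ctx = (ucontext_t *)ctx_;
#if defined(__x86_64__)
    last_verdict = check_cmd((uint64_t)ctx->uc_mcontext.gregs[REG_RDI],
                             (uint64_t)ctx->uc_mcontext.gregs[REG_RSI]);
#else
    (void)ctx; last_verdict = 0;   // register layout only handled for x86-64
#endif
    // The challenge acts on a match (it runs cat on the flag); this example
    // only records the verdict and lets execution resume after the int3.
}

// Install handle_cmds for SIGTRAP; returns 0 on success like sigaction().
int install_trap_guard(void) {
    struct sigaction sa;
    memset(&sa, 0, sizeof sa);
    sa.sa_sigaction = handle_cmds;
    sa.sa_flags = SA_SIGINFO;
    return sigaction(SIGTRAP, &sa, NULL);
}

// Execute int3 with a/b in rdi/rsi and return the handler's verdict.
int trigger(uint64_t a, uint64_t b) {
    last_verdict = -1;
#if defined(__x86_64__)
    __asm__ volatile("int3" : : "D"(a), "S"(b) : "memory");
#else
    (void)a; (void)b; raise(SIGTRAP);
#endif
    return (int)last_verdict;
}
```

Running this under a debugger will stop at the int3 before the handler sees it; run it directly to observe the handler's verdict.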
Exploitation
To exploit this bug: shift the stack accordingly and create a ROP chain that will:
- Populate the registers (just like in the hint the challenge author left us in bof.c)
- Jump to another gadget which executes int3
Exploit:
Output: