Note: All the related files that are mentioned in this post can be found here.
Category: Pwn
The task:
This challenge required us to overcome binary protections such as NX, Stack canaries and ASLR.
Analysis
We were given a binary (`./canned`) and a remote host (which runs this binary).
What are we working with:
- The binary has a format string vulnerability
- It also has a buffer overflow
- The binary has PIE disabled, meaning that the GOT/PLT has a fixed address.
Obstacles:
- The binary has NX protection enabled
- Stack canary protection is also enabled (libc's FORTIFY stuff), which prevents RIP takeover via the stack.
- The address of libc is randomized (ASLR), so we cannot know where to jump even if we manage to leak the stack canary and take over RIP.
- We don't know the version of libc on the target server.
Solution
- To overcome the stack canary and skip libc's `*** stack smashing detected ***` error, we can use the format string vulnerability to leak the stack cookie.
- To overcome NX: we'll perform a ret2libc attack.
- To overcome libc's ASLR: we'll leak the GOT entry of `puts@plt` using a ROP gadget.
- After getting a leaked libc `puts` address, we can determine the libc version the server is running using tools like libc-database.
- When we get the libc version, we can download a copy of the `libc.so` file and analyze its symbols & offsets to calculate the libc base address on the target server.
- After getting the base address, it is fairly easy to calculate the address of `system`.
- At the end, we'll make another `ret` to `main` in order to restart the program.
- Landing again on `main`, we'll exploit the buffer overflow one more time, but this time with another ROP chain to perform a ret2libc attack with our known values (address of libc's `system` + leaked canary) to pop a shell.
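The "leaked `puts` address to libc base to `system`" arithmetic above, as an added Python illustration that is not code from the original post. The symbol offsets, page size and leaked bytes are constructed assumptions standing in for what `readelf -s` on the matching `libc.so` and the real leak would give; the page-alignment check is the sanity test that catches picking the wrong libc build.

```python
import struct

# Constructed example offsets (not the challenge's real values): the kind of
# numbers you read from the downloaded libc.so with `readelf -s libc.so`.
LIBC_OFFSETS = {"puts": 0x80ED0, "system": 0x4F550}
PAGE_SIZE = 0x1000


def parse_leak(raw: bytes) -> int:
    """Convert the raw bytes puts() printed for the GOT entry into an address.

    puts() stops at the first NUL byte, so an x86-64 address usually comes
    back as 6 bytes (the top two bytes are zero). Pad to 8 and unpack as
    little-endian.
    """
    addr_bytes = raw[:8].ljust(8, b"\x00")
    return struct.unpack("<Q", addr_bytes)[0]


def libc_base(leaked_puts: int, offsets=LIBC_OFFSETS) -> int:
    """Subtract the symbol offset from the leaked address to get the base.

    libc is mmap'ed page-aligned, so a base with low bits set means the
    offsets belong to a different libc build than the one the server runs
    (the libc-database lookup picked the wrong candidate).
    """
    base = leaked_puts - offsets["puts"]
    if base & (PAGE_SIZE - 1):
        raise ValueError(f"base {base:#x} is not page-aligned: wrong libc version?")
    return base


def resolve(symbol: str, base: int, offsets=LIBC_OFFSETS) -> int:
    """Address of any libc symbol once the base is known."""
    return base + offsets[symbol]


if __name__ == "__main__":
    # Constructed leak: 6 bytes as puts() would emit them for 0x7f1234580ed0.
    leak = b"\xd0\x0e\x58\x34\x12\x7f"
    puts_addr = parse_leak(leak)
    base = libc_base(puts_addr)
    print(f"puts   = {puts_addr:#x}")
    print(f"base   = {base:#x}")
    print(f"system = {resolve('system', base):#x}")
```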
aaaand thanks for the challenge :D