search

Challenge example

hashtag
Source code

#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#include "serve.h"

int fd_f;

int authentification(void) {
    char buf[20];
    char passwd[16] = "";  // array to store the secret pass

    FILE *fp = fopen(".passwd", "r");
    fread(passwd, 1, 15, fp);
    fclose(fp);
    passwd[15] = '\0';

    write(fd_f, "Password :\n",11);
    read(fd_f, buf, 1024);
    if (!strcmp(buf, passwd)) {
        return 1;
    } else {
        return 0;
    }
}

void admin(void){
    write(fd_f, "Congratulation\n", 15);
}

void serve(int fd_) {
    int auth;
    fd_f = fd_;

    write(fd_f, "Welcome, please login in order to use the app.\n",47);
    auth = authentification();

    if (auth) {
        write(fd_f, "Welcome User\n",13);
    } else {
        write(fd_f, "Bad password\n",13);
    }
    return;
}


int main() {
    Serve socket = Serve_Create();

    if(socket.Bind(&socket, "0.0.0.0", 1337) < 0){
        perror("Binding socket error :");
        exit(1);
    } else if (socket.Listen(&socket, serve, 5) < 0){
        perror("Listen error :");
        exit(1);
    }
    return 0;
}

The binary is compiled with both PIE and Stack canary and is served using the serve.c code

circle-info

The serve.c code will not be explain here.

It will just serve the binary over a socket and make a fork of it to handle multiple connection at a time.

The buffer overflow occur during the authentication function at line 19 :

hashtag
Exploitation

Using the stack reading technique is possible to retrieve the needed values and then reuse it and overwrite RIP to search gadgets.

Bropper arrow-up-rightcan be used to do it

hashtag
Exercice

If you want to try this exploit by yourself, you can pull this docker imagearrow-up-right :

Deploy the image using the followed command :

Access to the web shell with your browser at the address : http://localhost:3000/

PreviousBlind Return Oriented Programming - BROPNextCall Oriented Programming - COP

Last updated