Challenge example

Source code

#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#include "serve.h"

int fd_f;

int authentification(void) {
    char buf[20];
    char passwd[16] = "";  // array to store the secret pass

    FILE *fp = fopen(".passwd", "r");
    fread(passwd, 1, 15, fp);
    fclose(fp);
    passwd[15] = '\0';

    write(fd_f, "Password :\n",11);
    read(fd_f, buf, 1024);
    if (!strcmp(buf, passwd)) {
        return 1;
    } else {
        return 0;
    }
}

void admin(void){
    write(fd_f, "Congratulation\n", 15);
}

void serve(int fd_) {
    int auth;
    fd_f = fd_;

    write(fd_f, "Welcome, please login in order to use the app.\n",47);
    auth = authentification();

    if (auth) {
        write(fd_f, "Welcome User\n",13);
    } else {
        write(fd_f, "Bad password\n",13);
    }
    return;
}


int main() {
    Serve socket = Serve_Create();

    if(socket.Bind(&socket, "0.0.0.0", 1337) < 0){
        perror("Binding socket error :");
        exit(1);
    } else if (socket.Listen(&socket, serve, 5) < 0){
        perror("Listen error :");
        exit(1);
    }
    return 0;
}

The binary is compiled without PIE and is served using the serve.c code

The serve.c code will not be explain here.

It will just serve the binary over a socket and make a fork of it to handle multiple connection at a time.

The buffer overflow occur during the authentication function at line 19 :

Exploitation

Using the stack reading technique is possible to retrieve the canary value and then reuse it and overwrite RIP to jump to the admin function.

Exercice

If you want to try this exploit by yourself, you can pull this docker image :

Deploy the image using the followed command :

Access to the web shell with your browser at the address : http://localhost:3000/

PreviousStack readingNextFormat string

Last updated