I am trying to exploit a buffer overflow from TryHackMe > PWN101 > pwn107.
The exploit uses a format string vulnerability to leak both the canary and a dynamic address so that we can calculate the address of get_address(), a.k.a. our win function (which contains /bin/sh), and hijack the return address. We must also overwrite the canary with itself.
I am writing my exploit in Python, using pwntools, and debugging using radare2.
The file has PIE, NX and a canary.
I have successfully leaked the canary and the dynamic address of main. (Well, I really think it's main because it displays in radare2 as:
0x7ffd3045a928 0x0000560418400992 [email protected].. /home/ceej/tryHackMe/pwn107/pwn107.pwn107 .text main,main,r13,r9 main program R X 'push rbp' 'pwn107.pwn107'
I can successfully overwrite the canary as I do not receive a "stack-smashing" error.
By sending a format string of "%13$lx.%17$lx", our stack looks like this:
[0x560418400a36]> pxr @ rsp
0x7ffd3045a8d0 0x252e786c24333125 %13$lx.% @ rsp ascii ('%')
0x7ffd3045a8d8 0x00000a786c243731 17$lx...
0x7ffd3045a8e0 0x0000000000000002 ........ 2
0x7ffd3045a8e8 0x000000000f8bfbff ........ 260832255
0x7ffd3045a8f0 0x00007ffd3045ad29 ).E0.... [stack] stack R W 0x34365f363878 x86_64
0x7ffd3045a8f8 0x0000000000000064 d....... 100 ascii ('d')
0x7ffd3045a900 0x0000000000001000 ........ 4096
0x7ffd3045a908 0xd0f326fd5de89c00 ...].&..
0x7ffd3045a910 0x0000000000000001 ........ @ rbp 1
0x7ffd3045a918 0x00007f5b1f029d90 ....[... /usr/lib/x86_64-linux-gnu/libc.so.6 library R X 'mov edi, eax' 'libc.so.6'
0x7ffd3045a920 ..[ null bytes ].. 00000000
0x7ffd3045a928 0x0000560418400992 [email protected].. /home/ceej/tryHackMe/pwn107/pwn107.pwn107 .text main,main,r13,r9 main program R X 'push rbp' 'pwn107.pwn107'
0x7ffd3045a930 0x000000013045aa10 ..E0.... 5104839184
0x7ffd3045a938 0x00007ffd3045aa28 (.E0.... [stack] r12 stack R W 0x7ffd3045c3d6
0x7ffd3045a940 ..[ null bytes ].. 00000000
0x7ffd3045a948 0x30f586575c89a646 F..\W..0
0x7ffd3045a950 0x00007ffd3045aa28 (.E0.... [stack] r12 stack R W 0x7ffd3045c3d6
0x7ffd3045a958 0x0000560418400992 [email protected].. /home/ceej/tryHackMe/pwn107/pwn107.pwn107 .text main,main,r13,r9 main program R X 'push rbp' 'pwn107.pwn107'
0x7ffd3045a960 ..[ null bytes ].. 00000000
*** deleted irrelevant lines***
Our canary is at 0x7ffd3045a908, the return address is at 0x7ffd3045a918, and the address of main() that we will leak to bypass PIE is at 0x7ffd3045a928.
Then after successfully leaking the canary and address of main(), our stack looks like this:
[0x560418400a36]> pxr @ rsp
0x7ffd3045a8d0 0x252e786c24333125 %13$lx.% @ rsp ascii ('%')
0x7ffd3045a8d8 0x00000a786c243731 17$lx...
0x7ffd3045a8e0 0x0000000000000002 ........ 2
0x7ffd3045a8e8 0x000000000f8bfbff ........ 260832255
0x7ffd3045a8f0 0x4141414141414141 AAAAAAAA @ rsi ascii ('A')
0x7ffd3045a8f8 0x4141414141414141 AAAAAAAA ascii ('A')
0x7ffd3045a900 0x4141414141414141 AAAAAAAA ascii ('A')
0x7ffd3045a908 0xd0f326fd5de89c00 ...].&..
0x7ffd3045a910 0x4242424242424242 BBBBBBBB @ rbp ascii ('B')
0x7ffd3045a918 0x00000000000006fe ........ 1790
0x7ffd3045a920 0x000056041840094c [email protected].. /home/ceej/tryHackMe/pwn107/pwn107.pwn107 .text get_streak sym.get_streak program R X 'push rbp' 'pwn107.pwn107'
0x7ffd3045a928 0x000056041840090a [email protected].. /home/ceej/tryHackMe/pwn107/pwn107.pwn107 .text sym.setup program R X 'add eax, 0xfffe10e8' 'pwn107.pwn107'
*** deleted irrelevant lines***
As you can see, the canary was properly overwritten, rbp was overwritten, a ret gadget (for stack alignment) was placed, and then we properly hijacked the return address. So why isn't a shell being popped?
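A sanity check worth running against the two radare2 dumps above before asking "why no shell": every value written into the return slot and the slots after it must be a code pointer that was actually relocated against the leaked PIE address, and the canary slot must be byte-identical before and after the overflow. This is an added example, not code from the post; it parses the address/value columns of the quoted `pxr` output (copied below as a constructed sample), and the 2 MiB text-region span and the page-aligned base guess are assumptions, not values from the binary.

```python
import re

# Constructed sample: the address and value columns of the two `pxr @ rsp`
# dumps quoted in the post (before and after the overflow), values as posted.
BEFORE = """
0x7ffd3045a908 0xd0f326fd5de89c00
0x7ffd3045a910 0x0000000000000001
0x7ffd3045a918 0x00007f5b1f029d90
0x7ffd3045a928 0x0000560418400992
"""
AFTER = """
0x7ffd3045a908 0xd0f326fd5de89c00
0x7ffd3045a910 0x4242424242424242
0x7ffd3045a918 0x00000000000006fe
0x7ffd3045a920 0x000056041840094c
0x7ffd3045a928 0x000056041840090a
"""

PXR_LINE = re.compile(r"^(0x[0-9a-f]+)\s+(0x[0-9a-f]+)", re.M)

def parse_pxr(dump):
    """Map each stack slot address to the qword radare2 printed there."""
    return {int(a, 16): int(v, 16) for a, v in PXR_LINE.findall(dump)}

def same_mapping(ptr, leaked_code_ptr, span=0x200000):
    """True if ptr lies in the same PIE text region as a leaked code pointer.
    Assumption: the region starts at the page containing the leak and is
    no larger than `span` bytes; an unrelocated offset like 0x6fe fails this."""
    base = leaked_code_ptr & ~0xfff
    return 0 <= ptr - base < span

def audit_overwrite(before, after, canary_slot, ret_slot, leaked_code_ptr, n_slots=3):
    """Return human-readable findings for the slots an exploit must control."""
    findings = []
    if before[canary_slot] != after[canary_slot]:
        findings.append("canary slot changed: the stack check will abort")
    for i in range(n_slots):
        slot = ret_slot + 8 * i
        val = after.get(slot)
        if val is not None and not same_mapping(val, leaked_code_ptr):
            findings.append(f"slot {slot:#x} holds {val:#x}: not a PIE-relocated code pointer")
    return findings

if __name__ == "__main__":
    for line in audit_overwrite(parse_pxr(BEFORE), parse_pxr(AFTER),
                                0x7ffd3045a908, 0x7ffd3045a918, 0x560418400992):
        print(line)
```

Run against the posted dumps, the only finding is the return slot at 0x7ffd3045a918, whose 0x6fe has no PIE base added, while the canary slot and the two following code pointers pass.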