- Out-of bounds index write allows byte-by-byte overwrite of return address
After millions of bugs, all my homies hate C.
We are given a C++ binary, along with libc and libstdc files.
The mitigations enabled on the binary were as follows:
On reversing the binary, we found out that it had a 10x10 grid, and the binary had two main functions: one to insert a character into the grid, and one to display the grid. A loop was also present, which allowed us to insert/display values 100 times.
After reversing, it was pretty clear that there was no index check on the
insert function, allowing us to insert at any location. Also the
display function copied our current grid onto the stack, thus allowing us to potentially overwrite any value on the stack.
for ( x = 0; x <= 99; ++x )
From this, it was evident that we could write one character at a time onto an arbitrary location on the stack, thus allowing us to potentially overwrite both the return address, and the loop checker variable. This also allows us to bypass the canary, and directly overwrite the return address.
On further examination of the stack during the display function, it was obvious that the grid was not initialized, so displaying the grid allowed us to leak addresses off the stack.
Great! We got a libc leak, all that was left was to calculate the grid offsets (as it was 10x10, and addresses are 8 bytes long), and our exploit was complete!
The plan for the exploit was as follows:
- Leak libc addresses off the stack using
- Overwrite the return address byte-by-byte with our ropchain (to call
- Overwrite the checking variable with a value greater than 100 (0x64), to exit the loop
displayto push the new grid onto the stack, completing the overwrite
from pwn import *
Running this exploit gives us the flag!
d4rk_kn1gh7 @ BatMobile python grid.py