https://codeby.games/categories/pwn/d452cdbb-c9cb-4aa1-9d25-3be6bf171223

1. Vulnerability detection

Since the program accepts user input, it is wise to check it for a buffer overflow.

The buffer overflow is obvious here, and we have overwritten the RIP register.

2. Offset calculation

IDA Pro shows that there is a function called enter_name that creates a local variable buf located at offset rbp-16. Hence, to reach the slot that RSP points to at the ret (the saved return address), we add another 8 bytes for the saved RBP, since the binary was compiled for x86-64.

To confirm that, we run a gdb session that feeds the program 24 bytes of garbage followed by 8 ‘z’ characters.

run < <(python -c "print('A'*24+'zzzzzzzz')")

As we can see, the top of the stack (pointed to by RSP) was successfully overwritten with our payload of 8 ‘z’ characters. The program terminates because that value is not a valid address: ret pops the first value off the stack and places it into RIP.
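The frame arithmetic behind the 24-byte offset, plus the bounded read that would have stopped the overflow, as an added example that is not code from the writeup or the task binary. The 16-byte buffer at rbp-16 comes from the page; the function names, the probe string and the slot model are assumptions.

```c
#include <stdio.h>
#include <string.h>

/* Typical x86-64 frame: the return address sits 8 bytes above the saved RBP.
 * With buf at rbp-16 that gives 16 bytes of buffer, 8 bytes of saved RBP,
 * and the return address starting at input byte 24. */
enum slot { SLOT_BUFFER, SLOT_SAVED_RBP, SLOT_RET_ADDR, SLOT_CALLER_FRAME };

#define SAVED_RBP_SIZE 8   /* one 64-bit register */
#define RET_ADDR_SIZE  8   /* one 64-bit pointer */

/* Offset from the start of buf at which input bytes reach the return address. */
size_t ret_addr_offset(size_t buf_off_from_rbp) {
    return buf_off_from_rbp + SAVED_RBP_SIZE;
}

/* Which stack slot the idx-th input byte (0-based) lands in. */
enum slot slot_of_byte(size_t buf_off_from_rbp, size_t idx) {
    if (idx < buf_off_from_rbp) return SLOT_BUFFER;
    if (idx < ret_addr_offset(buf_off_from_rbp)) return SLOT_SAVED_RBP;
    if (idx < ret_addr_offset(buf_off_from_rbp) + RET_ADDR_SIZE) return SLOT_RET_ADDR;
    return SLOT_CALLER_FRAME;
}

/* Hardened read (assumed fix): copy at most dstlen-1 bytes and always
 * NUL-terminate. Returns 0 if the input fit, -1 if it was truncated, so
 * bytes that would have reached saved RBP or the return address are dropped. */
int read_name_bounded(char *dst, size_t dstlen, const char *input) {
    if (dstlen == 0) return -1;
    int n = snprintf(dst, dstlen, "%s", input);
    return (n < 0 || (size_t)n >= dstlen) ? -1 : 0;
}

int main(void) {
    /* Constructed probe mirroring the writeup: 24 'A's then 8 'z's. */
    const char *probe = "AAAAAAAAAAAAAAAAAAAAAAAAzzzzzzzz";
    char buf[16];
    size_t i;
    printf("return address starts at input offset %zu\n", ret_addr_offset(16));
    for (i = 0; probe[i]; i++)
        if (slot_of_byte(16, i) == SLOT_RET_ADDR)
            printf("byte %zu ('%c') lands in the return address\n", i, probe[i]);
    printf("bounded read: %s, buf=\"%s\"\n",
           read_name_bounded(buf, sizeof buf, probe) ? "truncated" : "fit", buf);
    return 0;
}
```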

3. Leaking addresses

Since we know that we can easily control RIP, it is time to think about how to use that control meaningfully.

First we check the binary's protections:

$ checksec ./task
[*] '/home/delinester/Desktop/task'
    Arch:     amd64-64-little
    RELRO:    Partial RELRO
    Stack:    No canary found
    NX:       NX enabled
    PIE:      No PIE (0x400000)

The executable has the NX bit enabled, meaning that we cannot place shellcode in the buffer and execute it from the stack.

ROP and ret2plt technique

Our next step is to check whether we have all the “gadgets” necessary to pwn the machine. Inspecting the file in IDA, we conclude that one possible option is to call system("/bin/sh"), which lives in the dynamically linked libc library.