As a first step, as a good practice, I always analyze the security flags of the binary:
CheckSec
And as we can see, it indeed has PIE (Position Independent Executable) enabled. This means that memory addresses are randomized on each execution and differ from the local ones. We are also given the source code directly, so we donโt need to analyze it with ghidra. As we can see, it leaks the address of the main function:
1
printf("Address of main: %p\n",&main);
This program takes an address as input and performs a jmp (jump) to that address. Reading the source, there is a function called win that reads the flag.txt file where the flag is stored. However, this function is obviously not called, we need to use the jmp to jump to the function via its address, and since we know that the distance (offset) between two functions is fixed, we can calculate it locally and then, once we get the address of main remotely, subtract the offset and consequently jump to the win function containing the flag.
๐ฏ Solution Path
Exploitation Steps
Initial setup
As a first step, I calculate the local offset by doing main address - win address. I did it directly from pwngdb with the command p/x &main - &win:
Offset
As we can see, the offset is 0x96, let’s proceed with the exploitation.
Exploitation
I then connected with nc and obtained the address of the main 0x56a08049a33d. Then I opened pwndbg again and ran p/x 0x56a08049a33d - 0x96 to calculate the address of the win function, obtaining: 0x56a08049a2a7. Once entered as input when asked for the address we want to jump to, I obtained the flag.
Flag capture
Manual Flag
๐ ๏ธ Exploitation Process
Approach
The exploit uses pwntools and regex to extract the address of the main, calculate the offset, and send the address of the win function as done previously. Then it extracts the flag from the response using a regex and prints it.
