WolvSec CTF: pwning canaries

Another writeup for a pwn CTF challenge! In this challenge, we need to leak the canary value via format strings, and do a buffer overflow to change the return address to the desired function.

The program

The buffer for us to overflow is 16 characters long. The program first reads in data and passes it to printf as the format string, then prints the result. Next it asks for an overflow value, which is the second part of the attack. Let's look at how to get the canary value first.

If we enter %x as an input, we get a hex value. Looking at IDA, this corresponds to the value on the stack.

Value pulled from the stack

If we step through the program, we see the value of the canary that it is comparing against. We reference back to the stack to see what the offset is from the first value.

The canary value in EAX, which is AA1C8C00
Looking at the stack, it is 11 places away from the first value of the stack

We can't simply write %x 11 times like this %x%x%x%x%x%x%x%x%x%x%x: that is 22 characters, which already overflows the 16-character buffer and overwrites the values on the stack, including the canary value. Hence we have to use a positional argument to read the 11th position on the stack directly: %11$x

Pulling out the 11th item on the stack, which is the canary value
Double checking that the value is the same in EAX, which it is!

Knowing the overflow amount and the stack canary, we just need to get the address of the print_flag function via gdb.

Stringing everything together with pwntools: we needed to add more \xaa after the canary to overflow the saved EBP and the rest of the frame before the print_flag address lands in the RET slot.

pwntools stuff
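The two bugs this challenge chains are a user-controlled printf format string and an unbounded copy into a 16-byte stack buffer. As an added example (not the challenge's source or the author's script), here is the hardened version of that input routine next to a small check a defender can use to flag inputs carrying format directives such as %11$x; the function names and the 16-byte size are assumptions modelled on the writeup.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <string.h>
#include <stdbool.h>

#define BUF_LEN 16   /* assumed to match the challenge's 16-byte buffer */

/*
 * Bug pattern described in the writeup (shown as a comment, not compiled):
 *
 *     char buf[16];
 *     gets(buf);        // unbounded read: smashes canary, EBP, RET
 *     printf(buf);      // user data is the format: "%11$x" reads the
 *                       // 11th stack argument, where the canary sat
 */

/* Returns true if s contains a printf directive, including positional
 * forms like "%11$x". "%%" is an escaped percent sign, not a directive.
 * Useful as a detection on untrusted input that will reach printf-family
 * calls, independent of whether the call site is already fixed. */
bool contains_format_directive(const char *s) {
    for (const char *p = s; *p; p++) {
        if (*p != '%') continue;
        if (p[1] == '%') { p++; continue; }   /* skip escaped "%%" */
        return true;
    }
    return false;
}

/* Hardened routine: the input is copied with an explicit bound and
 * terminator, and is only ever passed as a %s argument, never as the
 * format string itself. The formatted result goes to out (out_len bytes)
 * so the caller can check it. Returns the number of input bytes kept,
 * which lets the caller detect truncation (a 15-byte cap for a 16-byte
 * buffer, leaving room for the NUL). */
size_t echo_hardened(const char *name, char *out, size_t out_len) {
    char buf[BUF_LEN];
    size_t n = strnlen(name, sizeof(buf) - 1);   /* never past 15 bytes */
    memcpy(buf, name, n);
    buf[n] = '\0';
    snprintf(out, out_len, "Hello, %s\n", buf);  /* constant format only */
    return n;
}
```

With a constant format string, a "%11$x" input is printed back literally instead of indexing the stack, and the bounded copy means a long input cannot reach the canary in the first place.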
