
Hello, in this post I will talk about an exploitation challenge from WPICTF. I participated alone and ranked in the top 22 just by pwning stuff xD.

There were 4 levels in this challenge, all based on stack exploitation; each level added one more protection to bypass :D, so let’s start from level1.

1) Forker.Level1:

[image: forker_level1_reverse0]

So our binary initiates a server using sockets, then waits for a client to connect; when one does, it calls fork and then runs the check_password function. Let’s check the latter.

[image: forker_level1_reverse1]

Just a simple buffer overflow: the buffer sits at BP-0x50 and the index counter at BP-0x04. To overflow without breaking the copy loop, we have to make sure we don’t overwrite the index counter with junk, so in short we write 76 junk bytes, then 8 bytes representing our index, then 4 more junk bytes.

Running checksec shows the following:

[image: forker_level1_checksec]

Simple task, right? Well, not so fast, we still have a problem to deal with. We can successfully call system and pop a shell, cool, but how are we gonna send commands to it and receive its output? The shell only reads from STDIN and writes to STDOUT haha… Here comes the savior, the dup2 function; let’s check its manual.

[image: forker_level1_dup2]

Yeah! We can use this cool function to redirect the shell’s I/O onto our connection.

So let’s build a ROP chain that calls dup2 to set up the input/output redirection, then calls system.

Here is my exploit

2) Forker.Level2:

[image: forker_level2_reverse0]

Let’s checksec

[image: forker_level2_checksec]

In level2 we have to bypass the Stack-Smashing Protector (the stack canary).

Note: when a binary forks itself, the child inherits the canary from its parent; it also inherits the parent’s load address if PIE is enabled.

Since every forked child shares the parent’s canary and a wrong guess only kills that child while the parent keeps serving, the best and easiest solution is to brute-force the canary byte by byte, then overwrite the return address with a ROP chain that pops a shell.

Here is my exploit

3) Forker.Level3:

[image: forker_level3_reverse0]

Let’s checksec

[image: forker_level3_checksec]

This is getting harder and harder: now we have to bypass PIE too. My solution was, again, to brute-force the return address.

Checking the assembly code

[image: forker_level3_reverse1]

We see that before returning to main, the function pops a value from the stack into a global variable named client_sockfd, which is the file descriptor of our connection, so we have to make sure to place its correct value at that position when overflowing the buffer.
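What the fork-based canary brute force from Level2 and the return-address brute force from Level3 look like from the defender’s side, as an added example that is not part of the original write-up: a small detector over constructed child-exit log lines (the log format, the program name and all pids are assumptions made up for this example) that flags a parent whose children keep dying of SIGABRT or SIGSEGV.

```python
import re
from collections import defaultdict, deque
from dataclasses import dataclass

# A server that fork()s per connection without re-exec'ing gives every child the
# same canary and PIE base, so both can be guessed a byte at a time: a wrong guess
# only kills that child (SIGABRT from the stack protector, SIGSEGV from a bad return
# address) while the parent keeps serving. To a defender that is a burst of crashing
# children under one long-lived parent, which is what this detector looks for.
# Constructed log format (not from the challenge), as a server's own SIGCHLD
# handler or a supervisor wrapped around it could emit it for each child exit.
LINE_RE = re.compile(
    r"^(?P<ts>\d+) (?P<prog>\w+)\[(?P<ppid>\d+)\]: child (?P<pid>\d+) "
    r"killed by signal (?P<sig>\d+)"
)
CRASH_SIGNALS = {6, 11}  # 6 = SIGABRT (canary mismatch), 11 = SIGSEGV (bad address)

@dataclass(frozen=True)
class Alert:
    ppid: int       # the long-lived parent whose children keep dying
    count: int      # crashes inside the window when the alert fired
    first_ts: int
    last_ts: int

def detect_bruteforce(lines, threshold=20, window=60):
    """One Alert per parent whose children crashed `threshold`+ times in any `window` seconds."""
    recent = defaultdict(deque)  # ppid -> timestamps of recent child crashes
    alerts = {}
    for line in lines:
        m = LINE_RE.match(line)
        if not m or int(m["sig"]) not in CRASH_SIGNALS:
            continue  # clean exits and unrelated lines are ignored
        ppid, ts = int(m["ppid"]), int(m["ts"])
        q = recent[ppid]
        q.append(ts)
        while ts - q[0] > window:  # drop crashes that fell out of the window
            q.popleft()
        if len(q) >= threshold and ppid not in alerts:
            alerts[ppid] = Alert(ppid, len(q), q[0], ts)
    return list(alerts.values())

# Constructed sample: 24 children of pid 1000 die within 46 seconds (the
# brute force), plus one clean exit and an isolated crash under another parent.
SAMPLE_LOG = [
    f"{1700000000 + 2 * i} forker[1000]: child {5000 + i} killed by signal {11 if i % 8 == 0 else 6}"
    for i in range(24)
] + [
    "1700000010 forker[1000]: child 5100 exited with status 0",
    "1700000011 forker[2000]: child 6000 killed by signal 11",
]
```

The actual fix on the server side is to re-exec the binary after fork (or not fork at all), so each child gets a fresh canary and load address and a failed guess teaches the attacker nothing about the next child.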

Here is my exploit