search
MathematicsCryptography

PIE Bypass

Using format string

hashtag
The Source

file-archive
3KB
pie-fmtstr.zip
archive
arrow-up-right-from-squareOpen
PIE + Format String - 32-bit
#include <stdio.h>

void vuln() {
    char buffer[20];

    printf("What's your name?\n");
    gets(buffer);
    
    printf("Nice to meet you ");
    printf(buffer);
    printf("\n");

    puts("What's your message?");

    gets(buffer);
}

int main() {
    vuln();

    return 0;
}

void win() {
    puts("PIE bypassed! Great job :D");
}

Unlike last time, we don't get given a function. We'll have to leak it with format strings.

hashtag
Analysis

Everything's as we expect.

hashtag
Exploitation

hashtag
Setup

As last time, first we set everything up.

hashtag
PIE Leak

Now we just need a leak. Let's try a few offsets.

3rd one looks like a binary address, let's check the difference between the 3rd leak and the base address in radare2. Set a breakpoint somewhere after the format string leak (doesn't really matter where).

We can see the base address is 0x565ef000 and the leaked value is 0x565f01d5. Therefore, subtracting 0x1d5 from the leaked address should give us the binary. Let's leak the value and get the base address.

Now we just need to send the exploit payload.

hashtag
Final Exploit

hashtag
64-bit

Same deal, just 64-bit. Try it out :)

file-archive
3KB
pie-fmtstr-64.zip
archive
arrow-up-right-from-squareOpen
PIE + Format String - 64-bit

Last updated

Was this helpful?