Molotov
A ret2libc with a given leak
Running the binary prints a hex value and prompts for input:
We can definitely cause it to segfault:
So let's work out what this value is and how we can use it.
We chuck the binary into Ghidra and get a simple disassembly. main calls vuln and does almost nothing else. vuln, however, has some interesting stuff:
It prints the address of system! Awesome.
Let's run the binary on the remote server to leak the libc version.
Now that we essentially have a libc leak, we head over to .
Annoyingly, there are 4 possible libc versions, and we can only determine the right one by trial and error. Aside from identifying the libc version, the exploit is quite simple - subtract the offset of system from the leaked address to get the libc base, then add the offset of the /bin/sh string to that base to get its location.
The correct libc version is 2.30-0ubuntu2.1_i386.
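One way to carry out that base/offset arithmetic across several candidate libc builds, and to discard any candidate whose implied base is not page-aligned before spending a trial on it, as an added example that is not part of the original writeup. The candidate names and symbol offsets below are constructed placeholders, not the real offsets of any libc build.

```python
# Added example (not from the original writeup). Given the leaked address of
# system() and a table of candidate libc builds, compute the libc base and the
# address of "/bin/sh" for each build, keeping only those whose implied base is
# page-aligned. A libc is mmap'd at a page boundary, so a misaligned base means
# that candidate's offsets cannot be the right ones.
#
# NOTE: the offsets below are CONSTRUCTED for illustration; they are not the
# symbol offsets of any real libc build (including 2.30-0ubuntu2.1_i386).

PAGE = 0x1000

# Hypothetical candidates: name -> (offset of system, offset of "/bin/sh")
CANDIDATES = {
    "libc-A": (0x3ADB0, 0x15BB2B),
    "libc-B": (0x3CE10, 0x15F0CF),
    "libc-C": (0x45830, 0x18C363),
}


def libc_base(leaked_system: int, system_offset: int) -> int:
    """libc base = leaked address of system - offset of system in that build."""
    return leaked_system - system_offset


def binsh_addr(leaked_system: int, system_offset: int, binsh_offset: int) -> int:
    """Address of the "/bin/sh" string = libc base + its offset in that build."""
    return libc_base(leaked_system, system_offset) + binsh_offset


def plausible_candidates(leaked_system: int, candidates=CANDIDATES) -> dict:
    """Return name -> (base, binsh) for builds whose implied base is page-aligned."""
    result = {}
    for name, (sys_off, sh_off) in candidates.items():
        base = libc_base(leaked_system, sys_off)
        if base % PAGE == 0:
            result[name] = (base, base + sh_off)
    return result


if __name__ == "__main__":
    # Constructed leak, consistent with "libc-B" loaded at 0xf7e1a000 (32-bit).
    leak = 0xF7E56E10
    for name, (base, sh) in plausible_candidates(leak).items():
        print(f"{name}: base={base:#x} /bin/sh={sh:#x}")
```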