Molotov
A ret2libc with a given leak
Overview
Running the binary prints and hex value and prompts for input:
We can definitely cause it to segfault:
So let's work out what this value is and how we can use it.
Decompilation
We chuck the binary into GHidra and get a simple disassembly. main
calls vuln
and does almost nothing else. vuln
, however, has some interesting stuff:
It prints the address of system
! Awesome.
Let's run the binary on the remote serevr to leak the libc version.
So now we essentially have a libc leak, we head over to find the libc version.
Annoyingly, there are 4 possible libc versions, and we can only get it from trial and error. Aside from the libc version itself, the exploit is quite simple - subtract the offset of system
from the leaked address to get libc
base, then use that to get the location of /bin/sh
.
The correct libc version is 2.30-0ubuntu2.1_i386
.
Exploitation
Last updated