Dragon write-up

I will go through all steps needed to exploit the dragon challenge on pwnable.kr.

This is a remote challenge, so first we need the provided binary for analysis.

After downloading it, we check the file type and run it a couple of times.
We also allow it to create a core dump if it crashes.

After some manual fuzzing we get the desired result: a crash. This looks like we got control.
So let’s open up GDB and check where we would’ve returned.
Don’t forget to load the core.
And look closely….

So upon closer examination we see that our return address consists of our last input.
AAAA = 0x41414141 (when thinking in hex)

Now we’ve got control over eip, but what can we do with it?
We can’t do ret2stack because we only control eip and nothing valuable would be there.
ROP is not possible because we can’t fake stack frames.
Writing to .dtors or the GOT is not an option either…

Well then let’s see if we can reuse code of the binary.
Let’s check for the symbols in the binary.

Ah, at the end we see the magic function “system()”.
So the last thing we need is a pointer to the string “/bin/sh”.
Let’s check the binary in GDB for the call to “system()”.

We see a call to a strange “SecretLevel”, so let us check that.

Wow, there is the system() call.
And just above the system() call something is moved to the stack…
I wonder what that could be….

Jackpot. This is our return address:

RET = 0x08048dbf
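
A fixed address like this is only reliable because the binary is not position independent, and the earlier reasoning about which techniques are off the table depends on the same kind of facts. As an added example (not part of the original write-up), here is a small checksec-style parser in Python that reads those properties straight from an ELF32 image: PIE from e_type, NX from the PT_GNU_STACK flags, RELRO from PT_GNU_RELRO, and the canary as a heuristic string match. The sample image is constructed in code for demonstration and is not the challenge binary.

```python
import struct

PT_GNU_STACK = 0x6474E551  # program header recording stack permissions
PT_GNU_RELRO = 0x6474E552  # program header marking the read-only-after-relocation region
ET_EXEC, ET_DYN = 2, 3     # fixed load address vs position-independent (PIE)
PF_X = 0x1                 # segment flag: executable

def elf32_mitigations(data: bytes) -> dict:
    """Checksec-style summary of a 32-bit little-endian ELF image (header + program headers only)."""
    if data[:4] != b"\x7fELF" or data[4] != 1:  # EI_CLASS == ELFCLASS32
        raise ValueError("not a 32-bit ELF image")
    e_type = struct.unpack_from("<H", data, 16)[0]
    e_phoff = struct.unpack_from("<I", data, 28)[0]
    e_phentsize, e_phnum = struct.unpack_from("<HH", data, 42)
    nx, relro = False, False  # no PT_GNU_STACK entry => loader assumes an executable stack
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        p_type = struct.unpack_from("<I", data, off)[0]
        p_flags = struct.unpack_from("<I", data, off + 24)[0]
        if p_type == PT_GNU_STACK:
            nx = not (p_flags & PF_X)
        elif p_type == PT_GNU_RELRO:
            relro = True
    return {
        "pie": e_type == ET_DYN,      # False => code addresses such as 0x08048dbf never move
        "nx": nx,                     # True => jumping into shellcode on the stack is blocked
        "relro": relro,               # True => at least partial RELRO is present
        "canary": b"__stack_chk_fail" in data,  # heuristic: canary failure handler is referenced
    }

def build_sample_elf(pie: bool, exec_stack: bool, canary: bool) -> bytes:
    """Constructed, non-loadable ELF32 image: a header plus one PT_GNU_STACK entry (test data only)."""
    ident = b"\x7fELF" + bytes([1, 1, 1, 0]) + b"\x00" * 8  # ELFCLASS32, little-endian, version 1
    ehdr = ident + struct.pack("<HHIIIIIHHHHHH", ET_DYN if pie else ET_EXEC, 3, 1,
                               0x08048000, 52, 0, 0, 52, 32, 1, 40, 0, 0)
    phdr = struct.pack("<IIIIIIII", PT_GNU_STACK, 0, 0, 0, 0, 0, 0x7 if exec_stack else 0x6, 16)
    return ehdr + phdr + (b"__stack_chk_fail\x00" if canary else b"")

if __name__ == "__main__":
    # No PIE, executable stack, no canary: the easiest case for returning to a fixed address.
    print(elf32_mitigations(build_sample_elf(pie=False, exec_stack=True, canary=False)))
    print(elf32_mitigations(build_sample_elf(pie=True, exec_stack=False, canary=True)))
```

Point `elf32_mitigations` at the bytes of a real 32-bit binary to see which of these protections the compiler left out; a PIE, NX and canary-enabled build would have made every step of the write-up above harder.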

So now we’re going to develop our exploit code in Python…

Finally test the exploit code and launch it against pwnable.kr’s server.
Don’t forget “cat” to keep our freshly spawned shell alive.

Woohoo, our exploit works perfectly :-)

Let’s launch it against their server and get that flag!

This will spawn the desired shell, so you’re able to view the flag :-)

I hope you liked this write-up!
A pretty simple challenge from pwnable.kr, which gives you 75 pts.
Feel free to write a comment or even contact me if you want to talk about security related stuff.

Carl Smith
