spirited_away is an ELF 32-bit LSB executable. We quickly figured out the function. We found a global variable named cnt in the function survey; it is used for counting guests. Then we found the string concatenation in survey at address 0x080487CC. The code concatenates "%d comment so far. We will review them as soon as we can" with the global variable cnt and stores the result in a 56-byte stack buffer. Things become interesting here: " comment so far. We will review them as soon as we can" is already 54 bytes, which means that once we have 10 guests (cnt has two digits) a buffer overflow will occur. We also found that with 100 guests the last letter, n, overwrites the local variable len_60, which is used for limiting the input length. The value of that variable is overwritten to 110 (ASCII n), which means we can input 110 bytes in comment, causing another buffer overflow. We also found a UAF vulnerability in this function.
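As an added illustration of the length arithmetic above (this is not code from the challenge binary or from the original writeup), the following C program reproduces the 56-byte buffer and the format string from the analysis, shows the guest count at which the formatted message stops fitting and which byte lands past the buffer, and puts a bounded replacement beside it; BUF_SZ, FMT and the function names are assumptions of this example.

```c
#include <stdio.h>
#include <string.h>
#define BUF_SZ 56   /* size of the stack buffer described in the analysis */
#define FMT "%d comment so far. We will review them as soon as we can"

/* Bytes the formatted message needs, NUL terminator included.
   snprintf with a NULL buffer and size 0 only measures; it writes nothing. */
size_t needed_bytes(int cnt) {
    return (size_t)snprintf(NULL, 0, FMT, cnt) + 1;
}

/* Does an unbounded sprintf into a BUF_SZ buffer overflow for this cnt? */
int would_overflow(int cnt) {
    return needed_bytes(cnt) > BUF_SZ;
}

/* First byte written past the buffer (formatted into a big scratch buffer, so nothing is corrupted), or -1 if it fits. */
int byte_past_buffer(int cnt) {
    char scratch[128];
    snprintf(scratch, sizeof scratch, FMT, cnt);
    return would_overflow(cnt) ? (unsigned char)scratch[BUF_SZ] : -1;
}

/* Hardened replacement: bounded write, and a truncated message is rejected
   instead of silently emitted. Returns 0 on success, -1 if it did not fit. */
int safe_format(char *buf, size_t sz, int cnt) {
    int n = snprintf(buf, sz, FMT, cnt);
    if (n < 0 || (size_t)n >= sz) {
        buf[0] = '\0';
        return -1;
    }
    return 0;
}

/* Exercise safe_format against a BUF_SZ stack buffer: returns the length
   written, or -1 when the hardened path refused the message. */
int try_safe_format(int cnt) {
    char buf[BUF_SZ];
    if (safe_format(buf, sizeof buf, cnt) != 0) return -1;
    return (int)strlen(buf);
}

int main(void) {
    int counts[] = { 9, 10, 100 };
    for (size_t i = 0; i < sizeof counts / sizeof counts[0]; i++)
        printf("cnt=%3d needs %zu bytes, overflow=%d, byte past buffer=%d, safe_len=%d\n",
               counts[i], needed_bytes(counts[i]), would_overflow(counts[i]),
               byte_past_buffer(counts[i]), try_safe_format(counts[i]));
    return 0;
}
```

With cnt=10 the NUL terminator is the byte past the buffer; with cnt=100 it is the letter n (110), matching the overwrite of len_60 described above.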
According to the analysis above, we know that there are buffer overflow vulnerabilities in the function survey. But how can we use these vulnerabilities for exploitation?
The scenario looks simple.
- dup chunk into stack
- ROP for info leak
- ROP for get shell
Firstly, we create a fake heap chunk on the stack and overwrite the heap chunk pointer.
Secondly, we add another guest; the fake chunk will be freed.
Finally, the function reallocates the heap chunk using malloc() and gets a fake heap chunk that we entirely control.
We can place an info-leak ROP chain in the fake heap chunk by overwriting the return address. Then we can get the /bin/sh address in libc. We can do it again to get a shell.