@k1R4
Last active December 19, 2021 15:10
overwrite_simulator - InCTF Nationals 2021

Overwrite Simulator

tl;dr - Overwrite global variable to get libc leak and overwrite GOT(getchar) with one_gadget

Description

you can't overwrite me if you don't have a leak.

Challenge author: k1R4

handout: overwrite_simulator.zip

Write-up

Initial Analysis

We have a menu-driven program with two options: overwriting 8 bytes at an address of our choice, and printing the "Hello there!" string stored in a global variable. Partial overwrites aren't possible here because memcpy always writes all 8 bytes, so we need a leak.

```c
#include <stdio.h>
#include <string.h>

/* Menu option 1 as shipped in the challenge: an arbitrary 8-byte write. */
void overwrite(){
	int addr;      /* read with %d, so the target is a 32-bit address; enough without PIE */
	char data[9];

	printf("Enter address to overwrite: ");
	scanf("%d",&addr);
	getchar();     /* consumes the newline; this is the GOT entry the exploit later targets */
	printf("Enter data to be written: ");
	fgets(data,9,stdin);
	memcpy(addr,&data,8);   /* always copies all 8 bytes, so no partial overwrite is possible */
}
```

Exploitation

PIE and Full RELRO are disabled, which means we can overwrite the GOT, but before that we need a leak. The second menu option can be used for the leak since it uses printf to print the string in the global variable. Hence overwriting the global variable with an appropriate format string will give us a libc leak from the stack.
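Since the GOT overwrite hinges on those two protections being off, here is a small checker (an added example, not from the write-up or the handout) that reads the PIE and RELRO state straight out of an ELF64 image's header, program headers and dynamic tags; `make_elf` builds a constructed minimal image so it can be tested without the challenge binary.

```python
import struct
import sys

ET_EXEC, ET_DYN = 2, 3
PT_DYNAMIC, PT_GNU_RELRO = 2, 0x6474E552
DT_NULL, DT_BIND_NOW, DT_FLAGS, DT_FLAGS_1 = 0, 24, 30, 0x6FFFFFFB
DF_BIND_NOW, DF_1_NOW = 0x8, 0x1

def check_protections(elf: bytes) -> dict:
    """Report PIE and RELRO state of a little-endian ELF64 image given as raw bytes."""
    if elf[:4] != b"\x7fELF" or elf[4] != 2 or elf[5] != 1:
        raise ValueError("not a little-endian ELF64 image")
    e_type, = struct.unpack_from("<H", elf, 16)
    e_phoff, = struct.unpack_from("<Q", elf, 32)
    e_phentsize, e_phnum = struct.unpack_from("<HH", elf, 54)
    has_relro = bind_now = False
    for i in range(e_phnum):
        p_type, _, p_offset, _, _, p_filesz = struct.unpack_from(
            "<IIQQQQ", elf, e_phoff + i * e_phentsize)
        if p_type == PT_GNU_RELRO:      # GOT region is made read-only after relocation
            has_relro = True
        elif p_type == PT_DYNAMIC:      # look for a bind-now request among the dynamic tags
            for off in range(p_offset, p_offset + p_filesz, 16):
                d_tag, d_val = struct.unpack_from("<qQ", elf, off)
                if d_tag == DT_NULL:
                    break
                if (d_tag == DT_BIND_NOW or (d_tag == DT_FLAGS and d_val & DF_BIND_NOW)
                        or (d_tag == DT_FLAGS_1 and d_val & DF_1_NOW)):
                    bind_now = True
    # Full RELRO needs both: every GOT entry resolved at load time and the region made read-only.
    relro = "full" if has_relro and bind_now else "partial" if has_relro else "none"
    # ET_DYN also covers shared libraries; for an executable it means PIE.
    return {"pie": e_type == ET_DYN, "relro": relro}

def make_elf(pie: bool, relro: bool, bind_now: bool) -> bytes:
    """Constructed test image: ELF header, program headers and a dynamic section, nothing else."""
    dyn = struct.pack("<qQ", DT_FLAGS, DF_BIND_NOW if bind_now else 0) + struct.pack("<qQ", DT_NULL, 0)
    phdrs = [(PT_DYNAMIC, 6, len(dyn))] + ([(PT_GNU_RELRO, 4, 0)] if relro else [])
    phoff, dynoff = 64, 64 + 56 * len(phdrs)
    hdr = b"\x7fELF" + bytes([2, 1, 1, 0]) + bytes(8) + struct.pack(
        "<HHIQQQIHHHHHH", ET_DYN if pie else ET_EXEC, 0x3E, 1, 0x400000, phoff, 0, 0, 64, 56, len(phdrs), 64, 0, 0)
    body = b"".join(struct.pack("<IIQQQQQQ", t, f, dynoff, 0, 0, sz, sz, 8) for t, f, sz in phdrs)
    return hdr + body + dyn

if __name__ == "__main__":
    # Pass a binary path to check a real file; with no argument, show the no-PIE/no-RELRO case from the write-up.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else make_elf(False, False, False)
    print(check_protections(data))
```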

Now that we have a leak we can overwrite a specific GOT entry with a one_gadget. We have this useful one_gadget:

```
execve("/bin/sh", rsi, rdx)
 constraints:
   [rsi] == NULL || rsi == NULL
   [rdx] == NULL || rdx == NULL
```

The constraints are met when getchar is called after scanf in main. Thus overwriting GOT(getchar) with this one_gadget will give us a shell.

In summary,

  • overwrite global variable with format string to get libc leak
  • overwrite GOT(getchar) with one_gadget to get shell

Conclusion

Final exploit can be found here

flag: inctf{0v3rwriting_th3_G07_is_e4sy!}

Hope you enjoyed the challenge as much as I did making it :D
