BabyPwn2

$1 = {void (int)} 0x7ffff7dee280 <__GI_exit>
$2 = {int (const char *)} 0x7ffff7dfe8f0 <__libc_system>
$3 = {void ()} 0x555555555169 <vulnerable_function>

exit address: 0x7ffff7dee280 system address: 0x7ffff7dfe8f0 puts@plt address: 0x0000555555555030 “SHELL=/bin/bash” → 0x00007fffffffd059

0x7fffffffd059: “SHELL=/bin/bash”

gef➤  break main
Breakpoint 1 at 0x5555555551bf: file baby-pwn-2.c, line 14.
gef➤  run
Starting program: /home/chrono/Desktop/ctfs/uoftCTF/pwn/babypwn2/baby-pwn-2 
gef➤  [Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
 
Breakpoint 1, main () at baby-pwn-2.c:14
14          setvbuf(stdout, NULL, _IONBF, 0);
[ Legend: Modified register | Code | Heap | Stack | String ]
────────────────────────────────────────────────────────────────────────────────────────────────────────────── registers ────
$rax   : 0x00005555555551bb  →  <main+0000> push rbp
$rbx   : 0x00007fffffffcc78  →  0x00007fffffffd01f  →  "/home/chrono/Desktop/ctfs/uoftCTF/pwn/babypwn2/bab[...]"
$rcx   : 0x0000555555557dd8  →  0x0000555555555120  →  <__do_global_dtors_aux+0000> endbr64 
$rdx   : 0x00007fffffffcc88  →  0x00007fffffffd059  →  "SHELL=/bin/bash"
$rsp   : 0x00007fffffffcb60  →  0x0000000000000001
$rbp   : 0x00007fffffffcb60  →  0x0000000000000001
$rsi   : 0x00007fffffffcc78  →  0x00007fffffffd01f  →  "/home/chrono/Desktop/ctfs/uoftCTF/pwn/babypwn2/bab[...]"
$rdi   : 0x1               
$rip   : 0x00005555555551bf  →  <main+0004> mov rax, QWORD PTR [rip+0x2e6a]        # 0x555555558030 <stdout@GLIBC_2.2.5>
$r8    : 0x0               
$r9    : 0x00007ffff7fcbf40  →  <_dl_fini+0000> push rbp
$r10   : 0x00007fffffffc8a0  →  0x0000000000800000
$r11   : 0x206             
$r12   : 0x0               
$r13   : 0x00007fffffffcc88  →  0x00007fffffffd059  →  "SHELL=/bin/bash"
$r14   : 0x00007ffff7ffd000  →  0x00007ffff7ffe2e0  →  0x0000555555554000  →   jg 0x555555554047
$r15   : 0x0000555555557dd8  →  0x0000555555555120  →  <__do_global_dtors_aux+0000> endbr64 
$eflags: [ZERO carry PARITY adjust sign trap INTERRUPT direction overflow resume virtualx86 identification]
$cs: 0x33 $ss: 0x2b $ds: 0x00 $es: 0x00 $fs: 0x00 $gs: 0x00 
────────────────────────────────────────────────────────────────────────────────────────────────────────────────── stack ────
0x00007fffffffcb60│+0x0000: 0x0000000000000001   ← $rsp, $rbp
0x00007fffffffcb68│+0x0008: 0x00007ffff7dd5d68  →  <__libc_start_call_main+0078> mov edi, eax
0x00007fffffffcb70│+0x0010: 0x00007fffffffcc60  →  0x00007fffffffcc68  →  0x0000000000000038 ("8"?)
0x00007fffffffcb78│+0x0018: 0x00005555555551bb  →  <main+0000> push rbp
0x00007fffffffcb80│+0x0020: 0x0000000155554040
0x00007fffffffcb88│+0x0028: 0x00007fffffffcc78  →  0x00007fffffffd01f  →  "/home/chrono/Desktop/ctfs/uoftCTF/pwn/babypwn2/bab[...]"
0x00007fffffffcb90│+0x0030: 0x00007fffffffcc78  →  0x00007fffffffd01f  →  "/home/chrono/Desktop/ctfs/uoftCTF/pwn/babypwn2/bab[...]"
0x00007fffffffcb98│+0x0038: 0x2a8bb764077eaa72
──────────────────────────────────────────────────────────────────────────────────────────────────────────── code:x86:64 ────
   0x5555555551ba <vulnerable_function+0051> ret    
   0x5555555551bb <main+0000>      push   rbp
   0x5555555551bc <main+0001>      mov    rbp, rsp
●→ 0x5555555551bf <main+0004>      mov    rax, QWORD PTR [rip+0x2e6a]        # 0x555555558030 <stdout@GLIBC_2.2.5>
   0x5555555551c6 <main+000b>      mov    ecx, 0x0
   0x5555555551cb <main+0010>      mov    edx, 0x2
   0x5555555551d0 <main+0015>      mov    esi, 0x0
   0x5555555551d5 <main+001a>      mov    rdi, rax
   0x5555555551d8 <main+001d>      call   0x555555555060 <setvbuf@plt>
───────────────────────────────────────────────────────────────────────────────────────────────── source:baby-pwn-2.c+14 ────
      9      fgets(buffer, 128, stdin);
     10  }
     11  
     12  int main()
     13  {
 →   14      setvbuf(stdout, NULL, _IONBF, 0);
     15      printf("Welcome to the baby pwn 2 challenge!\n");
     16      vulnerable_function();
     17      printf("Goodbye!\n");
     18      return 0;
     19  }
──────────────────────────────────────────────────────────────────────────────────────────────────────────────── threads ────
[#0] Id 1, Name: "baby-pwn-2", stopped 0x5555555551bf in main (), reason: BREAKPOINT
────────────────────────────────────────────────────────────────────────────────────────────────────────────────── trace ────
[#0] 0x5555555551bf → main()
─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
print exit
$1 = {void (int)} 0x7ffff7dee280 <__GI_exit>
gef➤  print system
$2 = {int (const char *)} 0x7ffff7dfe8f0 <__libc_system>
gef➤  find "/bin/sh"
Argument required (expression to compute).                                                                                                             
gef➤  x/s *((char **)environ)                                                                                                                          
0x7fffffffd059: "SHELL=/bin/bash"                                                                                                                      
gef➤  print vulnerable_function
$3 = {void ()} 0x555555555169 <vulnerable_function>

Chrono's Cyber Chronicles

Explorer

BabyPwn2

Graph View