Tags: babiersteps
Rating:
This is my writeup for the "Babiersteps" challange from NahamCon 2020.
After downloading the babier file we run the ```file ./babiersteps``` command wich gives the folowing output:
![alt text](images/file.png?raw=true "File")
We can see that the barbier file is a 64 bit elf file.
When we run a obj dump (```objdump ./babiersteps -d```). we can see that the program contains a win function at address ```0x4011c9.```
![alt text](images/win.png?raw=true "win")
After making the file executable and running we are shown the text "Everyone has heard of gets, but have you heard of scanf?".
If we input some random characters the program wil seemingly do nothing and shut down. If we give the program an input thats over 120 bytes the program wil return a segment fault.
![alt text](images/segfault.png?raw=true "seg")
If we open the program in gdb we can get a better look at what is going on inside babiersteps. ```gdb ./babiersteps``` (Note: I am using geff extention for gdb).
When we imput a lot of A's (300) we can see that we clutter most of the stack but not the RIP (instruction pointer) wich we want to control and point to our win function.
![alt text](images/clutter.png?raw=true "clutter")
Because the file is a 64 bit elf the RIP address has to be a 48 bit canonical address wich means the address has to be in the range ```0x0000000000000000``` to ```0x00007FFFFFFFFFFF``` and ```0xFFFF800000000000``` to ```0xFFFFFFFFFFFFFFFF```. otherwise the address wont be able to clutter the RIP. If we input a bunch of A's we are overwriting the rip with a non-canonical address. If we however run the program with 120 A's up to the point of getting the segfault(offset) and add a 6 bytes canonial address of 6 B's ```0x0000424242424242``` to the end we can see we can control the RIP.
![alt text](images/control.png?raw=true "control")
Now all we have to do is point the address to our win function and hope we get the flag. Our win function was located at ```0x4011c9.```.
We can use pyton to give us the addres in little endian ```python3 -c 'import struct;print(struct.pack("