Points: 100 Category: Pwn Author: Dagger

Introduction

In this challenge, we are given an ELF 64 bits binary. The binary is very simple, it read a string on its input and then display it.

Compare to a classic heap challenge, the binary size is a bit more huge. This challenge seem’s to be classic but it is not. The binary size is 1.5 Megabytes! The binary is as huge because it is coded in Go lang.

Function_list

Go lang load no more than 2053 functions in this binary! But we will not have to reverse every function. Only a few one will be useful for us.

Luckily for us, the binary is not stripped. In Go lang, after compilation, the main function is renamed main.main. This is the function that interests us.

Vulnerability

The most important part of the main.main function is the one below:

Main_function

The function can be summarized with the following steps:

  • It allocates a buffer on the heap of size 0x10 ;
  • It allocates a second buffer on the heap of size 0x64 ;
  • It read the content of the file “flag.txt” in the second buffer ;
  • It read 0x1337 bytes from the input in the first buffer ;
  • It prints the first buffer ;

The vulnerability is a buffer overflow located on the heap.

From this point it is very easy to get the flag. We will send enough writable bytes to join the second buffer and when the binary will print the first buffer, it will also print the second one.

In Go lang, the heap seem’s to be managed differently compare to a basic C/C++ binary. There is a huge padding between the first and the second buffer. The offset between both buffer is 1360 bytes.

Exploit

Let test it:

Exploit

We just need to add a ‘R’ at the beginning of the flag: RITSEC{Muff1n_G0verFl0w_mmmm}

Done.

PS: You can find the binary and the exploit here


Pwntera

Yet another french CTF team that sux !