It’s a simple dynamically linked binary for x86-64. We have a canary stack
however the stack is executable (the ’90s says hello!), which gef
web_of_science is a tool to manage scientific papers.
The binary is full of vulnerabilities, many of which were automatically detected
by the format-string-helper command from GDB-GEF
Without any static analysis, we immediately spot that many (if not all)
printf() calls are vulnerable to format string vulnerabilities, where we
control the format field. That’s good, we can leverage that later to bypass the
canary protection. So far, so good ☺
So what does the binary do? It starts by call the function at 0x04007CD which
checks if we are human by prompting us to solve an addition with randomly
generated integers. Pretty hardcore stuff, right?
Then we jump into serious business at 0x400E1C. The function offers a menu to
respectively add/delete/list/view papers and exit.
When adding a paper (add_paper() function), a stack buffer of 1096 bytes is
allocated on the stack. It is then possible to populate different fields of this
stack allocated paper as shown here:
When saving the stack buffer is then copied to the .bss segment:
One stricking thing is of course the massive use of gets() everywhere for user
input. So we think immediately to stack-based buffer overflow.
The view_paper() function (at 0x400D52) receives a pointer to a paper and
displays its information using printf() - which makes us understand what
triggered the gef plugin for format string.
The exploitation process will go something like this:
Use of the format string vulnerabilities to leak stack until we get the
canary using printf()
Overflow one of the stack allocated buffer using gets(), correctly
insert the canary, and jump to our stack-based shellcode.
So this lines up the following sequential steps:
Create a paper to allocate a 1096 byte stack buffer
Using the abstract field of the paper to store our format string to leak
the canary, and the stack address (for returning to it).
A stack address was found at "$7$p" and the canary at "%163$p".
We need to view the paper to actually trigger the format string information
And now, build our payload, overflow the buffer, insert the canary to get
good karma, and make the ret at 0x400C0E fall back to our controlled