This was Dear QA from THM, an Easy-rated “reverse engineering and exploit development” challenge. I’m not very good at these, so I struggled a bit, but got it done.
Binary
We were given a binary to inspect: DearQA.DearQA
I disassembled the file in Ghidra and we have two notable functions, main and vuln.
Main (as per Ghidra):
and Vuln:
Note that vuln is never called during the execution of main, so the challenge is to redirect execution to vuln. We do this by overflowing the buffer that scanf reads into; the call appears here as __isoc99_scanf, which I gather is a compiler-specific implementation of scanf.
The same technique is described here and here; note that the first example is for a 32-bit binary, which is not the case for us.
We need the entry point for the vuln function which we can get from Ghidra:
Or GDB:
Or Binary Ninja, which I downloaded a trial version of.
Our address is 0x400686, or \x86\x06\x40 in little-endian byte order, and we need to pad this to the full 8-byte width: \x86\x06\x40\x00\x00\x00\x00\x00.
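Two of the points above, as an added C example that is not the challenge binary's code: the unbounded scanf pattern the overflow relies on next to its bounded form, a check for whether a given input would run past a 32-byte buffer, and the little-endian encoding of the address the writeup pads by hand. The source of the binary is not shown, so the unbounded reader is an assumed reconstruction of the pattern.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BUF_SIZE 32   /* the buffer size the writeup reads off Ghidra */

/* Vulnerable pattern (assumed; the binary's source is not shown): %s with no
 * field width stops only at whitespace, so a long token runs past the buffer
 * and, on x86-64, over the saved return address.  Reference only: calling it
 * with a long token is undefined behaviour. */
int read_name_unbounded(const char *input, char buf[BUF_SIZE])
{
    return sscanf(input, "%s", buf);
}

/* Hardened form: a field width of BUF_SIZE - 1 leaves room for the NUL, so
 * sscanf never stores more than BUF_SIZE bytes however long the token is. */
int read_name_bounded(const char *input, char buf[BUF_SIZE])
{
    return sscanf(input, "%31s", buf);
}

/* Bytes the bounded reader actually stores for `input` (0 if no token). */
size_t bounded_len(const char *input)
{
    char buf[BUF_SIZE] = {0};
    return read_name_bounded(input, buf) == 1 ? strlen(buf) : 0;
}

/* Length of the first whitespace-delimited token: what an unbounded %s copies. */
size_t token_len(const char *input)
{
    input += strspn(input, " \t\n\r\f\v");
    return strcspn(input, " \t\n\r\f\v");
}

/* True if the unbounded read would write past a bufsize-byte buffer
 * (the token plus its terminating NUL does not fit). */
bool would_overflow(const char *input, size_t bufsize)
{
    return token_len(input) + 1 > bufsize;
}

/* Little-endian encoding of a 64-bit address, as the writeup does by hand for
 * 0x400686: byte i of the output is bits 8i..8i+7 of the address. */
bool le64_equals(uint64_t addr, const unsigned char expected[8])
{
    for (int i = 0; i < 8; i++)
        if (expected[i] != (unsigned char)(addr >> (8 * i))) return false;
    return true;
}
```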
Next, we need to figure out how many dummy chars to insert before our address. I tried to figure this out for myself but I didn’t seem to be able to get it right, so in the end I let bash do it for me. We did know it was at least 32, though, since that was the buffer size per Ghidra.
Now we send our ‘exploit’ to the same binary running on a remote server and gain a shell. Piping the command to netcat results in a session that immediately dies, so we need some fancy syntax like so: