The bug is easy to find at function Coordidate, this is basic format string bug
But before you enter printf(s), we must to bypass the check a pair float number is parsed from s, to bypass it we just append format string bug to the end of the pair '51.492137,-0.192878' , for more information about atof read this http://www.cplusplus.com/reference/cstdlib/atof/
So the payload to exploit this bug too easy:
- First, we need to leak binary base address, and libc address
- Second, calc system address and then overwrite atof got by system address and then pwned.
But the game is not over, before we exploit the bug, we need to solve 2 problems:
We must to write a program to solve the game to enter TARDIS mode (this task is to quite strange)
We must bypass timecheck to enter vulnerable function
time_c > 0x55592B6C && time_c <= 0x55592B7F;
We must set time_c in range (0x55592b6c,0x55592b7f].
Take a look at READ_DATA function , will be triggered after 2 second.
OMG, the buffer was used for saving the connection to localtime server was used to store user input. We just send 9 zero bytes to server and then wait until READ_DATA is triggered and then send 4 bytes in require range, and we will enter vulnerable function.
Our poc here : https://gist.github.com/peternguyen93/f06aa5e27626598a1c21
This is very interesting challenge.
After doing RE we find some usefull information:
This program implementing basic Polish Notation by using JIT compiler.
The structure of jit is:
Take a look at function handle_digit
When we inputted a string of number is seperated by space character , the jit compiter will push it in the stack_buffer.
We know that size of stack_buf is 0x1000 (located below stack_code), in this function there are no unbound checking if we push the stack_buf into stack_code, and so this bug does.
We just write own shellcode and then overwrite some opcode in the end of asm_code with own shellcode (because cgc executable is not have sys_execve syscall so we just use some syscall provided by CGC to read the flag).
Our shellcode :
pop edx ;ebx hold my buffer
Our poc is : https://gist.github.com/peternguyen93/e7d08cf109b38af6baae
This is the first time i wrote writeup using english, if something went wrong or some point you dont understand, feel free to ask me above