pwnhard

Common Offset

srdnlen

Task: Binary with shared offset between files, 16-bit word addition with 8-bit validation. Solution: Exploit uint16_t carry overflow to get OOB index, use ret2dlresolve with fake ELF structures in BSS to call system("sh").

$ ls tags/ techniques/

type_confusion stack_overflow ret2dlresolve no_pie partial_relro no_canary nx uint16_overflow oob_write elf_dynamic_linking

uint16_carry_overflow_to_oob_indexret2dlresolve_fake_structuresplt0_trampoline_resolveoverlapping_elf_structures_in_bss

Analysis

Lorem ipsum dolor sit amet, consectetur adipiscing elit. Sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat.

$ python3 exploit.py --target 192.168.1.1 --port 8080
[*] Connecting to target...
[+] Shell obtained!

Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum.

🔒

Permission denied (requires tier.pro)

Sign in to access full writeups

Create a free account with GitHub, then upgrade to Pro.

$ssh [email protected]