forensicsProeasy

Forenser Retaddr

spbctf

Task: given a raw x86_64 Linux stack VMA dump, find the return address of main. Solution: parse argv/envp/auxv to anchor the layout, walk the saved-rbp/return-address chain from the top of the live stack, and identify main's frame whose return address points into libc (__libc_start_call_main wrapper introduced in glibc 2.34), not into _start.

$ ls tags/ techniques/

x86_64 memory_dump glibc return_address non_pie stack_forensics stack_frame_walking rbp_chain libc_start_call_main process_stack

stack_memory_analysisqword_alignment_scansaved_rbp_chain_walkingauxv_parsingargv_envp_recognitionframe_pointer_reconstructionglibc_startup_semantics

Analysis

Lorem ipsum dolor sit amet, consectetur adipiscing elit. Sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat.

$ python3 exploit.py --target 192.168.1.1 --port 8080
[*] Connecting to target...
[+] Shell obtained!

Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum.

🔒

Permission denied (requires tier.pro)

Sign in to access full writeups

$sign in

$ grep --similar

Similar writeups

[forensics][Pro]Forenser Canary— spbctf
[forensics][Pro]Forenser RBP— spbctf
[reverse][Pro]SuiGeneris— caplag
[reverse][Pro]Challenge7— tamuctf
[pwn][free]Scanner— hackthebox