pwnProeasy

fptr Reborn

spbctf

Task: No-PIE x86_64 binary reads 64 bytes into an 8-byte BSS buffer immediately followed by a function pointer and its argument, then performs an indirect call. Solution: craft a 24-byte payload that places '/bin/sh' in buf, overwrites function_pointer with the provided my_system helper (system(rdi)), and sets function_arg to the address of '/bin/sh', spawning a shell.

$ ls tags/ techniques/

x86_64 function_pointer ret2win pwn no_pie bss_overflow

function_pointer_overwritebss_buffer_overflowret2win_via_helper

Analysis

Lorem ipsum dolor sit amet, consectetur adipiscing elit. Sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat.

$ python3 exploit.py --target 192.168.1.1 --port 8080
[*] Connecting to target...
[+] Shell obtained!

Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum.

🔒

Permission denied (requires tier.pro)

Sign in to access full writeups

$sign in

$ grep --similar

Similar writeups

[pwn][Pro]fptr— spbctf
[pwn][Pro]Baby bof— uoftctf2026
[pwn][Pro]Canary leak + ret2win (string_leak)— spbctf
[pwn][Pro]ret— spbctf
[pwn][Pro]Taste— grodno_new_year_2026