$ cat writeup.md…
$ cat writeup.md…
umdctf
Task: a static 64-bit ELF reads multiple host fields with unsafe scanf calls and checks a stack-resident string before returning. Solution: use a 48-byte destination input to null out the first byte of the checked string, then overflow the source field at offset 104 and return through a ret gadget into win().
$ cat /etc/rate-limit
Rate limit reached (20 reads/hour per IP). Showing preview only — full content returns at the next hour roll-over.
We are given a 64-bit static ELF named ipv4 and a remote service at challs.umdctf.io:30308. The binary is not stripped, so the important functions are easy to spot during reversing.
The challenge looks like a simple ret2win at first, but the program has an extra logic check that prevents a plain return-address overwrite from working. The solve requires combining two separate input bugs: a one-byte null overflow to bypass the logic gate, and a stack overflow to control RIP.
No original organizer description was preserved in the local notes.
English summary: the program asks for network-style input fields, validates one stack string with check_rine(), and only then returns from main(). We must satisfy that control flow and pivot execution into win(), which spawns a shell.
The binary properties are:
The most important target is:
win() at 0x402f45, which calls system("/bin/sh")Because PIE is disabled, the win() address is fixed. A small ROP chain is enough once we can safely return from main().
main() contains two distinct stack input bugs.
The Source Host Address field is read with:
scanf("%s", buf)
where buf is the local buffer at rbp-0x60. Since %s has no length limit, this is a normal stack overflow primitive. The working offset from this input to saved RIP is 104 bytes.
The Destination Host Address field is read with:
scanf("%48s", buf)
into a stack buffer at rbp-0xc0.
...
$ grep --similar