pwnProeasy

pwn2_doublekill

pwn_spbctf

Task: 64-bit non-PIE pwn with a win() that prints /flag; play() leaks the stack buffer address, reads 0x30 bytes that overflow into an adjacent pointer variable, then writes 8 bytes through that pointer. Solution: use the first overflow to repoint the pointer at play()'s saved return address, then use the second write to overwrite it with win() — an indirect write-what-where ret2win with no canary.

elf x86-64 ret2win pwn no-canary no-pie overflowed-pointer write-what-where stack-leak remote

ret2winoverflowed_pointer_write_what_wherestack_address_leak

$ ls tags/ techniques/

elf x86-64 ret2win pwn no-canary no-pie overflowed-pointer write-what-where stack-leak remote

ret2winoverflowed_pointer_write_what_wherestack_address_leak

Analysis

Lorem ipsum dolor sit amet, consectetur adipiscing elit. Sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat.

$ python3 exploit.py --target 192.168.1.1 --port 8080
[*] Connecting to target...
[+] Shell obtained!

Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum.

Permission denied (requires tier.pro)

Sign in to access full writeups

$sign in

$ cat writeup.md…

Sign in to access full writeups

Sign in to access full writeups

Similar writeups