pwn2_sequential

pwn_spbctf

Task: NON-PIE x86-64 ELF with a menu that dispatches echo/help/greet through on-stack function pointers, reached by an unbounded gets() overflow; a canary is present but irrelevant. Solution: overwrite the function pointers (which sit BELOW the canary and are invoked via `call` before any ret) to chain unused init()=fgets(CMD) and sys()=system(CMD) gadgets into arbitrary command execution and a shell.

elf x86-64 system pwn function-pointer-overwrite no-pie remote aslr-disabled gets-overflow canary-bypass ret2func

function_pointer_overwritecanary_bypass_via_callgets_overflowret2funcstrcmp_nul_vs_gets_newlinein_binary_gadget_reuse

$ ls tags/ techniques/

elf x86-64 system pwn function-pointer-overwrite no-pie remote aslr-disabled gets-overflow canary-bypass ret2func

function_pointer_overwritecanary_bypass_via_callgets_overflowret2funcstrcmp_nul_vs_gets_newlinein_binary_gadget_reuse

Analysis

Lorem ipsum dolor sit amet, consectetur adipiscing elit. Sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat.

$ python3 exploit.py --target 192.168.1.1 --port 8080
[*] Connecting to target...
[+] Shell obtained!

Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum.

Permission denied (requires tier.pro)

Sign in to access full writeups

$sign in

$ grep --similar

Similar writeups

[pwn][Pro]rbp2— pwn_spbctf
[pwn][Pro]pwn5_rw— pwn_spbctf
[pwn][Pro]inspector the ONE— pwn_spbctf
[pwn][Pro]pwn4_encoder— pwn_spbctf
[pwn][Pro]pwn7 heap1— pwn_spbctf