hello-goodbye

pwn_spbctf

Task: NON-PIE 64-bit ELF reads 0x80 bytes into a 0x30 stack buffer, overflowing an on-stack function pointer that is then called with rdi pointing at the buffer. Solution: overwrite the function pointer (offset 0x28) with system@plt and place \"/bin/sh\" at the start of the buffer, turning the indirect call into system(\"/bin/sh\") — no libc leak needed.

elf x86-64 pwn no-canary function-pointer-overwrite no-pie remote ret2system system-plt read-overflow

function_pointer_overwritestack_buffer_overflowret2system

$ ls tags/ techniques/

elf x86-64 pwn no-canary function-pointer-overwrite no-pie remote ret2system system-plt read-overflow

function_pointer_overwritestack_buffer_overflowret2system

Analysis

Lorem ipsum dolor sit amet, consectetur adipiscing elit. Sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat.

$ python3 exploit.py --target 192.168.1.1 --port 8080
[*] Connecting to target...
[+] Shell obtained!

Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum.

Permission denied (requires tier.pro)

Sign in to access full writeups

$sign in

$ grep --similar

Similar writeups

[pwn][Pro]fptr Reborn— spbctf
[pwn][Pro]inspector the ONE— pwn_spbctf
[pwn][Pro]pwn4 beta_version— pwn_spbctf
[pwn][Pro]popa-ot-ropa (Mic Check 10)— pwn_spbctf
[pwn][Pro]ASLR Alice— pwn_spbctf