ASLR Alice

pwn_spbctf

Task: NON-PIE, NX, no-canary x86-64 ALICE chat service with a stack buffer overflow (read 0x78 bytes into a 0x20 buffer, RET offset 0x28). Solution: two-stage ret2libc in one connection — leak puts via puts@got+return-to-main, then call system(\"/bin/sh\") with an extra ret for movaps alignment.

elf x86-64 ret2libc rop pwn nx stack-overflow no-canary no-pie aslr remote movaps-alignment libc-2.31 return-to-main puts-got-leak

ret2libcstack_buffer_overflowrop_chainreturn_to_mainputs_got_leakmovaps_alignment_fix

$ ls tags/ techniques/

elf x86-64 ret2libc rop pwn nx stack-overflow no-canary no-pie aslr remote movaps-alignment libc-2.31 return-to-main puts-got-leak

ret2libcstack_buffer_overflowrop_chainreturn_to_mainputs_got_leakmovaps_alignment_fix

Analysis

Lorem ipsum dolor sit amet, consectetur adipiscing elit. Sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat.

$ python3 exploit.py --target 192.168.1.1 --port 8080
[*] Connecting to target...
[+] Shell obtained!

Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum.

Permission denied (requires tier.pro)

Sign in to access full writeups

$sign in

$ grep --similar

Similar writeups

[pwn][Pro]pwn6fmt_alice2 (alice-alpha)— pwn_spbctf
[pwn][Pro]cleaker (Mic Check 10)— pwn_spbctf
[pwn][Pro]Canary leak + ret2win (string_leak)— spbctf
[pwn][Pro]hello-goodbye— pwn_spbctf
[pwn][Pro]inspector the ONE— pwn_spbctf