inspector the ONE

pwn_spbctf

Task: 64-bit NON-PIE ELF with an unbounded scanf(\"%s\") stack overflow; startup dumps /proc/$PPID/maps leaking the libc base, ASLR is off. Solution: ret2libc, but call execve(\"/bin/sh\",0,0) instead of system() because system's absolute address contains a 0x20 (space) byte that terminates scanf %s — pick gadget/string addresses with no whitespace bytes.

elf x86-64 ret2libc pwn no-pie execve remote maps-leak scanf-overflow aslr-off whitespace-bytes one-gadget-pun

ret2libcscanf_unbounded_overflowexecve_rop_chainlibc_base_from_maps_leakwhitespace_byte_avoidance

$ ls tags/ techniques/

elf x86-64 ret2libc pwn no-pie execve remote maps-leak scanf-overflow aslr-off whitespace-bytes one-gadget-pun

ret2libcscanf_unbounded_overflowexecve_rop_chainlibc_base_from_maps_leakwhitespace_byte_avoidance

Analysis

Lorem ipsum dolor sit amet, consectetur adipiscing elit. Sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat.

$ python3 exploit.py --target 192.168.1.1 --port 8080
[*] Connecting to target...
[+] Shell obtained!

Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum.

Permission denied (requires tier.pro)

Sign in to access full writeups

$sign in

$ grep --similar

Similar writeups

[pwn][Pro]cleaker (Mic Check 10)— pwn_spbctf
[pwn][Pro]popa-ot-ropa (Mic Check 10)— pwn_spbctf
[pwn][Pro]look at me (ASLR 10)— pwn_spbctf
[pwn][Pro]Enigma * (one_gdgt)— pwn_spbctf
[pwn][Pro]ints (ret2libc 10)— pwn_spbctf