ints (ret2libc 10)

pwn_spbctf

Task: NON-PIE x86-64 ELF with a menu loop that writes user qwords into a fixed-size stack array with NO bounds check (unbounded sequential stack write), plus a /proc/self/maps libc leak; an on-stack function pointer is invoked via call rdx. Solution: overwrite the called pointer with an 'add rsp,0x18; ret' stack-pivot gadget to realign and land in a planted execve(\"/bin/sh\",0,0) ROP chain, sidestepping the system() movaps alignment crash and the decoy exit command.

elf x86-64 pwn no-pie remote unbounded-index maps-leak arbitrary-stack-write call-rdx-hijack stack-pivot add-rsp-gadget execve-rop movaps-alignment

function_pointer_hijackunbounded_index_stack_writestack_pivot_add_rspexecve_roplibc_base_leak_via_proc_maps

$ ls tags/ techniques/

elf x86-64 pwn no-pie remote unbounded-index maps-leak arbitrary-stack-write call-rdx-hijack stack-pivot add-rsp-gadget execve-rop movaps-alignment

function_pointer_hijackunbounded_index_stack_writestack_pivot_add_rspexecve_roplibc_base_leak_via_proc_maps

Analysis

Lorem ipsum dolor sit amet, consectetur adipiscing elit. Sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat.

$ python3 exploit.py --target 192.168.1.1 --port 8080
[*] Connecting to target...
[+] Shell obtained!

Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum.

Permission denied (requires tier.pro)

Sign in to access full writeups

$sign in

$ grep --similar

Similar writeups

[pwn][Pro]popa-ot-ropa (Mic Check 10)— pwn_spbctf
[pwn][Pro]pwn5_rw— pwn_spbctf
[pwn][Pro]look at me (ASLR 10)— pwn_spbctf
[pwn][Pro]pwn6www / storage— pwn_spbctf
[pwn][Pro]inspector the ONE— pwn_spbctf