pwn4_call_fcn_small

pwn_spbctf

Task: 64-bit NON-PIE shellcoding challenge that mmaps an RWX page and calls a tiny 27-byte attacker buffer; goal is to call win_fcn with the right register arguments. Solution: golf the shellcode by setting the five required argument registers and using `push imm32; ret` to jump to win_fcn at 0x4006b0, landing exactly at 27 bytes.

elf x86_64 shellcode pwn no_pie remote mmap_rwx shellcode_golf size_constraint push_ret magic_gate

mmap_rwx_shellcodeshellcode_golfpush_imm32_ret_callregister_argument_setup

$ ls tags/ techniques/

elf x86_64 shellcode pwn no_pie remote mmap_rwx shellcode_golf size_constraint push_ret magic_gate

mmap_rwx_shellcodeshellcode_golfpush_imm32_ret_callregister_argument_setup

Analysis

Lorem ipsum dolor sit amet, consectetur adipiscing elit. Sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat.

$ python3 exploit.py --target 192.168.1.1 --port 8080
[*] Connecting to target...
[+] Shell obtained!

Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum.

Permission denied (requires tier.pro)

Sign in to access full writeups

$sign in

$ grep --similar

Similar writeups

[pwn][Pro]pwn4 / call_fcn— pwn_spbctf
[pwn][Pro]pwn4 call_fcn_rop— pwn_spbctf
[pwn][Pro]pwn4_win— pwn_spbctf
[pwn][Pro]no_syscall— pwn_spbctf
[pwn][Pro]pwn4 getflag_no_zeroes— pwn_spbctf