pivot (pevot)

pwn_spbctf

Task: 64-bit statically-linked NON-PIE pwn binary with a heap overflow that overwrites a function pointer stored at chunk+0x200, which is then invoked via `call r8` while RCX holds the heap-buffer base. Solution: overwrite the pointer with a `mov rsp, rcx ; ret` pivot to relocate the stack into the controlled heap buffer, then run a leak-free static execve(\"/bin/sh\") ROP chain using glibc-embedded gadgets.

elf x86-64 pwn nx function-pointer-overwrite no-pie execve heap-overflow remote stack-pivot static mov-rsp-rcx bin-sh leak-free

heap_overflow_funcptr_overwritestack_pivot_mov_rsp_rcxstatic_execve_ropleak_free_exploitation

$ ls tags/ techniques/

elf x86-64 pwn nx function-pointer-overwrite no-pie execve heap-overflow remote stack-pivot static mov-rsp-rcx bin-sh leak-free

heap_overflow_funcptr_overwritestack_pivot_mov_rsp_rcxstatic_execve_ropleak_free_exploitation

Analysis

Lorem ipsum dolor sit amet, consectetur adipiscing elit. Sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat.

$ python3 exploit.py --target 192.168.1.1 --port 8080
[*] Connecting to target...
[+] Shell obtained!

Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum.

Permission denied (requires tier.pro)

Sign in to access full writeups

$sign in

$ grep --similar

Similar writeups

[pwn][Pro]pwn5_rw— pwn_spbctf
[pwn][Pro]pwn7_heap0— pwn_spbctf
[pwn][Pro]pwn7 heap1— pwn_spbctf
[pwn][Pro]rbp2— pwn_spbctf
[pwn][Pro]ints (ret2libc 10)— pwn_spbctf