pwn5 itmo

pwn_spbctf

Task: stripped NON-PIE x86-64 university state machine; an OOB grades[count]=grade write executes before the bound check and lands on the low byte of a format-string pointer used by a fixed-arg box printf. Solution: corrupt the format pointer to shift which directives run so %n targets a register-backed arg (rcx=code) set to the rector-flag address, abuse year==0 so %s(NULL) prints (null) instead of SIGSEGV, set the win global, then graduate to trigger system(\"cat flag.txt\").

stripped elf x86-64 system pwn oob-write no-pie format-string remote fmt percent-n off-by-one format-pointer-corruption state-machine null-pointer-s-trick

oob_array_writeformat_pointer_corruptionpercent_n_steeringregister_backed_arg_targetingnull_pointer_s_trickstate_global_win

$ ls tags/ techniques/

stripped elf x86-64 system pwn oob-write no-pie format-string remote fmt percent-n off-by-one format-pointer-corruption state-machine null-pointer-s-trick

oob_array_writeformat_pointer_corruptionpercent_n_steeringregister_backed_arg_targetingnull_pointer_s_trickstate_global_win

Analysis

Lorem ipsum dolor sit amet, consectetur adipiscing elit. Sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat.

$ python3 exploit.py --target 192.168.1.1 --port 8080
[*] Connecting to target...
[+] Shell obtained!

Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum.

Permission denied (requires tier.pro)

Sign in to access full writeups

$sign in

$ grep --similar

Similar writeups

[pwn][Pro]pwn5_glo— pwn_spbctf
[pwn][Pro]pwn4 / call_fcn— pwn_spbctf
[pwn][Pro]pwn5_exit— pwn_spbctf
[pwn][Pro]pwn5_www1— pwn_spbctf
[pwn][Pro]pwn4 call_fcn_rop— pwn_spbctf