pwnPromedium

pwn5_rhook

pwn_spbctf

Task: NON-PIE x86-64 binary exposes an arbitrary read (write(1, addr, 8)), an 8-byte write-what-where (read(0, addr2, 8)), and a save_name routine that CALLs a global hook pointer with rdi = the name buffer; addresses are parsed with atoi (decimal). Solution: leak read@GOT to recover libc 2.31 base, overwrite the hook with system, then call save_name(\"/bin/sh\") so the hook fires as system(\"/bin/sh\").

elf x86-64 system ret2libc pwn got-leak no-pie canary partial-relro arbitrary-read write-what-where remote libc-2.31 function-pointer-hook hook-overwrite atoi-decimal

ret2libc_systemgot_leak_via_arbitrary_readwrite_what_wherehook_pointer_overwrite

$ ls tags/ techniques/

elf x86-64 system ret2libc pwn got-leak no-pie canary partial-relro arbitrary-read write-what-where remote libc-2.31 function-pointer-hook hook-overwrite atoi-decimal

ret2libc_systemgot_leak_via_arbitrary_readwrite_what_wherehook_pointer_overwrite

Analysis

Lorem ipsum dolor sit amet, consectetur adipiscing elit. Sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat.

$ python3 exploit.py --target 192.168.1.1 --port 8080
[*] Connecting to target...
[+] Shell obtained!

Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum.

Permission denied (requires tier.pro)

Sign in to access full writeups

$sign in

$ cat writeup.md…

Sign in to access full writeups

Sign in to access full writeups

Similar writeups