get_it (csaw18q_getit)

pwn_spbctf

Task: NON-PIE x86-64 binary reads input with unbounded gets() into a 0x20 stack buffer; a give_shell() function calling system(\"/bin/sh\") already exists. Solution: classic ret2win — overflow 0x28 bytes (buf + saved rbp) and overwrite the saved return address with the address of give_shell to spawn a shell and read /flag.

gets elf x86-64 system ret2win pwn nx stack-overflow no-canary no-pie remote give-shell

ret2winstack_buffer_overflowreturn_address_overwritemovaps_alignment_fallback

$ ls tags/ techniques/

gets elf x86-64 system ret2win pwn nx stack-overflow no-canary no-pie remote give-shell

ret2winstack_buffer_overflowreturn_address_overwritemovaps_alignment_fallback

Analysis

Lorem ipsum dolor sit amet, consectetur adipiscing elit. Sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat.

$ python3 exploit.py --target 192.168.1.1 --port 8080
[*] Connecting to target...
[+] Shell obtained!

Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum.

Permission denied (requires tier.pro)

Sign in to access full writeups

$sign in

$ grep --similar

Similar writeups

[pwn][Pro]pwn4 getflag_no_zeroes— pwn_spbctf
[pwn][Pro]pwn6boi— pwn_spbctf
[pwn][Pro]pwn6 tw17_justdoit (just_do_it)— pwn_spbctf
[pwn][Pro]Navalny (ret2libc 10)— pwn_spbctf
[pwn][Pro]ret— spbctf