We receive a file called chall
. NX is disabled, which is helpful. We inject shellcode, use a jmp rsp
gadget and execute our own shellcode.
main()
is a fairly simple binary:
The buffer is 48
bytes long. After the buffer there is 16-bit integer check
, which acts as a canary. Then there are 8 bytes for the stored RBP. The total input it 71
, meaning after the stored RBP we have 13 bytes of overflow, including the RIP. No ROP is possible.
Note that the value -6913
is actually 0xe4ff
.
This was rather misleading as they gave you the LIBC.
Firstly:
Now we need some shellcode. pwntools' shellcraft.sh()
is 2
bytes too long, so we'll have to make it manually.
The general payload is as follows:
/bin/sh\x00
so we have it in a known location (relative to RSP)
Shellcode
Padding
0xe4ff
to overwrite the pseudo-canary
Padding
jmp rsp
Now we need to decide what shellcode we want to run. Well, since RSP points at the stack, we know that it will always be a static offset off our buffer. If we calculate it, we can just do
And execute the other half of our code! And at this point RSP will be exactly 8
bytes off /bin/sh\x00
, so we can use it to populate RDI as well!
X-MAS{sant4_w1ll_f0rg1ve_y0u_th1s_y3ar}