- This is simple server program, and we should make user named
baby
. - If you exec program and connect with nc you can see 3 options (We have time limit to use, In one session we can only use 15 seconds)
- First we can do stack overflow, Second we can do fsb and last we can do heap overflow.
- I couldn't find the usage of heap overflow but I found usage of others.
- This program's NX bit is enabled so we have to leak memory to do some stack overflow.
- With
%20p*144
and last hex number is the canary. - Canary doesn't change after server is turned on. That means we can check canary first and then do stackoverflow next. (Actually if you use automatic script with python, you can do these things at once, but if you do this with your hands you have time limit so you have to try many times. I recommand automatic code)
- In stack overflow function memory looks like this
[canary(8byte)][buffer(1032byte)][socket_fd(8byte)]
- You can overflow successfullt if you get canary correctly. After overflow we can do some ROP and I upload some easy same python script on my github
- I think I can solve this by read flag file by ROP, save flag data at heap chunk and send it back like that example.
- I save command
cat flag.txt
at heap and run it with shell. - I couldn't bypass ASLR. Bypassing it is really hard... -> I added
Last active
June 14, 2017 07:18
-
-
Save parksjin01/7c81f393673a341176932bf2cbb298a6 to your computer and use it in GitHub Desktop.
Insomni'hack Teaser CTF 2017
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment