fno-stack-protector [PWN]

One Byte Overflow Challenge

Chall

When you decompile the program, it is a simple program that just reads input and exits. There is a stack overflow bug, and the binary contains a bad_function whose only job is to execute "/bin/sh".

Before we control RIP and put the address of bad_function in it to get a shell, let's find out which protections are enabled on the binary.

We find that all protections are enabled except the canary.

PIE protection is like a brother to ASLR.

ASLR: randomizes everything in the process except the code section.

PIE: randomizes the code section of the program, i.e. the address of main, the functions written by the programmer, and its variables.

Note: PIE only takes effect when ASLR is enabled.

What is the problem with that?

The problem is that we can't get the real address of bad_function; it is randomized at runtime.

Now let's try to control RIP, and after that think about how to execute bad_function.

Control RIP

Now we send a large number of characters to the program to get a crash.

The offset to control RIP is 18 bytes.

Now we send exactly 18 bytes.

Now, to call bad_function, we just put one byte into RIP: overwriting only the least significant byte of the saved return address leaves the randomized upper bytes untouched.

This is my script. Why use p8()? It is used to send a single byte.

And why did I use send() to send the payload instead of sendline()?

Because sendline() appends a "\n" character at the end, and that extra byte overwrites the next byte of the return address, corrupting RIP.

Now let's run the script.

It worked :)
