Monday, March 17, 2014

RuCTF 2014 Vuln 300

[RuCTF 2014 with Segfault]

I did not solve this challenge on remote in time, only locally. The application "Posts" was a CLI application, statically compiled (buttload of gadgets, yes), and had an NX stack. It asked you for a name, a count, and read in `count` number of "Titles" and "Contents".

If we give 260 A's as the content, a function pointer is overwritten and we have a nice crash.

Next step: set up a ROP payload and jump to it. It would be great if we could use Posts as the location, but it had a '\r' in its address, which would prevent that from working.

The final sploit involved setting up the ROP chain in `name` and overwriting the function pointer with the address of the ROP chain. Locally the buffer address was 0xbffff5f4.
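The bug class behind the crash above, next to a bounds-checked version, as an added example that is not code from the challenge binary or from the original post. The struct layout, field sizes and function names are assumptions; the write-up only states that 260 bytes of content reach a function pointer.

```c
#include <stddef.h>
#include <string.h>

/* Hypothetical layout: a content buffer directly followed by a function pointer. */
struct post {
    char content[256];
    void (*handler)(struct post *);
};

static void print_post(struct post *p) { (void)p; }

static void post_init(struct post *p) {
    memset(p, 0, sizeof *p);
    p->handler = print_post;
}

/* Returns 1 if the stored pointer still has the bytes set by post_init. */
static int handler_intact(const struct post *p) {
    void (*expected)(struct post *) = print_post;
    return memcmp(&p->handler, &expected, sizeof expected) == 0;
}

/* Bug pattern: the copy length comes from the input, not from the field.
   The copy goes through the struct's bytes (content is at offset 0) and is
   capped at sizeof *p so the demonstration itself stays well-defined. */
static void set_content_unchecked(struct post *p, const char *in, size_t len) {
    if (len > sizeof *p) len = sizeof *p;
    memcpy((unsigned char *)p, in, len);
}

/* Hardened form: reject anything that does not fit, keep a terminator. */
static int set_content_checked(struct post *p, const char *in, size_t len) {
    if (len >= sizeof p->content) return -1;
    memcpy(p->content, in, len);
    p->content[len] = '\0';
    return 0;
}

/* Constructed input: 260 'A' bytes, the length quoted in the write-up.
   Returns 1 if the pointer survived, 0 if it was clobbered. */
static int demo(int checked) {
    struct post p;
    char input[260];
    memset(input, 'A', sizeof input);
    post_init(&p);
    if (!checked) set_content_unchecked(&p, input, sizeof input);
    else if (set_content_checked(&p, input, sizeof input) != -1) return -1;
    return handler_intact(&p);
}

int main(void) { return !(demo(0) == 0 && demo(1) == 1); }
```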
