30 lines
1.1 KiB
Plaintext
== Call me more ==
=== Description ===
We are given a mysterious address; can we use it to recover the flag? It doesn't seem to be as easy as last time.
=== Flag ===
Whatever is set in the environment variable IG_FLAG
=== Public Files ===
No files should be given.
=== Challenge internals ===
Classical buffer overflow, but the stack canary has to be bruteforced first.
The binary is a TCP server that forks for every client. Because the canary is inherited by every forked child, it can be bruteforced one byte at a time: overflow a single byte of the canary and observe whether the application behaves normally (correct guess) or crashes (wrong guess). Once the canary has been recovered, replace the return address with the given address.
+-------------------------+-8bytes-+-----------------+-----------------+
| 32 byte buffer          | CANARY | EBP 8 bytes     | RET ADDR        |
+-------------------------+--------+-----------------+-----------------+
  ^replace with A          ^bruteforce ^replace with A ^replace with addr
=== Deployment instructions ===
The server runs on port 2345 by default; just deploy it in a Docker container or similar.