write-ups-challenges-2019-2020/call_me_more/README
2022-11-24 22:43:03 +01:00

30 lines
1.1 KiB
Plaintext

== Call me more ==
=== Description ===
We are given a mysterious address, can we use it to recover the flag? It doesn't seem to be as easy as the last time.
=== Flag ===
Whatever is set in the environment variable IG_FLAG
=== Public Files ===
No file should be given
=== Challenge internals ===
Classical buffer overflow, but with need to bruteforce the canary flag.
The binary is a tcp server, for every client it forks. Canary flags are shared between forked processes, so it's possible to bruteforce the canary by overflowing a byte of the canary and checking when the applications acts normal and when not. After the canary flag is bruteforced, just replace the ret addr with the given addr.
+-------------------------+-8bytes-+-----------------+-----------------+
| 32 byte buffer | CANARY | EBP 8 bytes | RET ADDR |
+-------------------------+--------+-----------------+-----------------+
^replace with A ^bruteforce ^replace with A ^replace with addr
=== Deployment instructions ===
The server runs by default on port 2345, just deploy in a docker container or something.