Another beginner’s series from pwn.college, this time covering the basics of binary file exploitation.
Since I last checked, a few things have changed significantly, and now everything looks worse than it did. Not the challenges themselves, but the structure and overall design of this section. Previously, everything was divided into several stages: you’d start with the assembly course, then write a small exploit using your assembly knowledge, and only then move on to the exploitation challenge. But now everything is jumbled, shortened, and looks a bit… unfinished, so to speak. Therefore, I would recommend watching all the pwn.college videos for 2020/2021 to familiarize yourself with the relevant modules. It will be much easier and clearer afterwards.
In my opinion, the tasks themselves are quite simple and don’t require lengthy discussion. If you’ve looked at and read all the provided materials, you’ll be able to solve them without any difficulty. The only problem you might encounter is with the last two.
0x14: Hijack to Shellcode (easy)
This will require you to spend some time in a debugger and disassembler to figure out where the vulnerable buffer is located on the stack and find the required address. The basic idea is the same: you need to overflow the buffer, but the return address should point to the same buffer and the beginning of your shellcode within it.
I’d recommend following the same idea Yan described somewhere in the videos I mentioned: just use int 3 in your shellcode and debug it. But note: even with ASLR disabled, the stack addresses you see in the debugger are different from those when running the program without it.
0x15: Hijack to Shellcode (hard)
Everything is the same as before, but with one subtle limitation: the buffer is quite small, so you’ll have to shorten the shellcode if it was fairly large in the previous step. Also note that the program stores the number returned by read on the stack, literally overwriting your shellcode with four bytes somewhere in the middle. I couldn’t find a way to write shellcode that did everything necessary while staying under 0x24 bytes, so I had to “allocate” space in the middle for this overwriting operation. Otherwise, the trick for finding the correct buffer address is the same as before.
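For readers who want to see the bug class behind both Hijack to Shellcode challenges rather than just the solving approach, here is an added example (my own illustration, not code from pwn.college or from the challenge binaries): the unbounded read pattern that makes a stack buffer overflowable, next to a bounded version that also checks the value read returns instead of trusting it. The buffer size 0x24 and the 0x1000 read count are assumptions chosen to match the figures mentioned above; the real challenge's layout is not reproduced.

```c
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>

/* Assumed buffer size; the post says the small buffer is under 0x24 bytes. */
#define BUF_SIZE 0x24

/* Vulnerable pattern: the count handed to read() has nothing to do with the
 * buffer's size, so input longer than BUF_SIZE keeps writing past the array
 * into whatever the compiler placed above it on the stack (other locals such
 * as the variable holding read()'s return value, the saved frame pointer,
 * the return address). This is exactly the condition a stack overflow needs. */
ssize_t vulnerable_read(int fd, char *buf) {
    return read(fd, buf, 0x1000); /* count far larger than the buffer */
}

/* Hardened pattern: bound the read to the buffer (leaving a byte for NUL)
 * and handle short reads and errors instead of assuming the count is valid. */
ssize_t safe_read(int fd, char *buf, size_t bufsize) {
    if (buf == NULL || bufsize == 0)
        return -1;
    ssize_t n = read(fd, buf, bufsize - 1);
    if (n < 0)
        return -1;
    buf[n] = '\0'; /* n <= bufsize - 1, so this stays in bounds */
    return n;
}

/* Demo: push a constructed 200-byte input through a pipe and read it back with
 * safe_read() into a BUF_SIZE buffer. Returns the byte count read, or -2 if
 * the buffer was not NUL-terminated, so the bound can be checked offline. */
ssize_t bounded_read_demo(void) {
    char big[200];
    char buf[BUF_SIZE];
    int fds[2];

    memset(big, 'A', sizeof big); /* constructed oversize input */
    if (pipe(fds) != 0)
        return -1;
    ssize_t w = write(fds[1], big, sizeof big);
    close(fds[1]);

    ssize_t n = (w == (ssize_t)sizeof big) ? safe_read(fds[0], buf, sizeof buf) : -1;
    close(fds[0]);

    if (n >= 0 && buf[n] != '\0')
        return -2;
    return n; /* 0x23 bytes: everything past the bound stays in the pipe */
}

int main(void) {
    ssize_t n = bounded_read_demo();
    printf("safe_read accepted %zd of 200 bytes into a %d-byte buffer\n", n, BUF_SIZE);
    return n == BUF_SIZE - 1 ? 0 : 1;
}
```

The hardened version fixes two things at once: the length passed to read is derived from the destination, and the return value is checked rather than stored and trusted. Compiling the vulnerable form with stack protection and a modern toolchain only turns the overflow into a crash; the bound on the read is what removes it.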
Have fun!
The challenges can be found here, and my solutions are here.