blaze-ctf-2018/pwn/shellcodeme/sudhackar/README.md
+8-7
@@ -71,15 +71,16 @@ The next thought I had was to restart the execution of main such that we can byp
71
71
72
72

73
73
74
-
As I noticed that `memset` operation is done on `0x400699`,once the `seen` table has initialized we can skip doing it again in the second run. Jumping to anywhere after the memset operation should work. If we are able to corrupt the 256 byte count table in a way that unique count calculated is in our control then that would let us run arbirary code in the next run. So in the first run we can execute 'push' to setup the stack in such a way that seen[256] is overflowed back to < 7 in the next run.
74
+
As I noticed that `memset` operation is done on `0x400699`,once the `seen` table has initialized we can skip doing it again in the second run. Jumping to anywhere after the memset operation should work. If we are able to corrupt the 256 byte count table in a way that unique count calculated is in our control then that would let us run arbirary code in the next run. So in the first run we can execute 'push' to setup the stack in such a way that seen[256] is overflowed back to < 7 in the next run.
75
75
76
76
Here's how I did it in 7 unique bytes:
77
-
+ `pop` the saved rip from the stack to a register(rbx) (+1 unique byte)
78
-
+ `dec` the 32bit variant of that register to make it 0x4006d2 (+2 unique bytes)
79
-
+ spray the stack by `push`ing the register to setup an already filled `seen` (+1 unique bytes)
80
-
+ `inc rsp` to align `seen[256]` with 0xd2. will overflow this in the next run (+2 unique bytes)
81
-
+ `ret` to get input again to the same page (+1 unique bytes)
82
-
+ input a shellcode such that seen[256] is overflowed back to 0
77
+
78
+
* `pop` the saved rip from the stack to a register(rbx) (+1 unique byte)
79
+
* `dec` the 32bit variant of that register to make it 0x4006d2 (+2 unique bytes)
80
+
* spray the stack by `push`ing the register to setup an already filled `seen` (+1 unique bytes)
81
+
* `inc rsp` to align `seen[256]` with 0xd2. will overflow this in the next run (+2 unique bytes)
82
+
* `ret` to get input again to the same page (+1 unique bytes)
83
+
* input a shellcode such that seen[256] is overflowed back to 0
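Review bot: the re-added line 74 still carries the typo `arbirary` and the missing space after the comma in `0x400699`,once; since that line is being replaced wholesale anyway (its text is otherwise identical to the removed one), fix both spellings here rather than in a follow-up. In the rewritten list the unit is inconsistent: the `pop` item says `(+1 unique byte)` while the `push` and `ret` items say `(+1 unique bytes)`; use the singular on all three so the per-step counts read uniformly (they do sum to the 7 the intro promises: 1+2+1+2+1). Changing the bullet marker from `+` to `*` and inserting the blank line before the list is fine, and it removes the visual clash between a leading `+ ` and a diff's own added-line prefix when the README is quoted in a patch.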