ECSC 2019 - leHack - harmless
06 Jul 2019
nc harmless.ecsc 4001
category: pwn - 50
An ARM file is attached to the description.
Using gdb-multiarch, we could retrieve the instructions with disas, but for simplicity I'll show the decompiled code from IDA instead:
Looks like we can overflow every variable... Notice that if we answer "Y" to the "Are you a developper?" question, the program displays the variable addresses. So we will try to take that branch.
Moreover, I managed to find the input length that triggers an error on the server:
As you can see, it throws an error because we managed to write a \x00 into the return address.
Okay, we have all we need.
First we go into the developer branch. Then we put shellcode in the v4 variable (the comment variable) and overflow so that the return address is overwritten with the address of v4 (&v4).
This is the commented Python code performing these steps:
And the output:
Yeah! The flag is