Multipurpose Calculation Machine

Task	Multipurpose Calculation Machine
Competition	Teaser CONFidence CTF 2014
Location	Online
Category	Software exploitation
Platform	Linux x86
Scoring	200 pts (medium difficulty)
Number of solves	14 out of 99 participants

Solution summary

Click to expand

Under specific conditions, strncpy doesn't nul-terminate the output buffer, leading to a format string vulnerability. Our exploit uses it to leak the program base address, and overwrite the exit function pointer in .got.plt with the address of a system("/bin/sh") call found in the challenge, to get access to the shell.

External write-ups

https://github.com/0xddaa/blog/blob/master/content/2014/dsctf-pwn-200-calc-machine.md
http://balidani.blogspot.com/2014/04/confidence-ds-ctf-pwn200-writeup.html
https://github.com/gynvael/stream/tree/master/000-pwn200-format-bug and https://www.youtube.com/watch?v=hQnPlC1eTuc (PL)

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

README.md

README.md

Multipurpose Calculation Machine

Solution summary

External write-ups

Files

README.md

Latest commit

History

README.md

File metadata and controls

Multipurpose Calculation Machine

Solution summary

External write-ups