zer0pts CTF 2021
pwn
We're given a 64-bit ELF and its source code.
The vulnerability is a simple stack buffer overflow.
However, the stack works in a special way.
The return address is saved in the bss section and we can't overwrite it simply by the overflow.
What we abuse is the saved RBP.
After the vuln function returns, RBP is used to calculate the address of buf, so changing the saved RBP changes that address.
With RBP under our control, the next read call writes to whatever address we choose. Since PIE is disabled, the shadow stack in the bss section sits at a fixed address, so we can overwrite it to control RIP.
NX is also disabled, which enables us to jump to the shellcode directly.
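The RBP-driven address computation described above, as an added example in C that is not part of the original writeup or the challenge binary: a small model (the shadow-stack address and size, the buf offset, the read length and the stack bounds are all assumptions chosen for illustration) of how the target of the next read follows the saved RBP, which shadow-stack slot a corrupted RBP would make that read land on, and the plausibility check a defender would add before deriving a buffer address from a frame pointer.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Constructed model of the layout the writeup describes. Every constant
 * below is an assumption for illustration, not a value from the binary.
 */
#define SHADOW_STACK_BASE  0x404000UL   /* assumed bss address; fixed because PIE is off */
#define SHADOW_STACK_SLOTS 16UL
#define SHADOW_STACK_END   (SHADOW_STACK_BASE + SHADOW_STACK_SLOTS * sizeof(uintptr_t))
#define BUF_OFFSET         0x40UL       /* the caller addresses buf as rbp - BUF_OFFSET */
#define BUF_SIZE           0x40UL       /* bytes the next read() stores */

/* Assumed bounds of the real thread stack in this model. */
#define STACK_LO 0x7ffc00000000UL
#define STACK_HI 0x7ffc00010000UL

/* Where the next read() lands. The caller computes buf from RBP, so whoever
 * controls the saved RBP controls this address. */
uintptr_t next_read_target(uintptr_t rbp) {
    return rbp - BUF_OFFSET;
}

/* Index of the first shadow-stack slot that a read() of `len` bytes at
 * rbp - BUF_OFFSET would overwrite, or -1 if the write stays clear of it. */
long first_shadow_slot_hit(uintptr_t rbp, size_t len) {
    uintptr_t lo = next_read_target(rbp);
    uintptr_t hi = lo + len;
    if (hi <= SHADOW_STACK_BASE || lo >= SHADOW_STACK_END)
        return -1;
    uintptr_t start = lo < SHADOW_STACK_BASE ? SHADOW_STACK_BASE : lo;
    return (long)((start - SHADOW_STACK_BASE) / sizeof(uintptr_t));
}

/* Defensive check: a frame pointer outside the stack mapping has been
 * corrupted, so a caller should refuse to derive buffer addresses from it. */
bool rbp_is_plausible(uintptr_t rbp) {
    return rbp >= STACK_LO && rbp <= STACK_HI;
}

int main(void) {
    uintptr_t honest_rbp = 0x7ffc00008000UL;               /* constructed */
    uintptr_t forged_rbp = SHADOW_STACK_BASE + BUF_OFFSET; /* constructed */

    printf("honest rbp %#lx -> read at %#lx, shadow slot %ld, plausible=%d\n",
           honest_rbp, next_read_target(honest_rbp),
           first_shadow_slot_hit(honest_rbp, BUF_SIZE), rbp_is_plausible(honest_rbp));
    printf("forged rbp %#lx -> read at %#lx, shadow slot %ld, plausible=%d\n",
           forged_rbp, next_read_target(forged_rbp),
           first_shadow_slot_hit(forged_rbp, BUF_SIZE), rbp_is_plausible(forged_rbp));
    return 0;
}
```

The model makes the writeup's point concrete: nothing in the read itself is wrong, the damage comes from trusting a frame pointer that the overflow already replaced, and a fixed shadow-stack address (no PIE) turns that into a predictable target. Checking that RBP still lies inside the stack mapping, or not deriving the buffer address from RBP at all, removes the dependency.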