zer0pts CTF 2021
pwn
An x64 ELF and its source code are provided.
The vulnerability is obviously stack overflow in multiple places:
However, SSP (the stack smashing protector) is enabled, so we have to leak the stack canary somehow.
Let's focus on the following piece of code.
The variable goal is not initialized at [1], but the input is read into it at [2]. However, the program doesn't check the return value of scanf. If we feed it invalid input, scanf does not update the value of goal, and the stale contents of that stack slot are used as if they were the input.
So, if a leftover copy of the canary happens to sit at the address of goal, the program prints it for us and we can leak the stack canary.
After that it is simple: just abuse the stack overflow to get the shell.
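To illustrate the bug class behind the leak, here is an added example (not the challenge's code): the unchecked pattern that leaves stale stack contents in place on invalid input, next to the checked version that initializes the variable and rejects input scanf could not convert. It assumes sscanf on a string in place of scanf on stdin, and a `leftover` parameter standing in for the uninitialized stack slot, so that the behaviour is reproducible.

```c
#include <stdio.h>

/* Vulnerable pattern (as in the writeup): the destination starts out with
 * whatever was already in its stack slot and the result of sscanf is
 * discarded. On invalid input the stale value survives and is returned,
 * which is exactly how a canary left on the stack can end up printed.
 * `leftover` simulates the uninitialized local's previous contents. */
long read_goal_unchecked(const char *input, long leftover)
{
    long goal = leftover;          /* stands in for an uninitialized local */
    sscanf(input, "%ld", &goal);   /* return value ignored: the bug */
    return goal;                   /* may be stale data, not user input */
}

/* Hardened pattern: give the variable a known initial value and require
 * exactly one successful conversion before using it. Returns 0 on success
 * and -1 on invalid input; *out is never left holding stale stack data. */
int read_goal_checked(const char *input, long *out)
{
    long goal = 0;                 /* deterministic initial value */
    if (sscanf(input, "%ld", &goal) != 1) {
        *out = 0;                  /* safe sentinel, never stale memory */
        return -1;                 /* caller must treat this as an error */
    }
    *out = goal;
    return 0;
}
```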