SwixPWN 未解决

分数: 0 金币: 0
题目作者: 未知
一  血: admin889
一血奖励: 0金币
解  决: 1
提  示:
描  述:

Notes:

  • Source code was given to help with debugging.

  • Exploiting the dlresolve function to call system("sh")

  • System has access to environment variables (PATH) therefore, calling system("sh") would work perfectly fine.
  • Puts uses heap before printing a message therefore, by leaking a heap address, you can calc the address of "I'm safe! I wish" stored in heap & should be able to use the last "sh" for the system call.
  • The dlresolve payload must be crafted manually in the given structures. The addresses are aligned.
  • Use magicMove to call the dlresolve function.

Unintended by Robbert1978 (Discord tag)

One of the unintended solutions caught my interest, which is this one. The unintended solution consists of creating a 1 argument function call primitive. That's one creative way to do it.

Link for writeup/solver & blog: Link

其  他: 下载

WriteUp

暂无相关WriteUp

评分(0)

暂无评分

解题动态

admin889 获得了一血 11月前
问题反馈