Tags: pwn network
Rating:
The size check for the number of data types to be sent was signed and can be bypassed by providing a negative size, which results in a classic stack buffer overflow. With no stack canary we can just ROP to get a leak and ret2system. It's best to use the "int" class's buffer, as it's closest to the saved return address and the smallest in size (0xE000 bytes). However, the second part of this challenge was marked as "network", and it involved the fact that we can't send more than (what I assume and describe as) the size of the input stream buffer (which can vary depending on MTU/window size, as these were some of the options we tried), but we were unable to figure this part out.
If any of the organizers would be so kind as to explain in the comments what the trick behind the "network" concept of this challenge was, we would appreciate it.
Thanks,
P.S.
2manypckts-v2 was absolutely the same vulnerability, except that all 5 data type classes were instantiated on the heap, causing a heap overflow instead of a stack overflow. It was still doable, if only we had been able to send the whole payload to the server.
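The signed-size bug the writeup describes (and its heap twin in 2manypckts-v2) boils down to one comparison, so here is an added illustration in C of the bug class and its fix. This is not the challenge binary's code: `MAX_ELEMS`, the function names and the sample payload are constructed for the example. It shows why a signed bound check lets a negative count through and how large the copy length becomes after the implicit conversion, beside an unsigned bound check and a copy that also caps by the bytes actually received, so that neither a negative count nor a short read can run past the buffer.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical capacity of the receiver's fixed-size buffer, in elements.
 * Stands in for the kind of per-type buffer the writeup describes. */
#define MAX_ELEMS 16

/* Vulnerable pattern: the count comes off the wire as a signed int and the
 * bound check is a signed comparison, so any negative value passes. The
 * later copy converts it to size_t, where it becomes enormous. */
bool count_ok_signed(int32_t count)
{
    return count <= MAX_ELEMS;   /* -1 <= 16 is true */
}

/* Hardened pattern: reinterpret the wire value as unsigned before comparing,
 * so negative values show up as huge and are rejected by the same bound. */
bool count_ok_unsigned(int32_t count)
{
    uint32_t n = (uint32_t)count;
    return n <= MAX_ELEMS;       /* 0xFFFFFFFF <= 16 is false */
}

/* The byte length the vulnerable copy would hand to memcpy/recv: the signed
 * count converted to size_t exactly as an implicit conversion would do it. */
size_t bytes_the_vulnerable_copy_requests(int32_t count, size_t elem_size)
{
    return (size_t)(uint32_t)count * elem_size;
}

/* Hardened copy: rejects bad counts, then also caps by what was actually
 * received, so neither a negative count nor a short read can overrun dst.
 * Returns the number of elements copied, or -1 on rejection. */
int32_t copy_ints_checked(int32_t count, const int32_t *src, size_t src_avail,
                          int32_t dst[MAX_ELEMS])
{
    if (!count_ok_unsigned(count))
        return -1;
    uint32_t n = (uint32_t)count;
    if (n > src_avail)
        return -1;
    memcpy(dst, src, (size_t)n * sizeof *dst);
    return (int32_t)n;
}

/* Constructed sample: a 4-element "int" payload as it might arrive on the wire. */
static const int32_t SAMPLE_PAYLOAD[4] = {10, 20, 30, 40};

/* Runs the hardened copy on the sample with a caller-chosen count and returns
 * what copy_ints_checked reported, so the outcome can be checked directly. */
int32_t demo_copy(int32_t count)
{
    int32_t dst[MAX_ELEMS] = {0};
    return copy_ints_checked(count, SAMPLE_PAYLOAD, 4, dst);
}

int main(void)
{
    int32_t bad = -1;
    printf("signed check accepts %d: %s\n", bad, count_ok_signed(bad) ? "yes" : "no");
    printf("unsigned check accepts %d: %s\n", bad, count_ok_unsigned(bad) ? "yes" : "no");
    printf("vulnerable copy would request %zu bytes\n",
           bytes_the_vulnerable_copy_requests(bad, sizeof(int32_t)));
    printf("hardened copy of 4 elements -> %d, of -1 -> %d\n",
           demo_copy(4), demo_copy(-1));
    return 0;
}
```

The second cap in `copy_ints_checked` is the part worth copying into real code: a bound on the declared count alone still trusts the sender, whereas bounding by the bytes actually received ties the copy to data the process already holds.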
I would like to know too
itsZN you can retweet to get their attention :) https://twitter.com/rh0gue/status/849017548549107713