Tags: pwn network
This task is a remote `x86_64` binary (both the binary and libc were provided), tagged as "pwn" and "network". The goal is to exploit a vulnerability to gain remote code execution.
There are two parts of the task, named `2manypkts-v1` and `2manypkts-v2` respectively. We only managed to solve the first part, and submitted the flag literally at the last minute. So this write-up is about the first part only.
The binary has a simple stack buffer overflow vulnerability. You can overflow the buffer up to (and beyond) the return address of `main` and then use the well-known ROP technique.
Why was the task also tagged "network", you might ask? The problem is that the buffer is rather large, about 57 kilobytes. The data is read into the buffer by invoking the `read` system call once, without any looping. Since `read` tends to return data to user space as soon as it arrives, without waiting for the kernel buffer to fill up, getting it to overflow 57 kilobytes proved to be rather challenging.
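The short-read behaviour described above can be seen on a local stream socket. This is an added example, not code from the challenge binary: `short_read_demo`, `read_full`, the chunk sizes and the use of `socketpair` are assumptions made for illustration, and the data is constructed.

```c
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/socket.h>

#define BUF_SIZE (57 * 1024)  /* roughly the buffer size mentioned in the write-up */

/* Correct receive pattern: loop until `want` bytes, EOF or error.
 * Each call asks only for the space that is still free in `buf`. */
static ssize_t read_full(int fd, char *buf, size_t want) {
    size_t got = 0;
    while (got < want) {
        ssize_t n = read(fd, buf + got, want - got);
        if (n < 0) return -1;
        if (n == 0) break;                 /* peer closed the stream */
        got += (size_t)n;
    }
    return (ssize_t)got;
}

/* Sends `nchunks` chunks of `chunk` bytes (constructed filler data).
 * *first = result of ONE read() issued after the first chunk arrived,
 * *total = bytes collected once the rest is gathered with read_full(). */
int short_read_demo(size_t chunk, size_t nchunks, ssize_t *first, ssize_t *total) {
    static char rx[BUF_SIZE], tx[4096];
    int sv[2];
    if (nchunks < 1 || chunk > sizeof tx || chunk * nchunks > sizeof rx) return -1;
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0) return -1;
    memset(tx, 'A', sizeof tx);
    if (write(sv[0], tx, chunk) != (ssize_t)chunk) return -1;
    *first = read(sv[1], rx, sizeof rx);   /* returns what is queued, not BUF_SIZE */
    if (*first < 0) return -1;
    for (size_t i = 1; i < nchunks; i++)
        if (write(sv[0], tx, chunk) != (ssize_t)chunk) return -1;
    close(sv[0]);                          /* EOF after the last chunk */
    ssize_t rest = read_full(sv[1], rx + *first, sizeof rx - (size_t)*first);
    close(sv[1]);
    if (rest < 0) return -1;
    *total = *first + rest;
    return 0;
}

int main(void) {
    ssize_t first, total;
    if (short_read_demo(1000, 3, &first, &total) != 0) return 1;
    printf("single read: %zd bytes, looped read: %zd bytes\n", first, total);
    return 0;
}
```

A single `read` hands back only the first chunk even though 57 KB was requested, which is why a receiver that needs a full message has to loop, and why each request must stay within the space left in the buffer.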