The following is a set of binary exploitation challenges I have created for the Protab summer camp. The challenges are ordered based on difficulty and I recommend going through them in order.
Before we start, just a technical note. Because the buffer overflows in the challenges lead to remote code execution, I really tried to protect my server. The code runs in a small custom Firecracker VM with very limited resources. While I believe the setup is quite secure, if you happen to find a security issue (not the buffer overflows), please report it to me. My contact is at my homepage.
General information about the tasks
To simulate a “real” environment, all tasks can be solved over the network, with the executables running on my server. The communication happens over websockets. I recommend using websocat:
websocat -E --binary wss://binexp.vsq.cz/task/1
When you complete a challenge, you will always get a flag - usually a random word. You’ll know when you see it.
Task 1
- vulnerable.c
- compiled executable
- the code above is running at wss://binexp.vsq.cz/task/1
In this task, you will experiment with the most basic buffer overflow exploit and you’ll overwrite an innocent variable.
Recommended way to solve this challenge:
( echo '0123456789abcdef' | xxd -r -p - -; cat ) | websocat -E --binary wss://binexp.vsq.cz/task/1
Task 2
- compiled executable
- the code is running at wss://binexp.vsq.cz/task/2
Pretty much the same task as before, except you won’t get the source code.
Task 3
- vulnerable.c
- compiled executable
- the code above is running at wss://binexp.vsq.cz/task/3
Your goal here is to overwrite the return pointer. To make it a bit harder, there are also stack canaries present.
Task 4
Same as before, except that the getFlag() function now expects an argument with a specific value. Have a look at the System V ABI. Using ROP and a pop register; ret; gadget (ropper -f executable), provide the function with the correct argument. Stack canaries are still present.
- vulnerable.c
- compiled executable
- the code above is running at wss://binexp.vsq.cz/task/4
Task 5
Get a remote shell. Easy, isn’t it? The flag is in the file /flag5 …
Resolve the location of the system() function using the memory leak (watch out, libc is always linked at a different location). Use that to construct a payload executing a shell.
- vulnerable.c
- compiled executable
- the code above is running at wss://binexp.vsq.cz/task/5
These tools might help you:
- pwntools
- specifically the DynELF tool
- ropper
Task 6
Can you get a remote shell in Task 3?