You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: content/posts/csaw-24-embedded-security-challenge-report/index.md
+3-2Lines changed: 3 additions & 2 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -4,9 +4,10 @@ date: '2024-11-14'
4
4
lastmod: '2024-11-17T18:37:43+01:00'
5
5
categories:
6
6
- articles
7
+
- CSAW
7
8
tags:
8
-
- esc
9
9
- csaw
10
+
- esc
10
11
authors:
11
12
- Titto
12
13
---
@@ -17,7 +18,7 @@ authors:
17
18
18
19
Some of our members participated in the [CSAW Embedded Security Challenge](https://www.csaw.io/esc) 2024. Below is the qualification report that allowed the team representing TRX to qualify for the final, which took place at Esisar in Valence.
Copy file name to clipboardExpand all lines: content/posts/trxctf25-virtual_insanity/index.md
+8-7Lines changed: 8 additions & 7 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -18,6 +18,7 @@ authors:
18
18
Dancing, Walking, Rearranging Furniture
19
19
20
20
**DISCLAIMER**: This challenge doesn't require brute-forcing
21
+
21
22
## Overview of the challenge
22
23
23
24
The challenge is a standard ret2win with a pretty obvious overflow of 0x30 bytes, the binary is compiled without stack canary protection but has pie, with no apparent way to leak addresses.
@@ -26,11 +27,11 @@ The challenge is a standard ret2win with a pretty obvious overflow of 0x30 bytes
26
27
27
28
The intended solution involves performing a partial overwrite to redirect execution to the `win` function. However, the return address on the stack is a libc address. To work around this, we can leverage [vsyscall](https://0xax.gitbooks.io/linux-insides/content/SysCall/linux-syscall-3.html) to traverse the stack until we locate the address of `main`. By modifying its least significant byte (LSB), we can transform it into the address of `win`. When execution returns, `vsyscall` effectively acts as a `ret` gadget, allowing us to redirect control flow to `win`.
0 commit comments