Cookies are Delicious - CSAW 2015 Exploitation 100 Writeup
CSAW 2015 pwn 100 challenge writeup
The binary prints out the address of the buffer during execution and also presents a blatant buffer overflow via scanf("%s"). Checking out the binary in gdb-peda showed that NX was disabled, so the scenario I had in mind was a buffer overflow with ASLR on and a possible return to shellcode.
But the problem with this method is that a variable resembling a stack cookie is placed at a higher memory address than the buffer. Before the epilogue, the program checks whether the value of this stack cookie has been altered. If it has, the program calls exit(), which renders our overflow useless.
So what we need to do is overflow the buffer in such a way that the stack cookie is overwritten with its own original value. The cookie is at an offset of 128 bytes from the start of the buffer and it is 10 bytes long. The only thing left to do is write a short Python script that does all of this for us.
….Aaaand Voila! Shell..
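To show why a cookie sitting at a fixed offset with a value the input can reproduce does not stop this overflow, and what the bounded read that does stop it looks like, here is an added C simulation. It is not the challenge binary's code: the 128-byte offset and 10-byte cookie length come from the writeup, while the cookie value, the 16 bytes of slack above it and the helper names are constructed assumptions.

```c
#include <stdio.h>
#include <string.h>

#define BUF_SIZE   128  /* cookie sits 128 bytes past the start of the buffer (from the writeup) */
#define COOKIE_LEN 10   /* cookie length stated in the writeup */
#define ABOVE      16   /* constructed slack standing in for the saved frame pointer / return address */
#define FRAME_LEN  (BUF_SIZE + COOKIE_LEN + ABOVE)

/* Constructed stand-in for the binary's cookie value; the real value is not given in the writeup. */
static const char COOKIE[COOKIE_LEN] = {'C','O','N','S','T','R','U','C','T','D'};

/* Simulated stack frame: [0,128) input buffer, [128,138) cookie, [138,154) data above it. */
typedef struct { char mem[FRAME_LEN]; } frame_t;

static void frame_init(frame_t *f) {
    memset(f->mem, 0, sizeof f->mem);
    memcpy(f->mem + BUF_SIZE, COOKIE, COOKIE_LEN);
}

/* 1 if the cookie still holds its original value (the epilogue check would pass), else 0. */
static int cookie_intact(const frame_t *f) {
    return memcmp(f->mem + BUF_SIZE, COOKIE, COOKIE_LEN) == 0;
}

/* Vulnerable reader: "%s" carries no width, so input runs straight over the cookie.
 * Inputs stay below FRAME_LEN so the simulation itself remains well-defined. */
int read_unbounded(frame_t *f, const char *input) {
    frame_init(f);
    sscanf(input, "%s", f->mem);
    return cookie_intact(f);
}

/* Hardened reader: width BUF_SIZE-1 (plus the NUL) keeps every written byte inside the buffer,
 * so neither the cookie nor anything above it is reachable, whatever the input length. */
int read_bounded(frame_t *f, const char *input) {
    frame_init(f);
    sscanf(input, "%127s", f->mem);  /* the binary's scanf("%s", buf) would become scanf("%127s", buf) */
    return cookie_intact(f);
}

/* Constructed input: `fill` 'A' bytes, optionally followed by the cookie bytes (static buffer). */
const char *make_input(size_t fill, int with_cookie) {
    static char s[FRAME_LEN + 1];
    size_t limit = with_cookie ? FRAME_LEN - COOKIE_LEN : FRAME_LEN;
    if (fill > limit) fill = limit;
    memset(s, 'A', fill);
    if (with_cookie) { memcpy(s + fill, COOKIE, COOKIE_LEN); fill += COOKIE_LEN; }
    s[fill] = '\0';
    return s;
}
```

The third case is the writeup's observation: an overflow that writes the cookie back in place passes the check, which is why the fix is bounding the read (or a compiler-generated, per-process random canary) rather than a fixed value at a known offset.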
Jayakrishna Menon V