Vortex 13

Continuing the Vortex series from here[1]. This is Vortex #13.

1: vortex 12

(Inconveniences)
How big is your shellcode? This level has a non-executable stack. You must login to vortex.labs.overthewire.org to complete this level.

Okay, so we grab the binary and take a look: we see two functions.

So this is a format string bug. The input is limited to 0x14 bytes, and only specific characters are allowed. The allowed characters are:

'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789%.$'

We need to control execution. After the loop there is a call to free(), so we could overwrite its GOT entry and hijack execution, but as noted we are only allowed 0x14 bytes, which is not enough for a clean two-write (writing the low two bytes of free's GOT entry and then the high two bytes, something like %Xx%114$hn%Yx%115$hn). Also, all environment variables and arguments are zeroed. We can still use the AUXV to place our shellcode/data, but we still need a way to control execution. Another way is a single write to a saved frame pointer to do ROP: from vuln() we overwrite the saved ebp, so that when it leaves and returns to main, ebp points into AUXV-controlled data and we can ROP from there.
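As an added example (not part of the original write-up or the challenge binary), the following C program mirrors the constraints described above and shows why the character whitelist is no defence: a string such as %5$hn consists entirely of allowed characters yet is still a printf directive, with a positional argument and a %hn write. The function names, the probe string and the constant "%s" format used as the fix are assumptions of this example, not the level's code.

```c
/* Added example, not from the Vortex 13 write-up. The page states that the
 * input is at most 0x14 bytes and drawn from 'A-Za-z0-9%.$'. This program
 * shows that such a whitelist still admits printf directives (including
 * %n/%hn with positional '$' arguments), so the only real fix is to never
 * use untrusted data as the format argument. Names here are assumptions. */
#include <stdio.h>
#include <string.h>

#define MAX_INPUT 0x14   /* from the write-up: 20 bytes of input */

static const char ALLOWED[] =
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789%.$";

/* Mirror of the level's whitelist: 1 if the length fits and every byte is
 * in ALLOWED, 0 otherwise. */
int passes_whitelist(const char *s)
{
    size_t len = strlen(s);
    if (len == 0 || len > MAX_INPUT)
        return 0;
    for (size_t i = 0; i < len; i++)
        if (strchr(ALLOWED, s[i]) == NULL)
            return 0;
    return 1;
}

/* Count printf conversion directives in s, treating "%%" as a literal.
 * Positional '$', flags, width, precision and length modifiers are skipped
 * so that "%114$hn" counts as one directive. */
int count_format_directives(const char *s)
{
    int n = 0;
    for (const char *p = s; *p; p++) {
        if (*p != '%')
            continue;
        if (p[1] == '%') { p++; continue; }                 /* literal percent */
        p++;
        while (*p && strchr("0123456789$.-+ #'*", *p)) p++; /* pos/flags/width/prec */
        while (*p && strchr("hlLqjzt", *p)) p++;            /* length modifier */
        if (!*p)
            break;                                          /* dangling '%' */
        if (strchr("diouxXeEfFgGaAcspn", *p))              /* conversion char */
            n++;
    }
    return n;
}

/* Hardened pattern: a constant format, with the input only ever passed as an
 * argument. The level's bug is the opposite shape, effectively printf(buf),
 * which lets the input select conversions and write through %n. */
void echo_safe(const char *input)
{
    printf("%s\n", input);
}

/* Policy check a defender would actually want: the charset alone is not a
 * safety property, so also require that no directive is present. Returns 1
 * when the input is safe to hand to format-string-taking APIs. */
int input_is_safe_for_format(const char *s)
{
    return passes_whitelist(s) && count_format_directives(s) == 0;
}

int main(void)
{
    const char *probe = "%5$hn";   /* constructed: allowed chars, still a directive */
    printf("whitelist=%d directives=%d safe=%d\n",
           passes_whitelist(probe), count_format_directives(probe),
           input_is_safe_for_format(probe));
    echo_safe(probe);               /* prints the probe literally, harmlessly */
    return 0;
}
```

Compile with -Wformat-security to have the compiler flag any call where a non-literal ends up as the format argument; that warning, not the whitelist, is what catches the pattern this level exploits.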

exploit

and...

Proxied content from gemini://0x80.org/gemlog/2014-09-25-vortex-13.gmi.