¶ 2025-03-07 - Buffer Overflow / Ropchain
¶ Overview
Date: 2025-03-07
Time: 6pm-##:##pm
Location: GH224
Host: Zack Sargent
¶ Meeting Content
Today, we're going to prepare and practice binary exploitation and reverse engineering.
Want to get really good at this?
- Here's an outline of all the things you need to learn.
- Here's an outline of all of Cyber Security
We are barely scratching the surface today.
¶ Download tools
First, download Ghirda or Binary Ninja. I recommend Binary Ninja.
- Download Ghidra
- Download Binary Ninja (not great for Challenge 1)
¶ Challenges
Our goal here is to practice decompiling a binary, and understanding how it works.
This is a very common set of tools to know for CTFs.
These challenges get progressively harder.
¶ Challenge 1 (crackmes.one : "Loz's Password Login")
(We did this on 2025-02-07)
Download the Binary Binary Ninja is bugged, and doesn't work for this one. Use Ghidra instead.
This challenge is from crackmes.one.
All .zip files download from this website will have the password crackmes.one.
Your goal is to download the binary, understand how it works, and then get the output "Login successful".
I now recommend using Binary Ninja, although my old solution uses Ghidra.
Stuck? Check out the solution here!
https://crackmes.one/static/solution/6295179a33c5d45b75903bcc.zip
¶ Challenge 2 (kablaa/CTF-Workshop : "BOF2")
Your goal is to download the binary, understand how it works, and then get the output "you win!".
Procedure:
- Download the binary (above)
- Analyze the decompiled code with Binary Ninja
- Figure out how to exploit this code by writing a script with pwntools
- Hints: Buffer Overflow,
p32(addr),sendline()
- Hints: Buffer Overflow,
It is recommended that you write a script with pwntools to get the output.
This is the more general approach, which would work even if the binary was accesible over a server.
Patching the binary is the easy way out.
Stuck? Check out the solution here!
¶ Challenge 3 (CyberSword : "Ropchain 1") Optional
Learn about RopChain from CyberSword: https://ctf.nkcyber.org/ropchain-1/ (GitHub)
This is useful if you're not familiar with RopChains, and want to work through a simple example.
Stuck? Ask Zack for help.
¶ Challenge 4 (BearcatCTF : "Calling Convention")
Prompt:
You've almost got a good grasp on this. Time to think past your function variables.
Make Mudge proud
Files:
Stuck? Check out the solution here!
¶ Attendance
TBD