Article Index


Before we exploit, let's look at what protections are enabled on this binary:


$ checksec beatmeonthedl
[*] '/home/franklin/defcon/babys_first/beatmeonthedl/beatmeonthedl'
    Arch:     amd64-64-little
    RELRO:    No RELRO
    Stack:    No canary found
    NX:       NX disabled
    PIE:      No PIE (0x400000)


Absolutely nothing is enabled. Almost a shame really. This means we have no need for that print function, since we don't actually need to leak anything. There are many approaches you could take to exploit it from here. Since NX is disabled and the binary isn't PIE, I figured the easy win would be to do the following:


  1. Write shellcode into some place in the .bss section
  2. Overwrite a function's GOT entry (I chose memset for convenience)
  3. Done


To do these overwrites, simply line up the pointers in your second call to edit the note, then use the appropriate indexes.


My full exploit can be found here.


# The flag is: 3asy p33zy h3ap hacking!!