Class 13: Manufacturing Leaks

So today I'd like the daily PWN to essentially be the lecture.

Let's do NON EXECUTABLE STACK from https://247ctf.com/dashboard (under PWNABLES).

The key lessons to play with today are the following:

• You can use your ROP chain to take a second pass
• The PLT table (elf.plt) is a menu of library functions to call
• The GOT table (elf.got) has glibc addresses ready to go for us
• Once we have a known leak we can ret 2 libc

Here the constraints are that we have no-PIE (or an address leak), and a classic ROP-chain setup.

The Auto-PWNer

So now I'll show you a cute thing we built two semesters ago:

Here I'd like to show you how the GOT segment is being cleverly used.