CSAW CTF Qualification Round 2013 - Exploitation 200 Writeup
The task gave us a binary which had a classic buffer overflow vulnerability but with a sort of canary protection. The vulnarability was in handle() function here:
recv(fd, &buf, 0x1000u, 0);
The canary was generate randomly with a time() as seed, so bruteforce is not the way. But just have a look at the source for get it:
v1 = time(0); srand(v1); v2 = rand(); secret = v2; v6 = v2; *(_DWORD *)&buf = &buf; send(fd, &buf, 4u, 0); send(fd, &v6, 4u, 0);
As you can see the program provide the canary itself writing v6 on the socket. So now just exploiting, here is the code:
The shellcode is a common reverse shell that backconnect to your machine on the port you specified. But this is not enough infact if you tried the server will not backconnect this because you have to loop it till it backconnects.