PwnCollege - IS ECB-to-Shellcode (hard)

Post author: vkkkv
Post link: <a href="https://vkkkv.github.io/wp/PwnCollege/PwnCollege-is-ecb-to-shellcode-hard/" title="PwnCollege - IS ECB-to-Shellcode (hard)">https://vkkkv.github.io/wp/PwnCollege/PwnCollege-is-ecb-to-shellcode-hard/
Copyright Notice: All articles in this blog are licensed under <span class="exturl" data-url="aHR0cHM6Ly9jcmVhdGl2ZWNvbW1vbnMub3JnL2xpY2Vuc2VzL2J5LW5jLXNhLzQuMC8="> BY-NC-SA unless stating additionally.

Posted on 2026-03-20 In ctf Views: Disqus:

同 easy 版本的 ECB oracle + shellcode 注入，但没有 stack dump，需要手动逆向 offset。

Analysis

1	r2 -A -q -c "pdf @ sym.challenge" /challenge/vulnerable-overflow

关键溢出点：

; plaintext struct 起始于 s1 = rbp - 0x70
│           0x004016d3      lea rsi, [s1]           ; rbp - 0x70
; message buffer = s1 + 0x10 (跳过 header + length)
│           0x004016d7      add rsi, 0x10           ; rbp - 0x60
; buffer overflow
│           0x004016e1      call sym.imp.EVP_DecryptUpdate

message buffer: rbp - 0x60
saved rip: rbp + 0x08
offset = 0x60 + 0x08 = 104 bytes (与 easy 版本相同)

Exploit 完全相同，只需对应修改 buffer 地址即可。实际上因为栈地址固定且相同，exploit 代码可以直接复用。