Skip to content

Latest commit

 

History

History

chessanalyzer

Folders and files

NameName
Last commit message
Last commit date

parent directory

..

public

public

 
 

setup

setup

 
 

sol

sol

 
 

README.md

README.md

 
 

docker-build.sh

docker-build.sh

 
 

docker-run.sh

docker-run.sh

 
 

README.md

Chessanalyzer

Category: pwn

Author: R3D

Description

Beth had to always write down every move in order to later analyze and improve her game.

We took care of the analysis part. Our software analyzes your moves to help you improve as fast as possible.

Points

150

Solution

Reveal Spoiler

Vulnerability

  1. It provides an information leak opportunity when the move.color pointer is overwritten and the album name is printed.
  2. It provides a write what where primitive when the move.color pointer is overwritten and input is provided to the second prompt.

Exploit

  1. Leak the address of puts@got
  2. Get EIP control
  3. Identify libc and gather offsets
  4. Overwrite puts@got with system

A solution that performs the above steps is provided in sol.py

Run against local docker container
python2.7 sol.py HOST=localhost

Run against CyberRanges (IP might change, so adjust the value of the HOST parameter))
python2.7 sol.py R HOST=192.168.125.11

Run against local binary
python2.7 sol.py