Sheet 2
General Information
Make sure you have read and understood everything in Exercise Requirements and Grading Guidelines!
Remember to put a block comment at the beginning of the solution file for each task, describing the vulnerability (including relevant addresses or instructions) and your general plan how to exploit it.
The deadline for this sheet is 2026-05-17 22:00:00 UTC
Task 5 – Shellter your code! (4 Points)
We finally removed the unnecessary code that you might have found in the previous task!
Is our new binary shellter_your_code still exploitable?
Again, edit the provided solution template to make it exploit the binary and print (only) the flag!
Your solution should execute like this:
Task 6 – Leak (8 Points, individual Task)
In this task we enabled all the nice exploit mitigations (see for yourself with checksec [1])!
Try to exploit the binary with information that you extract “forcefully” from the binary!
Once again, edit the provided solution template to exploit the binary leak and print (only) the flag!
Your solution should execute like this:
Hints:
- Do not hardcode addresses. GDB disables ASLR. It’s a trap!
- How can you prevent random null bytes from messing up your exploit?
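The mitigation flags that checksec reports for these binaries can be read directly from the ELF headers. The following Python script is an added example, not checksec.sh and not part of the exercise material: it reports PIE, NX, RELRO and stack canary for a little-endian ELF64 file using the same structures checksec.sh consults through readelf (e_type, PT_GNU_STACK, PT_GNU_RELRO plus BIND_NOW in the dynamic section, and a reference to __stack_chk_fail). The header-only ELF builder at the end is a constructed test input, not a loadable program, so the checker can be exercised without a real binary.

```python
"""Report the exploit mitigations an ELF64 binary was built with.

Added example for this sheet; it is not checksec.sh and not part of the
exercise material. The checks mirror what checksec.sh derives from readelf.
"""
import struct
import sys

# ELF constants (values from the ELF specification / elf.h)
ET_EXEC, ET_DYN = 2, 3
PT_DYNAMIC, PT_GNU_STACK, PT_GNU_RELRO = 2, 0x6474E551, 0x6474E552
PF_X = 0x1
DT_NULL, DT_BIND_NOW, DT_FLAGS, DT_FLAGS_1 = 0, 24, 30, 0x6FFFFFFB
DF_BIND_NOW, DF_1_NOW = 0x8, 0x1


def check_mitigations(data: bytes) -> dict:
    """Return {'pie', 'nx', 'relro', 'canary'} for a little-endian ELF64 image."""
    if data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        raise ValueError("expected a little-endian ELF64 file")
    e_type = struct.unpack_from("<H", data, 16)[0]
    e_phoff = struct.unpack_from("<Q", data, 32)[0]
    e_phentsize, e_phnum = struct.unpack_from("<HH", data, 54)

    stack_flags = None      # None means PT_GNU_STACK is absent
    has_relro = False
    bind_now = False
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        p_type, p_flags, p_offset, _, _, p_filesz = struct.unpack_from("<IIQQQQ", data, off)
        if p_type == PT_GNU_STACK:
            stack_flags = p_flags
        elif p_type == PT_GNU_RELRO:
            has_relro = True
        elif p_type == PT_DYNAMIC:
            # Walk the (d_tag, d_val) pairs of the dynamic section until DT_NULL.
            pos = p_offset
            while pos + 16 <= p_offset + p_filesz:
                d_tag, d_val = struct.unpack_from("<qQ", data, pos)
                if d_tag == DT_NULL:
                    break
                if (d_tag == DT_BIND_NOW
                        or (d_tag == DT_FLAGS and d_val & DF_BIND_NOW)
                        or (d_tag == DT_FLAGS_1 and d_val & DF_1_NOW)):
                    bind_now = True
                pos += 16

    if not has_relro:
        relro = "none"
    elif bind_now:
        relro = "full"       # GOT is read-only once the loader resolved everything
    else:
        relro = "partial"    # lazily resolved GOT entries stay writable

    return {
        # ET_DYN means position independent; a shared library reports the same.
        "pie": e_type == ET_DYN,
        # NX requires a PT_GNU_STACK header without the executable bit.
        "nx": stack_flags is not None and not (stack_flags & PF_X),
        "relro": relro,
        # Heuristic (as in checksec.sh): a protected binary references __stack_chk_fail.
        "canary": b"__stack_chk_fail" in data,
    }


def make_sample_elf(pie: bool, nx, relro: str, canary: bool) -> bytes:
    """Construct a header-only ELF64 image for testing (constructed input, not loadable).

    nx=None omits PT_GNU_STACK entirely; relro is 'none', 'partial' or 'full'.
    """
    phdrs, dyn = [], []
    if nx is not None:
        phdrs.append((PT_GNU_STACK, 0x6 if nx else 0x7))
    if relro != "none":
        phdrs.append((PT_GNU_RELRO, 0x4))
        dyn.append((DT_FLAGS, DF_BIND_NOW if relro == "full" else 0))
    dyn.append((DT_NULL, 0))
    nph = len(phdrs) + 1                        # +1 for the PT_DYNAMIC header
    dyn_off = 64 + 56 * nph                     # dynamic section follows the phdrs
    dyn_bytes = b"".join(struct.pack("<qQ", t, v) for t, v in dyn)
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\x00" * 8
    header = struct.pack("<16sHHIQQQIHHHHHH", ident, ET_DYN if pie else ET_EXEC, 0x3E, 1,
                         0, 64, 0, 0, 64, 56, nph, 64, 0, 0)
    body = b"".join(struct.pack("<IIQQQQQQ", t, f, 0, 0, 0, 0, 0, 8) for t, f in phdrs)
    body += struct.pack("<IIQQQQQQ", PT_DYNAMIC, 0x6, dyn_off, 0, 0,
                        len(dyn_bytes), len(dyn_bytes), 8)
    return header + body + dyn_bytes + (b"__stack_chk_fail\x00" if canary else b"")


if __name__ == "__main__":
    for path in sys.argv[1:]:
        with open(path, "rb") as f:
            print(path, check_mitigations(f.read()))
```

Invoked with one or more binary paths as arguments it prints one dictionary per file. The canary check is a byte-string heuristic, the same shortcut checksec.sh takes by looking for the `__stack_chk_fail` symbol; a binary that was compiled with a canary but stripped of that reference would be misreported, so treat it as an indicator rather than proof.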
Task 7 – Forking Server (12 Points)
In this task we enabled all the nice exploit mitigations (see for yourself with checksec)!
Try to exploit the forkingserver with all the know-how you got!
Edit the provided solution template to exploit the binary forkingserver and print (only) the flag!
Hint: This time you have to brute-force, twice! 😎
Your solution should execute like this:
Task 8 – ROP ROP ROP ROP ROP (8 Points)
This time there are two binaries: vuln and execute_me_with_rop.
There is a simple vulnerability in vuln.
Your task is to build a ROP chain that executes execute_me_with_rop so that it prints the flag.
Use the execve system call and prepare all necessary arguments accordingly.
You must not use pwntools' pwnlib.shellcraft for this exercise!
You must also not just execve("/bin/sh -c './execute_me_with_rop arg1 arg2'") for the execution of execute_me_with_rop!
Once again, edit the provided solution template and explain your approach with meaningful comments!
Your solution should execute like this:
Hints:
- Here is a C program which executes execute_me_with_rop to print the flag:
- Have a look at the Hello-World ROP chain in order to build your ROP chain
- Make sure you look for gadgets in the container’s libc!
- Either use the helpful function we provided or try out a tool like ROPgadget, which you can find pre-installed in the container
[1] https://github.com/slimm609/checksec.sh, available in the isolation container, possibly also available from your local package manager