Letssplitturtles.part02.rar (2024)

: Using the leak obtained previously, the payload had to account for specific register offsets. Payload Structure :

: A 64-byte ( 0x40 ) buffer of null bytes provided a safe landing zone for the program's internal processing. LetsSplitTurtles.part02.rar

This write-up covers the second part of the challenge from CSAW CTF, focusing on the exploitation of a recursive data structure to achieve code execution. Challenge Overview : Using the leak obtained previously, the payload

The "Turtles" challenge involved a program that processed nested structures (turtles). Each "turtle" contained pointers to other turtles, creating a complex chain. The objective for Part 2 was to transition from the initial memory leak (achieved in Part 01) to a controlled "magic gadget" execution. Technical Analysis Technical Analysis The exploit was verified using to

The exploit was verified using to step through the turtle traversal logic. A critical finding during this phase was that the RBP (Base Pointer) register did not land at the expected offset, requiring a slight adjustment to the slack space to ensure the magic gadget was reached successfully.