Binary Exploitation with Time Guessing

Investigation

./example

Guess the number: 1111
You losed. The correct answer is 1475693029

Guess the number: 12345678
You losed. The correct answer is 8246712747

If we find a binary that asks us to guess the correct time (or time-base number), we can bypass it using a Pipe in command line.

Exploitation

# tr -dc '0-9': Extract the correct number provided by the binary.
echo 1234 | ./example | tr -dc '0-9' | ./example

The above payload inputs ‘1234’ at first, then the binary returns the correct number. tr command extracts this number and passes it the second execution of the binary. As the binary depends on the time, so we can bypass the program by passing the previous answer instantly.

PreviousBinary Exploitation with Race Conditions NextExploitation

Last updated 1 year ago