Skip to content
Permalink
Branch: master
Find file Copy path
Find file Copy path
Fetching contributors…
Cannot retrieve contributors at this time
73 lines (51 sloc) 2.17 KB

Binary Exploitation, Overflow 0

Hi everyone, today I am going to present my resolution method for the challenge "Overflow 0" of picoCTF. at first, I will do my manipulation locally, then do it in the shell part of the ctf after preparing the environment in which I will perform my manipulations, I'm ready!

the files give for this challenge are a binary [ELF 32-bit LSB executable] and the source of the binary in c. Source c:

#include <stdlib.h>
#include <string.h>
#include <signal.h>

#define FLAGSIZE_MAX 64

char flag[FLAGSIZE_MAX];

void sigsegv_handler(int sig) {
  fprintf(stderr, "%s\n", flag);
  fflush(stderr);
  exit(1);
}

void vuln(char *input){
  char buf[128];
  strcpy(buf, input);
}

int main(int argc, char **argv){
  
  FILE *f = fopen("flag.txt","r");
  if (f == NULL) {
    printf("Flag File is Missing. Problem is Misconfigured, please contact an Admin if you are running this on the shell server.\n");
    exit(0);
  }
  fgets(flag,FLAGSIZE_MAX,f);
  signal(SIGSEGV, sigsegv_handler);
  
  gid_t gid = getegid();
  setresgid(gid, gid, gid);
  
  if (argc > 1) {
    vuln(argv[1]);
    printf("You entered: %s", argv[1]);
  }
  else
    printf("Please enter an argument next time\n");
  return 0;
}

we can see that in the main function of the binary (main), the binary will open the flag.txt if we exceed the value of flag is 128 bytes. Let's test:

it's good, we can recover the real flag with the shell :D

And we have the flag ! :)

r3qPwn From SinHack. [Lucas R.]

You can’t perform that action at this time.