Skip to content
Permalink
Branch: master
Find file Copy path
Find file Copy path
Fetching contributors…
Cannot retrieve contributors at this time
91 lines (65 sloc) 3.18 KB

Binary Exploitation [ Buffer Overflow 1 ]

Hi everyone, today I am going to present my resolution method for the challenge "Overflow 1" of picoCTF. at first, I will do my manipulation locally, then do it in the shell part of the ctf after preparing the environment in which I will perform my manipulations, I'm ready!

for this challenge, we also have a file containing the source of the binary. (in language c) We also have the binary compiled, the binary is also an ELF 32-bit LSB here is the source in language c :

#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include "asm.h"

#define BUFFSIZE 64
#define FLAGSIZE 64

void flag() {
  char buf[FLAGSIZE];
  FILE *f = fopen("flag.txt","r");
  if (f == NULL) {
    printf("Flag File is Missing. please contact an Admin if you are running this on the shell server.\n");
    exit(0);
  }

  fgets(buf,FLAGSIZE,f);
  printf(buf);
}

void vuln(){
  char buf[BUFFSIZE];
  gets(buf);

  printf("Woah, were jumping to 0x%x !\n", get_return_address());
}

int main(int argc, char **argv){

  setvbuf(stdout, NULL, _IONBF, 0);
  gid_t gid = getegid();
  setresgid(gid, gid, gid);
  puts("Give me a string and lets see what happens: ");
  vuln();
  return 0;
}

we can see that the program has three functions. The main function (main) that will eventually call the function vuln. But, a function noted flag is sidelined. But this last one interests us because it contains the opening of the flag.

How are we going?

We know that the main function asks us for a string and the function will then call the function vuln which will printf get_return_address according to the string that we place in input. to start we'll look where the overflow starts

from 79 "A", the address changes. It goes from 0x8048705 to 0x414141. So we will place *76 "A"*and then put the address of the flag function. Eip will point to it and we will have the flag back. we are looking for the help of gdb the address of the flag function

gdb-peda$ p flag
$1 = {<text variable, no debug info>} 0x80485e6 <flag>

and we test everything :

henceforth we have our local flag! we can get the real on the ctf shell !

we have finished! :D

r3qPwn From SinHack [ Lucas R. ]

You can’t perform that action at this time.