Buffer Overflow 1 | PicoCTF done by Ishara Abeythissa

Ishara Abeythissa
4 min readAug 7, 2019


buffer overflow 1

Points: 200

Category

Binary Exploitation

Question

Okay now you’re cooking! This time can you overflow the buffer and return to the flag function in this program? You can find it in /problems/buffer-overflow-1_3_af8f83fb19a7e2c98e28e325e4cacf78 on the shell server. Source.

Hint

This time you’re actually going to have to control that return address! Make sure you consider Big Endian vs Little Endian.

Solution

Before looking at the source code, let’s run the program first.

As we can see, when we enter some input the program prints the return address it is about to jump back to:

0x80486b3

Let’s review the source code of this application, as given by the site:

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include "asm.h"   /* challenge-provided header; supplies get_return_address() */

#define BUFSIZE 32
#define FLAGSIZE 64

/* Never called by main(): reaching it is the goal of the challenge. */
void win() {
    char buf[FLAGSIZE];
    FILE *f = fopen("flag.txt", "r");
    if (f == NULL) {
        printf("Flag File is Missing. Problem is Misconfigured, please contact an Admin if you are running this on the shell server.\n");
        exit(0);
    }

    fgets(buf, FLAGSIZE, f);
    printf(buf);   /* flag contents used directly as the format string, as in the challenge source */
}

void vuln() {
    char buf[BUFSIZE];
    gets(buf);     /* no length check: input longer than 32 bytes overruns buf */

    printf("Okay, time to return... Fingers Crossed... Jumping to 0x%x\n", get_return_address());
}

int main(int argc, char **argv) {

    setvbuf(stdout, NULL, _IONBF, 0);

    gid_t gid = getegid();
    setresgid(gid, gid, gid);

    puts("Please enter your string: ");
    vuln();
    return 0;

}

The functions that matter here are win() and vuln(). main() prints a prompt and calls vuln(), which reads our input into a 32-byte buffer and then prints the address it will return to once it finishes. In C, strcpy(), strcat(), sprintf(), vsprintf() and gets() are the classic functions vulnerable to buffer overflow because none of them checks the size of the destination, and vuln() uses gets() to read into its array. So let’s overflow it :)

The return address has been overwritten with 0x41414141, which is the hex value of ‘A’ repeated four times. As long as we can find the correct amount of padding, we can control where the return pointer returns to.

We can use a De Bruijn sequence to find the padding we need: every 4-byte window of the sequence is unique, so whatever lands in the return address tells us exactly how far into the input it came from. We will use pwntools in Python.

Now we can use this string as input.

Now the application jumps to memory address 0x6161616c. First we convert the hex back into the 4 ASCII bytes that produced it. Remember that this is in little-endian format: p32() packs a 32-bit value into its 4-byte little-endian representation, so the lowest byte comes first.

Now we know the amount of padding required. Let’s test it again, with 44 ‘A’s, and another 4 ‘B’s. We should expect the address to show 0x41414141.
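To check the padding arithmetic above without pwntools, here is an added example (my own code, not from the original post or from pwntools) that builds the same De Bruijn pattern pwntools’ cyclic() produces, packs a 32-bit value little-endian the way p32() does, and looks those bytes up in the pattern. The lowercase alphabet and the window length of 4 are assumed to match pwntools’ defaults; the function names and the 100-character pattern length are my own choices.

```python
import functools
import struct

ALPHABET = "abcdefghijklmnopqrstuvwxyz"  # assumed: pwntools' default cyclic alphabet
N = 4                                    # window length: one 32-bit word


@functools.lru_cache(maxsize=None)
def de_bruijn(alphabet: str = ALPHABET, n: int = N) -> str:
    """De Bruijn sequence B(k, n): every n-character window occurs exactly once
    (classic FKM construction, which yields the same order as pwntools' cyclic())."""
    k = len(alphabet)
    a = [0] * (k * n)
    out = []

    def db(t: int, p: int) -> None:
        if t > n:
            if n % p == 0:
                out.extend(a[1:p + 1])
        else:
            a[t] = a[t - p]
            db(t + 1, p)
            for j in range(a[t - p] + 1, k):
                a[t] = j
                db(t + 1, t)

    db(1, 1)
    return "".join(alphabet[i] for i in out)


def cyclic(length: int) -> str:
    """First `length` characters of the pattern, i.e. what gets typed into the program."""
    return de_bruijn()[:length]


def p32(value: int) -> bytes:
    """Pack a 32-bit integer little-endian, like pwntools' p32()."""
    return struct.pack("<I", value)


def cyclic_find(value: int) -> int:
    """Offset in the pattern of the 4 bytes the program reported as its return
    address, or -1 if those bytes are not part of the pattern."""
    return de_bruijn().encode("ascii").find(p32(value))


def return_slot_value(data: bytes, offset: int) -> int:
    """What the saved return address becomes when `data` overruns the buffer and
    the return slot sits `offset` bytes past the start of the input (pure
    arithmetic on the bytes; no process is involved)."""
    return struct.unpack("<I", data[offset:offset + 4])[0]


if __name__ == "__main__":
    reported = 0x6161616C                      # address printed in the write-up
    print(cyclic(100))                         # aaaabaaacaaad...
    print(p32(reported))                       # b'laaa'
    print(cyclic_find(reported))               # 44
    print(hex(return_slot_value(cyclic(100).encode(), 44)))
```

The lookup shows why 44 is the number: 0x6161616c unpacks little-endian to the bytes ‘l’, ‘a’, ‘a’, ‘a’, and that window first appears 44 characters into the pattern, so 44 bytes of input sit between the start of buf and the saved return address.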

Now we have found the limit of the buffer and the way to overflow it.

Let’s use this payload to return to the win() function in this application.

The payload is created; now let’s overflow it :)

It worked. Now we go to the remote shell and try it against the original application.

We got flag :)

Hope you enjoy and keep in touch for more stack & heap overflow articles.

Happy hacking :)
