PicoCTF 2014 Write-ups

Overflow 1 - 50 (Binary Exploitation)

Writeup by NielsKornerup

Created: 2014-11-10 23:12:49

Last modified: 2014-11-17 20:58:07

Problem

This problem has a buffer overflow vulnerability! Can you get a shell, then use that shell to read flag.txt? You can solve this problem interactively here, and the source can be found here.

Hint

Can you overflow into the 'secret' variable?

Answer

Overview

Exploit a simple buffer overflow.

Details

What is a buffer overflow?

A buffer overflow is a simple but dangerous exploit of a program. For the purpose of discussion, let us take the following piece of code:

char buf[16];
strcpy(buf, input);

Seems simple right? The code simply takes our input, splits it into characters, and stores each character in an index of buff. But what happens if we input more than 16 characters? In C, the program will start writing your input to memory beyond the bounds of the array. We can use this to write to variables and in future problems, even change the flow of the program.

Let's get started! If you open the interactive problem solver, you should see a window to the bottom of the page that displays the layout of memory for the program. This is called the stack. If you look carefully, you will see that the memory address for secret is right above the buffer on the stack. This means, using the concept that we talked about earlier, we can simply write A 16 times so that the program starts writing to memory beyond the bounds of the buffer and then 4 more characters to change the value of secret.

As you enter the As, notice that the buffer fills from right to left. Once you have filled the buffer with (16) As, it is time to modify the value of secret.Now we face a problem: secret is an eight digit hex number while it only takes up for slots in the program's memory. Notice how our buffer is filled with 16 values that each are 41. This is because this program's memory is stored using hexadecimal (abbreviated hex) character values. To find the correct characters we can use \x followed by the two digit hex value of the number. Lets try using this to change the value of secret to 0xc0deface, giving us

AAAAAAAAAAAAAAAA\xc0\xde\xfa\xce.

When we run this, the program returns The secret is cefadec0 which is backwards. This is because our input is in Big Edian, not Little Edian which is what the shell server uses. See the problem This is the Endian for more detail.

Let's convert this number to Little Edian (by reversing the order of the hex values) and try again. This is our new exploit:

AAAAAAAAAAAAAAAA\xce\xfa\xde\xc0

Which gives us the shell! Now that we have the shell, all we need to do is run

cat flag.txt

and we get our flag!

Flag

ooh_so_critical