Pwnable.kr — bof
What’s going on aspiring hackers, this is shellbreak, and today we’ll be doing a simple buffer overflow (bof) challenge from :
pretty straightforward challenge, we have the vulnerable C code and the compiled binary.
Breaking down the code:
Looking at the code:
looks pretty simple code, which contains two functions,
the main function and a function named func().
The main() basically calls the function func() giving key the value of 0xdeadbeef.
The func() function takes a variable as a parameter called key, and starts by creating a variable named overflow mewhich is nothing but a string with a length of 32-bytes, then it prints “overflow me :“ to the console and gets input from the user withgets()function. After that, it compares the key variable to the value 0xcafebabe, if the value of the key is equal to 0xcafebabe (in this case, it’s not going to be), then it spawns a shell, otherwise, it just prints “Nah..” to the console and then exits.
Examining the Binary, Exploitation:
First, let’s run the binary and give it a simple string to see what’s going to happen:
and we got “Nah..” message, now let’s try to run it again but this time I’ll give it a longer string to see what’s going to happen ;)
And we got “*** stack smashing detected ***” message, and then the binary crashed.
Important things to notice here, we don’t want to overwrite the EIP value here, all we need to do is to change the value of the variable key. So giving the program a pattern and finding the offset won’t help because we need to know where 0xdeadbeef is located on the stack.
Now it’s time for gdb. I started gdb and set a breakpoint at the beginning of the main function (break main), then I started the program with run
It stopped at the breakpoint we set. Now we need to disassemble the function func with the command disas func :
we can see the cmpl (Compare Logical) instruction at the address 0x56555654
0x56555654 <+40>: cmpl $0xcafebabe,0x8(%ebp)
let’s set a breakpoint right before it:
Now let’s run the program again with run command, and continue the execution with the command continue :
I gave it a short input because we don’t need to crash it and overwrite stuff on the stack, we just need to look at the stack during a normal execution to locate 0xdeadbeef.
After hitting the second breakpoint let’s look at the stack :x/40wx $esp
As you can see 0xdeadbeef appears in the row right after 0xffffcef0 , and our input appears in the last row in front of 0xffffceb0 , now we need to calculate the distance between our input and 0xdeadbeef to overwrite it with the key value to spawn the shell, and as you can see we got 52 bytes(starting from the last row in front of 0xffffceb0 until the row where 0xdeadbeef is stored ) to fill until we get to the address where 0xdeadbeef is stored to overwrite it, so I’m going to use python pwntools to create the exploit and spawn the shell.
pretty simple exploit but, it’s going to give us shell access on the box, thus read the flag.
Breaking down the exploit code:
- The first statement is just to tell the shell which interpreter to use to run this script
- In the second statement, we import the pwn library to use its functions in our exploit
- The
payloadvariable contains the data we’ll be sending to the binary: it’s nothing but a string that contains 52 As and the value we want to overwrite0xdeadbeefwith. (Note: it’s written in little-endian format) - The
shellvariable is to initiate communication between us and the host. - Then we send the payload with the
send()function - Finally, we get an interactive shell with
interactive().
Now comes the fun part, let’s test our exploit and see if we can get a shell on the box:
And indeed we got a shell on the box and the flag is:
daddy, I just pwned a buFFer :)
And that was the challenge, I hope you guys enjoyed it, hopefully, I’ll be making more write-ups aboutBuffer overFlow andHackTheBox retired machines.
Feedback is appreciated!!
Twitter: https://twitter.com/0xShellbr3ak
Github: https://github.com/shellbr3ak
