Info

  • Question: Buffer overflow 0
  • From: picoCTF Binary Exploitation
  • Difficulty: 100 points

Challenge

Let's start off simple, can you overflow the correct buffer?

Additional details will be available after launching your challenge instance.

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <signal.h>
#include <unistd.h>   /* getegid(), setresgid() */

#define FLAGSIZE_MAX 64

char flag[FLAGSIZE_MAX];

/* Runs when the process receives SIGSEGV: prints the flag and exits. */
void sigsegv_handler(int sig) {
    printf("%s\n", flag);
    fflush(stdout);
    exit(1);
}

/* Copies user-controlled input into a 16-byte stack buffer with no length
 * check, so anything longer than that overwrites the adjacent stack. */
void vuln(char *input) {
    char buf2[16];
    strcpy(buf2, input);
}

int main(int argc, char **argv) {
    FILE *f = fopen("flag.txt", "r");
    if (f == NULL) {
        printf("%s %s", "Please create 'flag.txt' in this directory with your",
               "own debugging flag.\n");
        exit(0);
    }
    fgets(flag, FLAGSIZE_MAX, f);
    signal(SIGSEGV, sigsegv_handler); // Set up signal handler
    gid_t gid = getegid();
    setresgid(gid, gid, gid);
    printf("Input: ");
    fflush(stdout);
    char buf1[100];
    gets(buf1);   /* unbounded read into a 100-byte buffer */
    vuln(buf1);
    printf("The program will exit now\n");
    return 0;
}

Solution

Idea

Looking at the code, the flag is printed only when the program receives SIGSEGV, which happens only on a segmentation fault. So at lines 40 - 41 I entered a large number of characters, aiming to overwrite something that should not be overwritten.

(Screenshot: BufferOverflow0Solution)

As the screenshot above shows, the flag obtained is picoCTF{ov3rfl0ws_ar3nt_that_bad_ef01832d}
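For contrast, here is an added example (not part of the original write-up or the picoCTF source) showing how the challenge's vuln() could be written so that the oversized input is rejected instead of overflowing the 16-byte buffer; the function names vuln_safe and read_and_copy are my own.

```c
/* Added example: a length-checked replacement for the challenge's vuln(),
 * which copies input into a 16-byte stack buffer with strcpy() and no check. */
#include <stdio.h>
#include <string.h>

#define BUF2_SIZE 16   /* same size as buf2 in the challenge's vuln() */

/* Copies input into out only if it fits, NUL terminator included.
 * Returns 1 on success, 0 if the input would overflow and was rejected. */
int vuln_safe(const char *input, char *out, size_t out_size)
{
    size_t len = 0;
    /* Bounded scan: never look further than out_size bytes into input. */
    while (len < out_size && input[len] != '\0')
        len++;
    if (len >= out_size) {
        /* No room for the terminator, so a copy would write past out.
         * Reject explicitly rather than truncate silently. */
        out[0] = '\0';
        return 0;
    }
    memcpy(out, input, len + 1); /* len + 1 includes the NUL */
    return 1;
}

/* Reads one line with fgets() instead of gets(), so the read itself is
 * bounded by the line buffer, then hands it to the checked copy. */
int read_and_copy(FILE *in, char *out, size_t out_size)
{
    char line[100];
    if (fgets(line, sizeof line, in) == NULL)
        return 0;
    line[strcspn(line, "\n")] = '\0'; /* drop the trailing newline, if any */
    return vuln_safe(line, out, out_size);
}

int main(void)
{
    char buf2[BUF2_SIZE];
    printf("Input: ");
    fflush(stdout);
    if (read_and_copy(stdin, buf2, sizeof buf2))
        printf("Copied \"%s\" safely\n", buf2);
    else
        printf("Input rejected: longer than %d bytes\n", BUF2_SIZE - 1);
    return 0;
}
```

With this version the long input from the write-up never reaches the stack buffer, so there is no segmentation fault and the SIGSEGV handler is never triggered.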