Overflow In The Fl4gtory

Description

Overflow in the fl4gtory | 119 points

A pipe in the fl4gtory broke and now everything is overflowing! Can you get to the shutoff() valve and shut the pipe off?

This is the first challenge in the pwn intro series

ncat --ssl overflow-in-the-fl4gtory-0.chals.kitctf.de 1337

Downloads: overflow-in-the-fl4gtory.tar.gz

Analysis

The challenge is the simplest form of ret2win: a stack buffer overflow plus a win function that is already in the binary.

#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>  // execve

// gcc -no-pie -fno-stack-protector -o overflow-in-the-fl4gtory overflow-in-the-fl4gtory.c

// The "win" function: never called by main, we have to get here ourselves.
void shutoff() {
	printf("Pipe shut off!\n");
	printf("Congrats! You've solved (or exploited) the overflow! Get your flag:\n");
	execve("/bin/sh", NULL, NULL);
}


int main() {
	char buf[0xff]; // 0xFF == 255
	gets(buf);      // no length limit: reads until newline, past the end of buf
	puts(buf);
	return 0;
}

-no-pie means the binary is loaded at a fixed address, so the address of shutoff we read locally is the same on the remote (which runs the same binary). -fno-stack-protector disables the stack canary, so the overflow can reach the saved return address without the program aborting.

To overflow the buffer we need more than 255 bytes. gets() keeps writing past the end of buf, over the saved RBP and into the saved return address; when main returns, that value is popped into RIP (the x64 instruction pointer). If we overwrite it with the address of shutoff, we "win".

Let's find the padding, i.e. the number of bytes from the start of buf to the saved return address. The buffer is 0xff bytes, but the compiler may pad the frame, so the offset has to be measured rather than assumed.

Note: clip sends output to the clipboard; it is an alias: alias clip="xclip -sel clip"

Now we need the address of shutoff.

This can also be found with gdb (gdb ./program -> info functions) or radare2 (r2 ./program -> aaa -> afl).

Solution
