buffer-overflow-0
Problem Description
AUTHOR: ALEX FULTON / PALASH OSWAL
Description
Smash the stack
Let’s start off simple, can you overflow the correct buffer?
The program is available here.
You can view source here.
And connect with it using:
nc saturn.picoctf.net 53935 **
Write Up
The provided file vuln.c contains the C code running on the server, and the file vuln contains an executable version of the program.
The two important parts of the code are the vuln and main functions, shown below.
/* Includes and definitions reconstructed from the parts of vuln.c the writeup omits;
   the flag buffer, FLAGSIZE_MAX and sigsegv_handler are referenced by main below. */
#define _GNU_SOURCE          /* exposes setresgid() on glibc */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <signal.h>
#include <unistd.h>
#include <sys/types.h>

#define FLAGSIZE_MAX 64

char flag[FLAGSIZE_MAX];

/* Runs when the overflow crashes the program: prints the flag and exits. */
void sigsegv_handler(int sig) {
    printf("%s\n", flag);
    fflush(stdout);
    exit(1);
}

void vuln(char *input) {
    char buf2[16];
    strcpy(buf2, input);   /* no length check: input longer than 15 chars overflows buf2 */
}

int main(int argc, char **argv) {
    FILE *f = fopen("flag.txt", "r");
    if (f == NULL) {
        printf("%s %s", "Please create 'flag.txt' in this directory with your",
               "own debugging flag.\n");
        exit(0);
    }
    fgets(flag, FLAGSIZE_MAX, f);
    signal(SIGSEGV, sigsegv_handler); // Set up signal handler
    gid_t gid = getegid();
    setresgid(gid, gid, gid);
    printf("Input: ");
    fflush(stdout);
    char buf1[100];
    gets(buf1);            /* unbounded read: nothing limits how much is written into buf1 */
    vuln(buf1);
    printf("The program will exit now\n");
    return 0;
}
The program reads user input with gets into a 100-byte buffer, without validating its length.
It then passes that buffer to the vuln function.
The vuln function creates a 16-byte buffer and copies the input into it with strcpy, which performs no bounds check.
If the user input is long enough to overflow that buffer, the program crashes, and the SIGSEGV handler set up in main prints the flag.
This can be done by passing 16 characters and then several more for good measure, as seen below.
Input: aaaaaaaaaaaaaaaaaaaa
[REDACTED]
This will cause the program to print the flag and exit.
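For contrast, here is an added example (not part of the writeup or of the picoCTF vuln.c source) showing how the two unsafe calls, gets(buf1) and strcpy(buf2, input), would be replaced by bounded reads and copies that reject or report over-long input instead of writing past the buffer. The names vuln_safe, read_line_bounded, demo and check_read_line, and the sample inputs, are assumptions made for this illustration.

```c
/* Added example: hardened counterparts to the challenge's gets()/strcpy() pair.
 * vuln_safe, read_line_bounded, demo and check_read_line are illustrative names. */
#include <stdio.h>
#include <string.h>

#define BUF2_SIZE 16

/* Bounded replacement for strcpy(buf2, input): copies only if the input
 * (including its NUL terminator) fits in dst. Returns 0 on success and -1 if
 * the copy would overflow, instead of smashing the stack. */
int vuln_safe(char *dst, size_t dst_size, const char *input) {
    size_t len = strlen(input);
    if (len >= dst_size) {
        return -1;
    }
    memcpy(dst, input, len + 1);   /* len + 1 also copies the terminator */
    return 0;
}

/* Bounded replacement for gets(buf1): reads at most size-1 bytes with fgets,
 * strips the trailing newline and drains any leftover of an over-long line so
 * the next read starts fresh. Returns 0 on success, 1 if the line was longer
 * than the buffer (and was truncated), -1 on EOF or read error. */
int read_line_bounded(char *buf, size_t size, FILE *in) {
    if (fgets(buf, (int)size, in) == NULL) return -1;
    size_t len = strlen(buf);
    if (len > 0 && buf[len - 1] == '\n') {
        buf[len - 1] = '\0';
        return 0;
    }
    int c;
    int truncated = 0;
    while ((c = fgetc(in)) != EOF && c != '\n') truncated = 1;
    return truncated;
}

/* Runs vuln_safe on two constructed inputs (15 chars, which fits, and the
 * writeup's 20-char overflow input) and returns how many were rejected. */
int demo(void) {
    char buf2[BUF2_SIZE];
    int rejected = 0;
    const char *fits = "aaaaaaaaaaaaaaa";            /* 15 chars + NUL = 16 bytes */
    const char *too_long = "aaaaaaaaaaaaaaaaaaaa";   /* 20 chars: would overflow */
    if (vuln_safe(buf2, sizeof buf2, fits) != 0) rejected++;
    if (vuln_safe(buf2, sizeof buf2, too_long) != 0) rejected++;
    return rejected;   /* 1: only the 20-char input is refused */
}

/* Self-check for read_line_bounded on a constructed in-memory stream: a
 * 120-char line followed by "short". Returns 1 if the first read reports
 * truncation and the second read still yields "short" intact. */
int check_read_line(void) {
    FILE *in = tmpfile();
    if (in == NULL) return 0;
    for (int i = 0; i < 120; i++) fputc('a', in);
    fputs("\nshort\n", in);
    rewind(in);
    char buf[100];
    int first = read_line_bounded(buf, sizeof buf, in);
    int second = read_line_bounded(buf, sizeof buf, in);
    fclose(in);
    return first == 1 && second == 0 && strcmp(buf, "short") == 0;
}

int main(void) {
    char buf1[100];
    printf("Input: ");
    fflush(stdout);
    int rc = read_line_bounded(buf1, sizeof buf1, stdin);
    if (rc < 0) return 1;
    if (rc == 1) printf("input truncated to %zu bytes\n", sizeof buf1 - 1);
    char buf2[BUF2_SIZE];
    if (vuln_safe(buf2, sizeof buf2, buf1) != 0) {
        printf("input too long for buf2 (max %d chars)\n", BUF2_SIZE - 1);
        return 1;
    }
    printf("copied: %s\n", buf2);
    return 0;
}
```

Feeding the same 20-character line to this version produces a refusal message rather than a crash, so no signal handler (and no flag) is ever reached; the check on strlen before the copy is exactly what the original vuln lacks.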
Flag
picoCTF{ov3rfl0ws_ar3nt_that_bad_a065d5d9}**
** Note: these are user-specific and will not work for you.