Author: NightKing
We have been given a 64bit binary file to work with.
Debugging/Decompiling the Binary
Run the chall file on gdb and looking into the functions present in it . {command info functions}
The functions in this challenge that are useful for us are
Lets look at the decompiled code in IDA/Ghidra
The main() function calls lab() first which looks like this.
The Vulnerability
There is a visible buffer overflow here that our string v1[] (character array == string) whose buffer length is 32 so we have a potential buffer overflow here.
To know more about buffer overflows in detail you can watch binary exploitation tutorial videos (Day 1 & Day 2) in the InCTFj Youtube channel Day 1 and Day 2
We have a scanf() vulnerabilty here that we are not checking on the length of the input we will be giving here as input
Coming back !!
Now lets see the other function that was left to be checked which was secretFunction()
Oh wow !! So now in this function we see that we are being guven the flag if this gets executed.
But one thing to observe is its neither called in main() nor it is called in lab().
So lets use the vulnerabilty found to exploit this program and craft the payload.
First we will fill the buffer with the required bytes ie. 32.
payload = b'a'* 32
Then we have to overwrite the rbp with another 8 bytes to reach the rip in the stack frame . So now the payload would look like.
payload = b'a'*32
payload += b'b'*8
Now that we have reached rip we will add the address of secretFunction() to our payload.
So now our final exploit would look like