
0verclock

Medium Pwn

Author: Srijiith

Initial Analysis

This is the main function taken from the source code; decompiling the binary should yield something similar. We have a variable of type , a variable of type and a variable which is an array of length 24. User input of type is read into . Then is incremented by .


Then there is a check to make sure is less than 24. This is to make sure that the next input being read is always shorter than 24 bytes, since is of that size. This check is intended to prevent a buffer overflow.

Exploitation

What is an integer overflow? An integer overflow occurs when you perform arithmetic (like addition) on a number in such a way that the result cannot be stored in the memory allocated to it. It can cause unintended behaviour and usually leads to other bugs. For example, in on 64 bit, a variable of type is allocated 4 bytes (32 bits). The maximum value it can store would be (2^32-1) and the minimum, . If you add to a variable holding the maximum value, it would just become , since the 5th byte required to store the larger number is discarded.

The vulnerability here is that is of type . If we could get to be a negative integer (like ) by causing an integer overflow using the addition with our input, then it would pass the check. However read expects the 3rd parameter (size) to be of type . Suppose we get to be , then it will be represented in memory as which is when interpreted as . This would cause a buffer overflow since we will be able to write past the 24 bytes allocated to . Using the buffer overflow, we can get RIP control to return to the function provided in the binary, which will give us the flag.

But how do we get to be ? We can abuse the addition done on with our user input. Let's aim to get to be . Since our input is of size , we can't give negative numbers, so we will have to cause an integer overflow. The initial value of is (10) in hexadecimal. is represented as in hexadecimal. Therefore, for to be , (our input) will have to be => => (when represented as ).
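The check and conversion described above, as an added C example that is not the challenge's source or the author's exploit. It assumes the shapes the page elides: a 32-bit signed length starting at 10, a 32-bit unsigned addend read from the user, and a 24-byte buffer (all names here, such as `wrapped_add` and `hardened_check_passes`, are hypothetical). It shows why the wrapped value passes a signed `< 24` compare, what count a `size_t` parameter such as `read`'s then receives, and a hardened check that computes the sum in 64 bits and rejects it.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Assumed sizes and values (the page elides the real names and types):
 * a 24-byte buffer, a 32-bit signed length that starts at 10, and a
 * 32-bit unsigned number read from the user and added to the length. */
#define BUF_LEN      24
#define INITIAL_LEN  10

/* Model the challenge's addition. The sum is computed in unsigned
 * arithmetic so the two's-complement wrap is well defined; the cast back
 * to int32_t gives the bit pattern the signed variable ends up holding
 * on a two's-complement machine. */
static int32_t wrapped_add(int32_t base, uint32_t user)
{
    return (int32_t)((uint32_t)base + user);
}

/* The weak check: a signed compare only rejects values >= 24, so any
 * negative length passes. */
static bool weak_check_passes(int32_t len)
{
    return len < BUF_LEN;
}

/* read(2) takes its count as size_t; converting a negative int32_t to
 * size_t yields a huge unsigned value, far beyond the 24-byte buffer. */
static size_t count_seen_by_read(int32_t len)
{
    return (size_t)len;
}

/* The addend that turns base into target under 32-bit wrap: the page's
 * "target minus initial value" arithmetic, done in unsigned arithmetic. */
static uint32_t addend_for(int32_t base, int32_t target)
{
    return (uint32_t)target - (uint32_t)base;
}

/* Hardened check: do the addition in 64 bits so the sum cannot wrap,
 * then require 0 <= sum < BUF_LEN before the value is used as a count. */
static bool hardened_check_passes(int32_t base, uint32_t user, int32_t *out)
{
    int64_t sum = (int64_t)base + (int64_t)user;
    if (sum < 0 || sum >= BUF_LEN)
        return false;
    *out = (int32_t)sum;
    return true;
}

int main(void)
{
    uint32_t user = addend_for(INITIAL_LEN, -1);   /* addend that wraps to -1 */
    int32_t len = wrapped_add(INITIAL_LEN, user);
    int32_t safe_len;

    printf("user input      : %u\n", user);
    printf("wrapped length  : %d\n", len);
    printf("weak check      : %s\n", weak_check_passes(len) ? "passes" : "rejects");
    printf("count to read() : %zu\n", count_seen_by_read(len));
    printf("hardened check  : %s\n",
           hardened_check_passes(INITIAL_LEN, user, &safe_len) ? "passes" : "rejects");
    return 0;
}
```

The hardened variant fixes both halves of the bug at once: widening to 64 bits removes the wrap, and the explicit lower bound means a negative length can never reach the `size_t` conversion. Checking `len < 24` alone, as the challenge does, is the classic signed/unsigned length-check mistake.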

Here is the final exploit:


Conclusion

In summary,

  • cause an integer overflow on by abusing the addition with our input.
  • the integer overflow leads to a buffer overflow.
  • use the buffer overflow to return to , which gives us the flag.