Author: Srijiith
Initial Analysis
This is the main function, taken from the source code. We have 2 variables: , which is a buffer of size 8, and , which is of type . is initialised with the value . User input is read using with the format specifier . Our goal is to overwrite so that it holds the value , which will give us a shell that we can use to obtain the flag.
Exploitation
The vulnerability here is caused by using the format specifier with . The issue with this particular format specifier is that it reads input of any length and stores it in a buffer of fixed size, with no check against that size. If the input is longer than the buffer, the excess is written past the end of the buffer into adjacent memory, i.e. a buffer overflow.
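To make the fixed-size-buffer point concrete, here is an added C example (not code from the challenge or the writeup) with a layout that mirrors the description above: an 8-byte buffer directly followed by a 4-byte value initialised to the 0xcafebabe quoted later on this page. The struct and field names, and the overlong input string, are assumptions made for the example. It contrasts the unbounded `%s` read with the bounded form, where a field width of `sizeof(buf) - 1` caps the copy and leaves room for the terminating NUL, so an overlong input is truncated instead of reaching the adjacent value.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed layout mirroring the writeup: an 8-byte buffer followed by a
   4-byte value. Field names are assumptions; the page does not name them. */
struct frame {
    char     buf[8];
    uint32_t sentinel;
};

/* Vulnerable pattern described on the page: "%s" carries no width, so the
   copy is bounded only by the input, not by sizeof(f->buf). Kept here for
   contrast only; nothing in this file calls it. */
void read_unbounded(struct frame *f) {
    scanf("%s", f->buf);
}

/* Hardened read: "%7s" stops after sizeof(buf) - 1 characters, so the NUL
   always fits and the sentinel is never touched. Input comes from a string
   via sscanf so the example runs offline; the width literal must be kept in
   step with the buffer size by hand, since a format string cannot use sizeof. */
int read_bounded(struct frame *f, const char *input) {
    f->sentinel = 0xcafebabe;            /* value quoted on the page */
    memset(f->buf, 0, sizeof f->buf);
    return sscanf(input, "%7s", f->buf); /* 7 == sizeof(f->buf) - 1 */
}

/* Returns 1 if the value after the buffer survived the read, 0 otherwise. */
int sentinel_intact(const struct frame *f) {
    return f->sentinel == 0xcafebabe;
}

int main(void) {
    struct frame f;
    /* Constructed overlong input: 8 'A's then 8 'B's, twice the buffer size. */
    read_bounded(&f, "AAAAAAAABBBBBBBB");
    printf("buf=\"%s\" sentinel=0x%08x intact=%d\n",
           f.buf, (unsigned)f.sentinel, sentinel_intact(&f));
    return 0;
}
```

With the bounded read, only the first 7 characters land in the buffer and the remaining input is left unconsumed in the stream; the same result is obtained with `fgets(buf, sizeof buf, stdin)`, which is usually the clearer choice because its bound is expressed directly as `sizeof buf` rather than as a literal inside the format string.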
In this particular challenge this vulnerability allows us to write past the memory allocated for and into . This allows us to modify the value of . We can test the overflow by debugging the binary with and giving an input such as . The first 8 "A"s will fill the buffer. The remaining "B"s will overwrite 0xcafebabe stored in .
Before reading input:
After reading input:
is the hexadecimal ASCII value of "A" and is the hexadecimal ASCII value of "B". Hence it can be seen that we overwrote with our "B"s. Since data is stored in (reverse order for every 4 bytes), in order to get in memory, we have to give input .
Final exploit:
Conclusion
In summary,
- we have 2 variables, which is a buffer and which is an with value .
- use buffer overflow caused by to fill buffer and overwrite to .
- check is passed and we are given a shell with which flag can be obtained.
