InCTF Jr 2022
August - November, 2022

# Quizz

Medium Pwn

#### Initial Analysis

The challenges has three questions that needs to be answered. The initial questions are integer overflow and the third question is integer overflow that triggers a buffer overflow vulnerability .

• Initial steps to analyize the binary   Conclusions from initial check::

1. 32 - bit binary
2. Not stripped
3. All migitations are disabled
4. The presence of `win` function that can get us a shell.
• Source code

#### Integer overflow

When the result of an integer operation does not fit inside the allotted memory space, it is referred to as an integer overflow. Rather than a small error in program, it should be considered as a bug that can be exploited to alter the course of normal exceution of program.

#### quiz1

On analysing the source code, one would understand that we have to somehow find a number that when added to `4294967295` would give us `0`. The basic common sense would be to give `-4294967295` as input. But doing it would result in error. This is because in C language the range that is reserved for storing the int [data type] is `-2147483648` to `2147483647`. So, giving `-4294967295`, won't work.

So moving onto our question,this question has the most classic example of integer overflow.

The range of values that can be stored for an unsigned integer in 4 bytes is `0` to `4294967295[0xfffffff]`.

Data typebyterange
unsigned int40 - 4294967295

So if u add `1` to it, it wouldn't become `4294967296`, instead would result in an overflow ::`1 + 0xfffffff = 0x100000000`. But the additional bit is disregarded, thus resulting in 0. #### quiz2

On analysing the code one would understand that we have to find a number that when multiplied with 16 would give me `0` but shouldn't be `0` itself. As said before the range of signed integer is from `-2147483648` to `2147483647`, so we can give `268435456` . #### quiz3

From main()

On analysing the code,one can see that the length of the input is being checked. Only if it is equal to `6`, one can reach the buffer overflow vulnerability that is present in `strcpy`. On overflowing,we get code execution so we can do a ret2win and that would give us a shell. But if we were to give an input with length `6`, we wouldn't be able to overflow since the array is of size 23.

Now we need to find the vulnerability in any functions in quiz3 using which we can somehow overcome the length barrier. The bug is that the result of `strlen(input)` is converted to a byte. So here if we were to give `0x106`, then `strlen` will return `0x06`, thus passing the length constraint.

Now we can give an input of length `0x106` and in that input we could overflow the variable `inp_buff` and ret2win.

Now we need to get the buffer value and address of `win` function.

Now putting all of this together, we get the exploit as:: 