Credit to Ryan
The first thing we did for this challenge was to look at the program headers:
From the headers we can see that the stack is given read, write, and execute permission. Therefore, assuming the stack has enough space and we can overflow the buffer, we should be able to place and execute shellcode on the stack. Looking at the assembly in IDA Pro, we see a few interesting lines.
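The program-header check described above, as an added example (not the write-up author's code): it reads the `PT_GNU_STACK` entry, which is what `readelf -l` shows as `GNU_STACK`, from a little-endian ELF image and reports whether the stack is marked executable. The sample ELF32 image is constructed inline, and the function names are hypothetical.

```python
import struct

PT_GNU_STACK = 0x6474E551          # program header type that carries stack permissions
PF_X, PF_W, PF_R = 1, 2, 4         # p_flags bits

def stack_flags(elf: bytes):
    """Return p_flags of PT_GNU_STACK in a little-endian ELF image, or None if absent."""
    if elf[:4] != b"\x7fELF" or elf[5] != 1:
        raise ValueError("not a little-endian ELF image")
    is64 = elf[4] == 2             # EI_CLASS: 1 = ELF32, 2 = ELF64
    if is64:
        e_phoff, = struct.unpack_from("<Q", elf, 0x20)
        e_phentsize, e_phnum = struct.unpack_from("<HH", elf, 0x36)
    else:
        e_phoff, = struct.unpack_from("<I", elf, 0x1C)
        e_phentsize, e_phnum = struct.unpack_from("<HH", elf, 0x2A)
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        p_type, = struct.unpack_from("<I", elf, off)
        if p_type == PT_GNU_STACK:
            # p_flags is the 2nd word of Elf64_Phdr but the 7th word of Elf32_Phdr
            p_flags, = struct.unpack_from("<I", elf, off + (4 if is64 else 24))
            return p_flags
    return None

def describe(flags):
    """Render the flags as an RWE string with a verdict on stack executability."""
    if flags is None:
        return "no PT_GNU_STACK header"
    perms = "".join(c if flags & bit else "-"
                    for c, bit in (("R", PF_R), ("W", PF_W), ("E", PF_X)))
    verdict = "executable stack" if flags & PF_X else "non-executable stack"
    return f"{perms} ({verdict})"

def make_elf32(stack_p_flags):
    """Constructed sample: 52-byte ELF32 header followed by one PT_GNU_STACK entry."""
    ident = b"\x7fELF" + bytes([1, 1, 1]) + bytes(9)
    ehdr = ident + struct.pack("<HHIIIIIHHHHHH",
                               2, 3, 1, 0, 52, 0, 0, 52, 32, 1, 0, 0, 0)
    phdr = struct.pack("<8I", PT_GNU_STACK, 0, 0, 0, 0, 0, stack_p_flags, 0x10)
    return ehdr + phdr

if __name__ == "__main__":
    for flags in (PF_R | PF_W | PF_X, PF_R | PF_W):
        print(describe(stack_flags(make_elf32(flags))))
```

Run over build outputs, a result containing `E` flags a binary that was linked with an executable stack, the condition this challenge depends on.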
From the assembly we can calculate what the stack will look like at run time:
As we can see from the assembly, the program is going to do the following:
1. Create a random canary value and save it into VAR_C
2. Send the address that points to the top of BUF
3. Send the canary value
4. Send the following string “Welcome to CSAW CTF. Exploitation 2 will be a little harder this year. Insert your exploit here:”
5. Receive 4096 bytes and store them in BUF
6. If the canary value has not been changed, return; otherwise, exit the program
So the program reads up to 4096 bytes into a 2048-byte buffer. We have a known address that points to the top of the buffer, and we have the canary value. So we need to write an exploit program that sends the shellcode + canary value + buf address to get the flag.
Flag = 53666e040caa855a9b27194c82a26366
Link to solution code: https://github.com/IAryan/CTFSolutions/tree/master/CSAW/2013/Exploit_200