buffer overflow 3

Author

Sanjay C / Palash Oswal

Description

Do you think you can bypass the protection and get the flag? It looks like Dr. Oswal added a stack canary to this program to protect against buffer overflows. You can view source here. And connect with it using:
nc saturn.picoctf.net 63257

Hints

  1. Maybe there's a smart way to brute-force the canary?

Approach

I watched this video and changed parts of the code (assuming pwntools had been updated).

script.py

For script.py, the goal is to brute-force the canary one character at a time. We do this by looping through a set of candidate characters and sending each one to the service. Each time a correct character is found, the program prints it and then terminates. At each correct character, change line 4 to one number higher and append the correct character to line 5.

exploit.py

Looking at vuln.c tells us the canary is 4 characters long, meaning we can stop running script.py once we have 4 characters. We find the canary is "BiRd". Once we have all 4 characters, we know the canary and can overflow the buffer without tripping the check. If we run gdb vuln and then disassemble win, we can find the address of the win function. After that, we can build the exploit script and run it to get the flag.
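The point the flag alludes to, that the byte-by-byte search only works because the canary is the same in every run, is easier to see in a small simulation. The Python below is an added example and not part of this writeup or the challenge files; CanaryOracle, guess_canary and the per-process helpers are hypothetical names, and the prefix-check semantics only approximate the real vuln.c.

```python
import secrets
from typing import Callable, Optional, Tuple

CANARY_LEN = 4  # the challenge's vuln.c uses a 4-byte canary (glibc's is pointer-sized)

class CanaryOracle:
    """One run of the vulnerable program (a simulation, not the challenge binary).
    An overflow overwrites the canary slot from its low end and the check compares
    only the bytes actually touched, so a correct prefix passes. False stands for
    the 'canary corrupt' message followed by exit."""

    def __init__(self, canary: bytes) -> None:
        self.canary = canary

    def check(self, overflow: bytes) -> bool:
        touched = overflow[:CANARY_LEN]
        return self.canary[:len(touched)] == touched

def guess_canary(new_process: Callable[[], CanaryOracle]) -> Tuple[Optional[bytes], int]:
    """Byte-at-a-time search driven only by the pass/fail signal.
    Each attempt reconnects to a fresh process, so it only works when every
    process shares one canary. Returns (canary or None, connections used)."""
    known, attempts = b"", 0
    for _ in range(CANARY_LEN):
        for b in range(256):
            attempts += 1
            if new_process().check(known + bytes([b])):
                known += bytes([b])
                break
        else:
            return None, attempts  # no byte passed: the value changed between runs
    return known, attempts

STATIC_CANARY = b"BiRd"  # the fixed value the writeup recovered; constructed demo data

def static_process() -> CanaryOracle:
    """Canary loaded from a file at startup, identical in every run."""
    return CanaryOracle(STATIC_CANARY)

def random_process() -> CanaryOracle:
    """Canary drawn afresh per process, as glibc does from the AT_RANDOM bytes."""
    return CanaryOracle(secrets.token_bytes(CANARY_LEN))

if __name__ == "__main__":
    print("static:", guess_canary(static_process))  # (b'BiRd', 357): at most 4*256 tries, not 256**4
    print("random:", guess_canary(random_process))  # (None, n): a prefix learned in one run is useless in the next
```

With the static value the search needs 357 connections (the sum of each byte's ordinal plus one) instead of 256**4; with a per-process value the learned prefix stops matching as soon as the next process starts.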

Flag

picoCTF{Stat1C_c4n4r13s_4R3_b4D_f7c1f50a}