.png)
6 months ago
45 BOOK THIS SPACE FOR AD
ARTICLE AD
Hello again guys. I’ve been quite busy the last month doing exams and starting a new job. But, last weekend we got back at it and this time diving into binex. I’m by no means an expert here I am just starting my journey so feedback would be much appreciated on this one. Feel free to follow me on Twitter as this is where I will be posting some other stuff. Link below, now lets begin.
https://twitter.com/Warlok_x00
This will be a walk through of the challenge clutter-overflow on the website PicoCTF found at the link below
https://play.picoctf.org/practice?category=6&page=2
What I will be using for this is:
Sublime text (Any editor will do)Pwn tools (Make sure you install this with pip)GBD (This can be found on kali linux by default but you can always download this too)Metasploit frameworkAfter downloading the binary and source we are ready to begin. First, lets give the binary execute permissions with chmod +x chall and now we run the binary to see what we are working with.
Okay looks like we have a input field we can put some text in. Lets just add “Boogsta” and see what it says.
It looks like the app is checking to see if what we entered is equal to “0xdeadbeef”? Well not exactly, if we type just 0xdeadbeef into the binary we would get the same error. This is because it is checking to see if the “rbp” register is equal to “0xdeadbeef” and we can’t write to it without overflowing our buffer. This is where GDB comes in we are going to use this to debug the binary and find how many bytes it takes to overflow the buffer.
We are going to use a tool called pattern_create that comes with the metasploit framework. This will generate a string of bytes we will input into the application in hope we can overflow the buffer.
To use this, we do the following command to generate a string of 500 bytes long
/opt/metasploit-framework/embedded/framework/tools/exploit/pattern_create.rb -l 500 > patternWe also write the string to a file so we can later use it with gdb. Now we want to start gdb and attach the binary to it for debugging. We can do this simply with doing the command:
gdb challWhich will start gdb and attach the binary as mentioned. You should now see something like this
Now, remember the pattern from before? We want to run that against the binary to do this we do the command:
r < patternAfter running, we see we have got a seg fault!
Now to start the analysis we can start looking at the registers and what data they hold. We do this with
info registersInside of GDB. When we run this command we get the following screen
We can also see that the line “code ==” now also doesn’t equal to 0x0 anymore instead it is a large hexadecimal. We can also see in our registers we have one that is a lot different to the rest of them, this being the RBP register we mentioned earlier. This reads 0x41326a41316a4130. This is what we need to find out the offset that we overflowed our buffer at. We are going to use another metasploit tool called pattern_offset.rb which will calculate this for us.
The command to do this is
/opt/metasploit-framework/embedded/framework/tools/exploit/pattern_offset.rb -q 0x41326a41316a4130Which will display
Great! So, now we know our offset is 272, which means sending 272 bytes will overflow our buffer. But we also need to point the register to equal to 0xdeadbeef?
This is where a big of math comes in. To overflow our buffer, we know we need to send 272 bytes, however, each character in 0xdeadbeef is 1 byte of data so it equals to 8 bytes as we don’t include the “0x” so we now have to do 272–8 = 264. This means we need to send 264 bytes of data plus the 8 bytes of deadbeef for the RBP register to read 0xdeadbeef. Little confusing but don’t worry we will go over the exploit code now.
To start load up sublime or your chosen coding environment, and import the pwn module
from pwn import *Now we want to set the binary as our target, to do this we want to do the following
connect = process('./chall')This will start our binary as a local process. Now we need to add our padding so we can get to the overflow. We want to send 264 bytes so we will just be sending 264 A’s
padding = b'A' * 264Next, we need to add our deadbeef bytes. However, we need to keep in mind our formatting. We need to use little-endian format which means we want to write our value backwards.
rbp = b'\xef\xbe\xad\xde'Next, we will be creating our payload variable which will be simply concatenating the padding and rbp variable together
payload = padding + rbpOur input prompt is on a new line. To specify this in python we use \n this is important as we want to send our payload after we receive the new line character from the binary to do this we do the following
connect.sendlineafter(b'\n', payload)Once our payload has been sent, we want to receive our data we got from the binary, this can be done with
output = connect.recvall()Finally, we print out our. This is quite self explanatory
print(output)The full exploit should look like
Finally, we need to test out our payload. Remember to also create a flag.txt file in the same directory as our binary and we can then run the exploit with python exploit.py we should see the output below
At the end of the data we get the local flag! Now all that is left to do is change the line
connect = process('./chall')to
connect = remote(host,port)We also need to create two variables called host and another called port and this will be set to the hostname and the port that pico ctf gives you. The final exploit code should look like
Thanks for reading :)
Bengali (Bangladesh) · 
English (United States) ·