Need some help with a buffer overflow exploit
Hi,
I have been sitting at this little challenge from university for quite a while. I read several guides/tutorials and followed their examples to dive into the topic of buffer overflow exploitation.
```c
#define _DEFAULT_SOURCE
#include <stdlib.h>
#include <unistd.h>
#include <stdio.h>
#include <string.h>
#include <time.h>
#include <math.h>

int a, b;
char correct[0x40];

int main()
{
    FILE *fp;
    char buf[0x40];
    int auth = 0;

    setbuf(stdout, NULL);
    alarm(M_PI);                    /* SIGALRM after about 3 seconds */
    srand(time(NULL));
    a = rand() % 0x8000, b = rand() % 0x8000;
    printf("%#x + %#x = ", a, b);
    if (!gets(buf)) exit(1);        /* unbounded read into buf */
    if (a + b != strtol(buf, NULL, 0))
        exit(0);

    /* the expected password is read from a file on the server */
    if (!(fp = fopen("password.txt", "r"))) exit(1);
    if (!fgets(correct, sizeof(correct), fp)) exit(1);
    if (*correct && correct[strlen(correct) - 1] == '\n')
        correct[strlen(correct) - 1] = 0;
    if (fclose(fp)) exit(1);

    printf("Password: ");
    if (!gets(buf)) exit(1);        /* second unbounded read into buf */
    if (!strcmp(correct, buf))
        auth = 1337;
    if (auth ^ 1337)
        exit(0);
    printf("\x1b[32mCongratulations! You win!\x1b[0m\n");
    execl("/bin/get_flag", "get_flag", NULL);
}
```
(I erased some printf lines which shouldn't be crucial for this, e.g. the e-mail address of the tutor.)
This is the source code of the mentioned challenge. The task is to circumvent the password check.
A friend told me that the file "password.txt" and the array "correct" lie on the server, so they should be nothing I need to care about.
When connected to the server via netcat, it asks me to add two (random) hexadecimal numbers within a few seconds. After the time limit, gdb tells me that the program terminates with signal SIGALRM, Alarm clock.
```
0xfff + 0xd4 =
Program terminated with signal SIGALRM, Alarm clock.
The program no longer exists
```
Moving on to my idea of what I think should be done to avoid the password check.
As the title says, exploiting a buffer overflow would be my suggestion. When the program asks for the solution to the addition of those two numbers, I think that, if I enter a string that is long enough and contains the address of the second-to-last code line (the printf() call), I could skip everything that causes the program to reach exit().
First of all, would this be a correct solution? Or am I missing something?
I took a look at the dump of assembler code in gdb and figured out that 0x50 bytes are reserved for char buf[0x40] (I guess):
```
0x0804872a <+15>: sub $0x50,%esp
```
I tried entering very long strings, but the program keeps exiting normally.
```
[Inferior 1 (process 30719) exited normally]
```
I am pretty inexperienced/new at this stuff, but interested, so this task is a bit hard for me. I have basic knowledge of C, Python, assembler and of how the stack and registers work/look. Most important for me is to know whether I am on the right path to the solution.
Oh, and I am running on (Arch) Linux 64-bit and compiled the code with gcc -m32, in case this information is important.
Thanks in advance!
PS: English is not my native language, so please ignore any grammatical mistakes.
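Editor's note: the root cause in the challenge code is that both `gets(buf)` calls copy an unbounded line into the 0x40-byte `buf`, which sits on the stack right next to `auth` and the saved return address. The following is an added example (my own code, not the challenge's and not the original poster's) showing the mitigation a defender would apply: a bounded line reader that replaces `gets`, keeps the same `buf`/`auth` layout, and discards the remainder of an over-long line so later reads stay in sync. The helper names `read_line_bounded`, `check_password`, `check_password_str`, `read_line_status`, the password `hunter2` and the in-memory input lines are all constructed for this example.

```c
#define _DEFAULT_SOURCE          /* for fmemopen() on glibc */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Bounded replacement for gets(): reads at most cap-1 bytes into dst and
 * strips the trailing newline. If the line is longer than the buffer, the
 * rest of it is consumed and dropped so the next read starts on a fresh line.
 * Returns 0 on success, 1 if the line had to be truncated, -1 on EOF/error. */
int read_line_bounded(char *dst, size_t cap, FILE *in)
{
    if (cap == 0 || !fgets(dst, (int)cap, in))
        return -1;
    size_t len = strlen(dst);
    if (len > 0 && dst[len - 1] == '\n') {
        dst[len - 1] = '\0';
        return 0;
    }
    /* No newline: either EOF ended the line or it was longer than cap-1. */
    int c, truncated = 0;
    while ((c = fgetc(in)) != EOF && c != '\n')
        truncated = 1;
    return truncated;
}

/* Constructed stand-in for the challenge's "Password:" step: same stack
 * layout (buf next to auth) but bounded input, so an over-long line can
 * never reach auth. Returns the auth value (1337 on match, 0 otherwise). */
int check_password(const char *correct, FILE *in)
{
    char buf[0x40];
    int auth = 0;
    if (read_line_bounded(buf, sizeof buf, in) < 0)
        return 0;
    if (!strcmp(correct, buf))
        auth = 1337;
    return auth;
}

/* Run check_password against a constructed in-memory line instead of stdin. */
int check_password_str(const char *correct, const char *input)
{
    FILE *in = fmemopen((void *)input, strlen(input), "r");
    if (!in) return -1;
    int r = check_password(correct, in);
    fclose(in);
    return r;
}

/* Feed a constructed line through read_line_bounded with a buffer of the
 * given capacity (clamped to 0x40) and report its status code. */
int read_line_status(const char *input, size_t cap)
{
    char small[0x40];
    if (cap > sizeof small) cap = sizeof small;
    FILE *in = fmemopen((void *)input, strlen(input), "r");
    if (!in) return -1;
    int r = read_line_bounded(small, cap, in);
    fclose(in);
    return r;
}

int main(void)
{
    char big[300];                        /* constructed 298-byte 'A' line */
    memset(big, 'A', sizeof big - 2);
    big[sizeof big - 2] = '\n';
    big[sizeof big - 1] = '\0';
    printf("correct password -> %d\n", check_password_str("hunter2", "hunter2\n"));
    printf("wrong password   -> %d\n", check_password_str("hunter2", "letmein\n"));
    printf("300-byte line    -> %d\n", check_password_str("hunter2", big));
    printf("truncated status -> %d\n", read_line_status("this line is too long\n", 8));
    return 0;
}
```

The point of the `truncated` return value is the subtle part: `fgets` alone stops at `cap-1` bytes and leaves the rest of the line in the stream, so the challenge's second prompt would otherwise silently consume the tail of the first answer. Draining to the newline keeps each prompt paired with its own line, which is what `gets` did, minus the overflow.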
Well, I don't know the answer, but all I found was this:
the url of the file