# X-CTF Quals 2016 - b0verfl0w (Pwn)

X-CTF is a capture the flag competition in Singapore organized by NUS Greyhats. The online qualifiers took place over the weekend of 9 - 10 April 2016. Halfway through the competition, we realize that the challenges were solved pretty quickly by the participants, and thus I wrote some new challenges. The following two challenges were by me.

# b0verfl0w

Category: Pwn
Description b0verfl0w is running at 188.166.226.181:4242.

# Solution

So from the name of the challenge, this is an obvious buffer overflow challenge. However, obvious it would not be as simple as a classic buffer overflow. In this case, we’re given the binary without the source code, so first thing to do is to analyze the binary for the buffer overflow vulnerability, and to determine if there are any useful gadgets we can use to build an exploit.

We got a 32-bit ELF executable here.

The vulnerability is very obviously on the name input. There are many ways to continue from here, and what I am writing is just one of the way.

Using GDB with peda, I am able to quickly find the amount of offset required until the EIP register using the pattern search plugin.

So what this tells me is that I’ll have to fill the first 36 bytes of input with junk before filling the 4 bytes with the memory address I’d like the program to jump to.

In a classical buffer overflow, what I’d do is to fill the 36 bytes with shellcode, and then modify the EIP value to jump to where my shellcode is located. However, this is only feasible if (1) I know the memory address of the shellcode, (2) DEP is not enabled and (3) if ASLR was not enabled, it’d be slightly easier to bruteforce the memory address of the shellcode.

In this case, DEP is disabled. However, we do not have any information of the memory layout or the libc addresses (which would allows us to craft a return-to-libc or ROP exploit).

However, upon closer inspection, you will notice that there are some ROP gadgets provided in the binary that could allow us to perform stack pivoting and thus execute our shellcode. Conveniently it’s contained in a function called hint ;).

We see a jmp $esp followed by a ret instruction that would allow us to perform a stack pivot. Memory layout: | Shellcode | Offset | 0x08048504 | Shellcode to perform stack pivoting | At the point when the program jumps to 0x08048504,$esp would be pointing at the start of Shellcode to perform stack pivoting, so what is needed here to do a stack pivot is sub 0x28,$esp followed by jmp$esp again. However, you need to convert the instructions into their respective hex representation. We perform a sub 0x28 because the shellcode + payload + 0x08048504 takes up 40 bytes and we want the next jmp \$esp to jump to the start of our shellcode.

For the shellcode portion, you can use any simple shellcode off the internet.

I wrote the exploit in python and used the pwntools library to simplify the entire exploitation process.
Final exploit:

Running our exploit provides us with a shell. :)

And we have our flag!