
I am working on a CTF and have a piece of software written in C, but not the source code. I am trying to do a libc buffer overflow using printf. GDB has given me the pointer to the shell and to libc system. However, I cannot find the size of the buffer for the input.

I have tried brute forcing by manually entering enough input (let's say 50 characters) to cause an overflow and segfault. However, when stepping through each called function using breakpoints and `x/500xb $esp`, I cannot find my input value (0x11) in the memory display. If I go through all the call breaks, it finishes without an error (using fewer than 50 input chars). I want to understand how I can find the beginning memory location and total size of the buffer that reads in the input.

I can see the printf call in GDB with `disas main`, but when placing a break after it, there is no data written at that point.

Yu Hao
hexadec0079
    Can you inspect the generated assembly? That might give you enough of a hint. You can get assembly debuggers, although the learning curve is steep (I'm still at the bottom). – Bathsheba Sep 18 '18 at 10:11
  • Just to update: I think I have all the other components (EIP and EBP as well as the libc and /bin/sh locations in memory). Tried fuzzing the input some more with no luck. My encoding scheme is below: 0x11 {repeat 50 times to cause segfault exit}, little-endian encoded libc system location, then the exit location, and finally the /bin/sh location. – hexadec0079 Sep 18 '18 at 10:28
  • Have you ruled out the possibility that your buffer isn't in the stack because it is dynamically allocated or it sits in the .bss section because it has been declared _static_? – Sydney Hauke Sep 22 '18 at 16:53
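Added example, not from the question or its comments: the usual way to get the buffer size is to feed a De Bruijn pattern instead of repeated 0x11 bytes, read the value that lands in EIP at the crash, and map it back to an offset in the input; the same pattern is also easy to locate in a memory dump. The 32-bit frame layout and the memory dump below are constructed stand-ins for the CTF binary.

```python
# Constructed example: De Bruijn pattern for locating a stack buffer's size
# and position under GDB. Every 4-byte window of the pattern is unique, so
# the EIP value seen at the crash identifies where in the input it came from.
import struct


def de_bruijn(alphabet: bytes, n: int, length: int) -> bytes:
    """Prefix of the De Bruijn sequence B(k, n): every n-byte window is unique."""
    k = len(alphabet)
    a = [0] * (k * n)
    seq = []

    def db(t, p):
        if t > n:
            if n % p == 0:
                seq.extend(a[1:p + 1])
        else:
            a[t] = a[t - p]
            db(t + 1, p)
            for j in range(a[t - p] + 1, k):
                a[t] = j
                db(t + 1, t)

    db(1, 1)
    return bytes(alphabet[i] for i in seq[:length])


def pattern_offset(pattern: bytes, crash_value: int) -> int:
    """Map the EIP value shown by `info registers` at the crash back to an
    offset in the pattern. x86 is little-endian, so the bytes that landed in
    EIP appear reversed in the register value. Returns -1 if not found."""
    return pattern.find(struct.pack("<I", crash_value))


def simulate_overflow(pattern: bytes, buf_size: int) -> int:
    """Constructed model of a 32-bit frame: [buffer][saved EBP][return addr].
    Returns the value that would end up in EIP when the function returns."""
    ret_slot = buf_size + 4
    return struct.unpack("<I", pattern[ret_slot:ret_slot + 4])[0]


def find_input_in_memory(memory: bytes, base: int, pattern: bytes, n: int = 8) -> int:
    """Locate the first n bytes of the input in a dump (e.g. from x/500xb $esp),
    giving the buffer's start address, or -1 if the input is not there."""
    i = memory.find(pattern[:n])
    return base + i if i >= 0 else -1


if __name__ == "__main__":
    pat = de_bruijn(b"abcdefghijklmnopqrstuvwxyz", 4, 200)
    eip = simulate_overflow(pat, 40)  # constructed 40-byte buffer
    print(f"EIP at crash {eip:#010x} -> input offset {pattern_offset(pat, eip)}")
```

With a real target, `pattern_offset` is fed the EIP value GDB reports at the segfault; if it returns -1 the overwritten value did not come from the input, which points at the .bss or heap possibility raised in the comments.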

0 Answers