Open in app

Sign in

Write

Sign in

Shell this! DownUnderCTF Buffer Overflow

Musyoka Ian
5 min readSep 24, 2020

--

Hello guys back again with a second buffer overflow article this time will be tackling shell this. A buffer overflow challenge from DownUnderCTF. It is a beginner friendly challenge and even with little knowledge on buffer overflow you can be able to tackle the problem with much ease. Without much say let’s jump in

Looking at the challenge we have been given hints that the binary might be vulnerable to a remote code execution. This means that we can be able to run system commands from a remote system and we have also been given some connection details. And looking at the screenshot below we can see that only 340 teams managed to solve the challenge and there were over 800 teams participating. This shows how much binary exploitation is actually a hard topic

Also the CTF is kind enough to give us a binary that we can analyze and also the source code of the application

First thing i did was download the binary to my local box and next i decided to take a look at the source code of the application

Looking at the source we see that the binary vuln function is vulnerable to a buffer overflow since it uses gets which does not keep track of input given by a user

But we also see another function called get_shell that can be used to spawn a system shell on the target but funny enough the function has not be added to the main function of the binary meaning during execution if the program the function is not called. Meaning you have a shell on the program but no way to call it

Not yet anyway 😃

Let’s execute the binary and see what we see. First we have to mark the binary as an executable

Next we execute the binary and then pass it some input

Looking at the program we see that after passing it some input we just get an output saying

Unfortunately, you did not win. Please try again another time!

What if we pass it a lot of characters?

Looking at the screenshot below we get a segmentation fault

So we are sure that the binary is vulnerable to a buffer overflow but after how many characters are we going to start overriding RSP ?

For this will use GDB with peda extension

I loaded to binary to gdb and tried to find the security features that the binary has using the checksec function

Looking at the above screenshot you can see that NX is enable this basically means the binary stack has a non executable bit meaning we can’t just drop shellcode and then executes. PIE is disabled meaning all the memory addresses inside the binary will not be randomized which makes the job for us a whole lot easier

Using pattern_create i created a pattern of 100 characters

Then i ran the program again and passed it the characters

Looking at the output we see that the program crashed on a return function

Because of this i decided to look at RSP which basically is the stack pointer

Inspecting the RSP we see that the program crashed after 56 character input

Meaning after 56 characters which basically is the padding then we add a memory address we would cause the program to jump to that memory address

What if we cause the program to jump to the get_shell function of the program?

If we could cause the binary to jump to that get_shell function we could get a shell on the system even if the function was not called in the main function of the program and that’s how the vulnerability arises

So let’s begin crafting the exploit using python

First in our payload we need to set up the environment this will enable pwntools to know how to format memory addresses

Then create a connection to the socket using remote feature of pwntools

Now we need to find that memory address of the get_shell function using the command

getshell = shellthis.symbols.get_shell

Next we now craft our payload

Now that our payload has been crafted we just need to send it to the system and hope that we get a shell

After sending the payload i added a line

connection.interactive()

This tells pwntools that after it had send the payload not to wait for anything else but drop us to a shell

I then saved the payload and executed the exploit

Looking at the above screenshot we got a shell on the system

Let’s now read flag.txt

And we have the flag

DUCTF{h0w_d1d_you_c4LL_That_funCT10n?!?!?}

Sweet. And we are done hope you guys have enjoyed reading the article if so clap for me down below and don’t forget to follow me so that you don’t miss any upcoming articles

Downunderctf
Buffer Overflow
Shellthis
Ctf Writeup

--

--

Musyoka Ian
Musyoka Ian

Written by Musyoka Ian

764 Followers
5 Following

Penetration Tester/Analytical Chemist who Loves Cybersecurity. GitHub(https://github.com/musyoka101), ExploitDB(https://www.exploit-db.com/?author=10517)

Responses (1)

Help

Status

About

Careers

Press

Blog

Privacy

Terms

Text to speech

Teams