69 lines
2.6 KiB
Markdown
69 lines
2.6 KiB
Markdown
+++
|
|
date = '2025-04-28T12:00:00+02:00'
|
|
draft = false
|
|
title = 'Crash override'
|
|
tags = ['pwn']
|
|
+++
|
|
|
|
This challenge is funny and I've never seen it before it was really easy once I turned on my brain and realised that the solution isn't supposed to work on my local system without the provided container and that I should try on the remote.
|
|
|
|
So we get a file and the usual nc command, as always lets fire up ghidra and see what we're dealing with.
|
|
|
|
```c
|
|
int main(void)
|
|
{
|
|
int iVar1;
|
|
char input [64];
|
|
|
|
signal(0xb,on_segfault);
|
|
printf("What is the password?\n?: ");
|
|
fflush(stdout);
|
|
fgets(input,0x80,stdin);
|
|
iVar1 = strcmp(input,"password\n");
|
|
if (iVar1 != 0) {
|
|
puts("incorrect password");
|
|
fflush(stdout);
|
|
}
|
|
return 0;
|
|
}
|
|
```
|
|
|
|
This looks like a simple password checking function, however we quickly notice two things.
|
|
1. First we have a nice little buffer overflow on the input, we are able to input 0x80 chars (which is 128 in decimal) inside of a 60 bytes buffer. For a beginner oriented CTF this isn't surprising.
|
|
2. More surprising is the use of `signal` which I guessed allows to do something when receiving a syscall. After a quick look at the manual I was right. This allow us to map a signal to a function resulting in a call to the function being performed when the signal is received by the program (I don't think this is all and I am not sure that it is exactly what happens but it's more than enough to do the challenge). By the name of the function and after a quick look on the internet we can confirm that `0xb` (11 in decimal) is the syscall number for `SIGSEGV` better know as the segmentation fault (invalid memory reference, tried to dereference an invalid pointer).
|
|
|
|
So putting it all together we have a buffer overflow that allows us to trigger a segfault by overriding the return pointer and a function that executes when a segfault occurs. But what's that function ?
|
|
|
|
```C
|
|
void on_segfault(int sig_num)
|
|
{
|
|
int iVar1;
|
|
FILE *__stream;
|
|
char acStack_b0 [64];
|
|
code *pcStack_70;
|
|
int sig_num_local;
|
|
char data [64];
|
|
FILE *fd;
|
|
|
|
sig_num_local = sig_num;
|
|
__stream = fopen("./flag","r");
|
|
fgets(data,0x40,__stream);
|
|
printf("%s",data);
|
|
fclose(__stream);
|
|
FUN_00401140(1);
|
|
signal(0xb,on_segfault);
|
|
printf("What is the password?\n?: ");
|
|
fflush(stdout);
|
|
fgets(acStack_b0,0x80,stdin);
|
|
iVar1 = strcmp(acStack_b0,"password\n");
|
|
if (iVar1 != 0) {
|
|
puts("incorrect password");
|
|
fflush(stdout);
|
|
}
|
|
return;
|
|
}
|
|
```
|
|
|
|
I removed some bloat but what this function basically does is read the flag and print it.
|
|
So we know what to do, trigger a segfault and you're done. To do that send about 100 characters and you get the flag.
|