🐈00-intro_setup_basics

https://github.com/Crypto-Cat/CTF/tree/main/pwn/binary_exploitation_101

You can obviously find thousands of definitions about what is a buffer overflow on internet but, here is my definition and how i understand it:

A data buffer is a region of the memory who stores data temporarily. There is a size allocated to a buffer's memory and buffer overflow or buffer overrun is when you write past that allocated memory and overwrite other zones in the memory you were not supposed to overwite. The goal is to write into areas known to hold executable code and replace it with malicious code, or to selectively overwrite data pertaining to the program's state, therefore causing behavior that was not intended by the original programmer.

I hope that's not too far from the overall definition.

Now we will see the tools that we will need to persue all those exercises, first we'll need:

Here are some useful ressources:

Here is a python script that will be make it possible to create a ghidra project very quickly:

Let's get on the practical side of things ->

this is our vulnerable code

#include <stdio.h>
#include <string.h>

int main(void)
{
    char buffer[16];

    printf("Give me data plz: \n");
    gets(buffer);
    
    return 0;
}

Ok so let's start by getting some infos about the file ->

let's remember we have 2 files: vuln & vuln.c

file vuln

Let's explain:

  • ELF: This stands for Executable and Linkable Format, which is a common file format for executables, object code, shared libraries, and core dumps in Unix-like systems.

  • 32-bit: Indicates that this executable is compiled for a 32-bit architecture, meaning it can access 2^32 memory addresses.

  • LSB: Stands for Least Significant Byte. This indicates that the file uses little-endian byte order, where the least significant byte is stored at the smallest address.

  • dynamically linked: This means that the executable is linked to shared libraries at runtime, rather than having all code statically included in the executable.

  • not stripped: This means that the executable still contains its symbol table and debugging information. Stripped executables have this information removed to reduce file size.

Here it is already compiled but here is the command if we would want to do it:

gcc vuln.c -o vuln -fstack-protector-all

And we get a warning:

this gives us a hint on what to do next

Let's try to do our buffer overflow ->

The trick here if i understand it well is that there is a buffer size of 16 allocated to the buffer and gets is very unsecure unlike fgets because it does not look at the size inputed so if we enter an input greater than 16 it will crash

Now if we try to open the file with gdb ->

gdb vuln

We can get some infos about the file and what it's doing:

What is interesting is obviously the main function so let's disassemble it:

disassemble main

We could jump to different functions inside the debugger or set up a breakpoint

Let's set up a breakpoint at main:

break main
run

If we want an info about the stack:

info stack

now let's just type c (continue), this will technically run the program and we will me able to see how it reacts ->

don't forget to do a little delete breakpoints si it does not hit many times on it

Ghidra methodology

First create a new project and import the file you want:

click on yes to analyze and then you're in:

We can start by looking at the main function and quickly see in the decompiler that this looks a lot like vuln.c program we had earlier:

if we select a function name and type L, we can globally modify it's value:

PreviousCryptoCat TutorialsNext01-overwriting_stack_variables_part1

Last updated