Tags: c, security, buffer-overflow, shellcode

Exploit buffer overflow to read the content of a file with verification of input


I have a CTF challenge in which I've got a simple program vulnerable to a buffer overflow (via strcpy), which looks like:

#include <stdio.h>
#include <string.h>

/* Vulnerable: strcpy() copies argv[1] into a 20-byte stack buffer with no bound check. */
void display(char *text)
{
        char buffer[20];
        strcpy(buffer, text);
        printf("%s\n", buffer);
}

int main(int argc, char **argv)
{
        /* Bytes the challenge refuses in argv[1] (0x80 is part of the int 0x80 syscall opcode). */
        char forbidden[] = {0x00, 0x80, 0x89, 0xe1, 0x89};
        size_t i, j;
        if (argc != 2)
        {
                printf("Usage: %s <text>\n", argv[0]);
                return 1;
        }
        for (i = 0; argv[1][i]; i++)
        {
                /* Scan every entry by count: a loop that stops on a 0x00 entry would
                 * end at forbidden[0] and never compare anything. */
                for (j = 0; j < sizeof(forbidden); j++)
                {
                        if (argv[1][i] == forbidden[j])
                        {
                                printf("Shellcode detected!\n");
                                return 1;
                        }
                }
        }
        display(argv[1]);
        return 0;
}

I managed to debug it via GDB and see the addresses and instructions. I took full control of the memory, so I managed to corrupt the memory, inject my own shellcode, and change the return address to that block, which runs my code.

But what bothers me is that the code checks for forbidden characters that I need to use to execute \bin\cat, which really relies on 0x80 (the opcode of the system call). I used a shellcode generator such as masterccc.github, but it never provides me a shellcode without those forbidden characters. I tried an encoder as well (it changes the shellcode instructions but keeps the same semantics), but no way.

I just want to know if I am on the right path and I have to execute shellcode and bypass this verification, or if it's the wrong path? Give me some hint please.

I'm working on x86 32-bit.


Solution

There are other ways to get a shell ;) You should probably check what a ROP chain is.

If you still want to use a shellcode (and this is probably the easiest way), you could also inject it in an env variable instead of argv[1] and use jmp ADDRESS_OF_THE_SHELLCODE_IN_ENV in argv[1]. It won't trigger the forbidden characters.

Have fun with the CTF!
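The challenge's byte denylist does not remove the bug; the overflow in display() does. Here is what the same program looks like once the copy itself is bounded, alongside a filter that actually scans every listed byte. This is an added example, not the CTF's or the asker's code; display_safe, contains_forbidden and challenge_filter are names chosen here.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

#define BUF_LEN 20

/* Hardened replacement for display(): bounded copy, always NUL-terminated.
 * Returns the number of bytes copied (without the terminator) so a caller
 * can tell that the input was truncated rather than overflowing the stack. */
size_t display_safe(const char *text)
{
        char buffer[BUF_LEN];
        size_t n = strlen(text);
        if (n > BUF_LEN - 1)
                n = BUF_LEN - 1;        /* truncate instead of overflowing */
        memcpy(buffer, text, n);
        buffer[n] = '\0';
        printf("%s\n", buffer);
        return n;
}

/* Byte filter that checks every entry by count. The posted loop stopped at a
 * 0x00 entry in forbidden[0], so it compared nothing; a count-based scan does
 * not depend on a sentinel. Returns 1 if a forbidden byte is present. */
int contains_forbidden(const char *text, const unsigned char *forbidden, size_t nforbidden)
{
        for (size_t i = 0; text[i]; i++)
                for (size_t j = 0; j < nforbidden; j++)
                        if ((unsigned char)text[i] == forbidden[j])
                                return 1;
        return 0;
}

/* The challenge's byte set. 0x00 is omitted: argv strings cannot carry a NUL,
 * so it could never match, and it must not act as a list terminator. */
int challenge_filter(const char *text)
{
        static const unsigned char bad[] = {0x80, 0x89, 0xe1};
        return contains_forbidden(text, bad, sizeof bad);
}

int main(int argc, char **argv)
{
        if (argc != 2) {
                printf("Usage: %s <text>\n", argv[0]);
                return 1;
        }
        if (challenge_filter(argv[1])) {
                printf("Shellcode detected!\n");
                return 1;
        }
        display_safe(argv[1]);
        return 0;
}
```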