Pwn1

We are given a binary file with the following information.

Debugging attempt using gdb:

```
$ gdb -q pwn1
Reading symbols from pwn1...(no debugging symbols found)...done.
gdb-peda$ pdisass main
```

Here is the disassembly of the main function:

```
0x080485cf <+29>:  call   0x8048410 <setvbuf@plt>
0x080485d4 <+34>:  add    esp,0x10
0x080485d7 <+37>:  sub    esp,0xc
0x080485da <+40>:  push   0x8048700
0x080485df <+45>:  call   0x80483f0 <puts@plt>
0x080485e4 <+50>:  add    esp,0x10
0x080485e7 <+53>:  sub    esp,0xc
0x080485ea <+56>:  push   0x8048720
0x080485ef <+61>:  call   0x80483f0 <puts@plt>
0x080485f4 <+66>:  add    esp,0x10
0x080485f7 <+69>:  sub    esp,0xc
0x080485fa <+72>:  push   0x804875f
0x080485ff <+77>:  call   0x80483f0 <puts@plt>
0x08048604 <+82>:  add    esp,0x10
0x08048607 <+85>:  mov    DWORD PTR [ebp-0xc],0x0
0x0804860e <+92>:  sub    esp,0xc
0x08048611 <+95>:  lea    eax,[ebp-0x23]
0x08048614 <+98>:  push   eax
0x08048615 <+99>:  call   0x80483d0 <gets@plt>
0x0804861a <+104>: add    esp,0x10
0x0804861d <+107>: cmp    DWORD PTR [ebp-0xc],0xf007ba11
0x08048624 <+114>: jne    0x804862d <main+123>
0x08048626 <+116>: call   0x804854b <print_flag>
0x0804862b <+121>: jmp    0x804863d <main+139>
0x0804862d <+123>: sub    esp,0xc
0x08048630 <+126>: push   0x8048772
0x08048635 <+131>: call   0x80483f0 <puts@plt>
0x0804863a <+136>: add    esp,0x10
0x0804863d <+139>: mov    eax,0x0
0x08048642 <+144>: mov    ecx,DWORD PTR [ebp-0x4]
0x08048645 <+147>: leave
0x08048646 <+148>: lea    esp,[ecx-0x4]
0x08048649 <+151>: ret
```

The disassembly shows a call to gets(), which is vulnerable to buffer overflow.
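As an added example (not code from the original write-up or from the challenge binary), the sketch below models the two locals seen in the disassembly, the gets() destination at `ebp-0x23` and the compared dword at `ebp-0xc`, and replaces the unbounded read with a bounded one that rejects over-long lines. The struct layout, field names and the helpers `read_line` and `process` are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Offsets taken from the disassembly of main. */
#define BUF_OFF   0x23                      /* lea eax,[ebp-0x23] -> gets() destination */
#define CHECK_OFF 0x0c                      /* cmp DWORD PTR [ebp-0xc],0xf007ba11 */
#define BUF_SIZE  (BUF_OFF - CHECK_OFF)     /* 23 bytes separate the two locals */

/* Assumed model of the two adjacent locals; field names are hypothetical. */
struct locals {
    char          buf[BUF_SIZE];
    unsigned char check[4];
};
enum { READ_OK = 0, READ_EOF = -1, READ_TOO_LONG = -2 };

/* Bounded replacement for gets(): never stores more than size bytes, NUL included. */
static int read_line(FILE *in, char *dst, size_t size)
{
    if (size == 0 || fgets(dst, (int)size, in) == NULL)
        return READ_EOF;
    size_t len = strlen(dst);
    if (len > 0 && dst[len - 1] == '\n') {  /* the whole line fitted */
        dst[len - 1] = '\0';
        return READ_OK;
    }
    int c = fgetc(in);                      /* no newline stored: look at what follows */
    if (c == EOF || c == '\n') return READ_OK;   /* final line or exact fit */
    while (c != '\n' && c != EOF) c = fgetc(in); /* discard rest of over-long line */
    dst[0] = '\0';
    return READ_TOO_LONG;
}

/* Reads one line into the modelled frame; reports whether check is still zero. */
static int process(FILE *in, int *check_intact)
{
    static const unsigned char zero[4] = {0};
    struct locals l;
    memset(&l, 0, sizeof l);                /* mov DWORD PTR [ebp-0xc],0x0 */
    int status = read_line(in, l.buf, sizeof l.buf);
    *check_intact = memcmp(l.check, zero, sizeof zero) == 0;
    return status;
}

int main(void)
{
    int intact, status = process(stdin, &intact);
    printf("status=%d check_intact=%d\n", status, intact);
    return 0;
}
```

Because the read is capped at `sizeof l.buf`, the adjacent `check` bytes keep the value the program assigned, whatever the input length.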