InCTF Jr 2023
October - December, 2023


Medium Pwn

Author : aDHIxx

Initial Analysis

The challenges has three questions that needs to be answered. The initial questions are integer overflow and the third question is integer overflow that triggers a buffer overflow vulnerability .

  • Initial steps to analyize the binary

Conclusions from initial check::

  1. 32 - bit binary
  2. Not stripped
  3. All migitations are disabled
  4. The presence of win function that can get us a shell.
  • Source code

Integer overflow

When the result of an integer operation does not fit inside the allotted memory space, it is referred to as an integer overflow. Rather than a small error in program, it should be considered as a bug that can be exploited to alter the course of normal exceution of program.


On analysing the source code, one would understand that we have to somehow find a number that when added to 4294967295 would give us 0. The basic common sense would be to give -4294967295 as input. But doing it would result in error.

This is because in C language the range that is reserved for storing the int [data type] is -2147483648 to 2147483647. So, giving -4294967295, won't work.

So moving onto our question,this question has the most classic example of integer overflow.

The range of values that can be stored for an unsigned integer in 4 bytes is 0 to 4294967295[0xfffffff].

Data typebyterange
unsigned int40 - 4294967295

So if u add 1 to it, it wouldn't become 4294967296, instead would result in an overflow ::1 + 0xfffffff = 0x100000000. But the additional bit is disregarded, thus resulting in 0.


On analysing the code one would understand that we have to find a number that when multiplied with 16 would give me 0 but shouldn't be 0 itself. As said before the range of signed integer is from -2147483648 to 2147483647, so we can give 268435456 .


From main()

On analysing the code,one can see that the length of the input is being checked. Only if it is equal to 6, one can reach the buffer overflow vulnerability that is present in strcpy. On overflowing,we get code execution so we can do a ret2win and that would give us a shell.

But if we were to give an input with length 6, we wouldn't be able to overflow since the array is of size 23.

Now we need to find the vulnerability in any functions in quiz3 using which we can somehow overcome the length barrier. The bug is that the result of strlen(input) is converted to a byte. So here if we were to give 0x106, then strlen will return 0x06, thus passing the length constraint.

Now we can give an input of length 0x106 and in that input we could overflow the variable inp_buff[23] and ret2win.

Now we need to get the buffer value and address of win function.

Now putting all of this together, we get the exploit as::