Author : aDHIxx
The challenges has three questions that needs to be answered. The initial questions are integer overflow and the third question is integer overflow that triggers a buffer overflow vulnerability .
- Initial steps to analyize the binary
Conclusions from initial check::
- 32 - bit binary
- Not stripped
- All migitations are disabled
- The presence of
winfunction that can get us a shell.
- Source code
When the result of an integer operation does not fit inside the allotted memory space, it is referred to as an integer overflow. Rather than a small error in program, it should be considered as a bug that can be exploited to alter the course of normal exceution of program.
On analysing the source code, one would understand that we have to somehow find a number that when added to
4294967295 would give us
The basic common sense would be to give
-4294967295 as input. But doing it would result in error.
This is because in C language the range that is reserved for storing the int [data type] is
2147483647. So, giving
-4294967295, won't work.
So moving onto our question,this question has the most classic example of integer overflow.
The range of values that can be stored for an unsigned integer in 4 bytes is
|unsigned int||4||0 - 4294967295|
So if u add
1 to it, it wouldn't become
4294967296, instead would result in an overflow ::
1 + 0xfffffff = 0x100000000. But the additional bit is disregarded, thus resulting in 0.
On analysing the code one would understand that we have to find a number that when multiplied with 16 would give me
0 but shouldn't be
As said before the range of signed integer is from
2147483647, so we can give
On analysing the code,one can see that the length of the input is being checked. Only if it is equal to
6, one can reach the buffer overflow vulnerability that is present in
strcpy. On overflowing,we get code execution so we can do a ret2win and that would give us a shell.
But if we were to give an input with length
6, we wouldn't be able to overflow since the array is of size 23.
Now we need to find the vulnerability in any functions in quiz3 using which we can somehow overcome the length barrier. The bug is that the result of
strlen(input) is converted to a byte. So here if we were to give
strlen will return
0x06, thus passing the length constraint.
Now we can give an input of length
0x106 and in that input we could overflow the variable
inp_buff and ret2win.
Now we need to get the buffer value and address of
Now putting all of this together, we get the exploit as::