picoctf_2018_buffer overflow 0
Steps
- Routine inspection: 32-bit program, NX protection enabled.
- The prompt gives an ssh connection.
- After connecting over ssh I tried a few things; it seems that the program vuln can read the flag.
- Load the test file into 32-bit IDA.
Looking up the signal number: 11 is SIGSEGV, the signal raised on an invalid memory access.
Line 15 registers a function sigsegv_handler to be run when the program triggers an invalid memory access.
That is to say, whenever the program causes an invalid memory access, it outputs the flag.
Looking further down at the vuln function,
it copies src to dest without a length check, which can cause an overflow.
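As an added example (not the challenge's own code), here is the hardened counterpart of what the writeup describes: a bounded copy in place of the unchecked src-to-dest copy, and a SIGSEGV handler that only reports the crash instead of reading the flag. The dest size of 0x18 is inferred from the payload padding and is an assumption.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <signal.h>
#include <unistd.h>

/* Assumed buffer size: the writeup pads 0x18 bytes before the saved ebp,
 * which suggests dest was 0x18 (24) bytes in the challenge binary. */
#define DEST_LEN 0x18

/* Bounded replacement for the strcpy()-style copy in vuln(): returns the
 * number of bytes copied, or -1 if src (plus its NUL) does not fit. */
int bounded_copy(char *dest, size_t dest_len, const char *src) {
    /* Only look for the terminator inside the first dest_len bytes of src,
     * so an unterminated or oversized input is rejected, never copied. */
    const char *end = memchr(src, '\0', dest_len);
    if (end == NULL)
        return -1;                   /* would write past dest */
    size_t n = (size_t)(end - src);  /* n <= dest_len - 1 here */
    memcpy(dest, src, n + 1);        /* n + 1 copies the NUL as well */
    return (int)n;
}

/* Hardened vuln(): 1 = input accepted and echoed, 0 = rejected. */
int vuln_fixed(const char *input) {
    char dest[DEST_LEN];
    if (bounded_copy(dest, sizeof dest, input) < 0)
        return 0;
    puts(dest);
    return 1;
}

/* The challenge's sigsegv_handler printed the flag on any invalid memory
 * access, turning every crash into a secret disclosure. A crash handler
 * should only report and terminate, using async-signal-safe calls. */
static void sigsegv_handler(int sig) {
    static const char msg[] = "fatal: invalid memory access\n";
    (void)sig;
    write(STDERR_FILENO, msg, sizeof msg - 1);
    _exit(1);
}

int main(int argc, char **argv) {
    signal(SIGSEGV, sigsegv_handler);
    if (argc < 2) {
        fprintf(stderr, "usage: %s <input>\n", argv[0]);
        return 2;
    }
    return vuln_fixed(argv[1]) ? 0 : 1;
}
```

Run it with a short argument and with a long one: the short input is echoed, the long one is rejected with exit status 1 instead of overflowing dest.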
There are two solutions:
1. Overwrite the return address with puts, then print the contents at the flag address:
payload='a'*(0x18+4)+p32(puts)+p32(0)+p32(flag_addr)
./vuln aaaaaaaaaaaaaaaaaaaaaaaa\xc0\x84\x04\x08\x00\x00\x00\x00\x80\xa0\x04\x08
2. The analysis above also showed that the flag is output whenever a memory access error occurs. Because of the overflow in vuln, we can easily trigger an illegal memory access.