Author : aDHIxx
Initial Analysis
The challenges has three questions that needs to be answered. The initial questions are integer overflow and the third question is integer overflow that triggers a buffer overflow vulnerability .
- Initial steps to analyize the binary
Conclusions from initial check::
- 32 - bit binary
- Not stripped
- All migitations are disabled
- The presence of
winfunction that can get us a shell.
- Source code
Integer overflow
When the result of an integer operation does not fit inside the allotted memory space, it is referred to as an integer overflow. Rather than a small error in program, it should be considered as a bug that can be exploited to alter the course of normal exceution of program.
quiz1
On analysing the source code, one would understand that we have to somehow find a number that when added to 4294967295 would give us 0.
The basic common sense would be to give -4294967295 as input. But doing it would result in error.
This is because in C language the range that is reserved for storing the int [data type] is -2147483648 to 2147483647. So, giving -4294967295, won't work.
So moving onto our question,this question has the most classic example of integer overflow.
The range of values that can be stored for an unsigned integer in 4 bytes is 0 to 4294967295[0xfffffff].
| Data type | byte | range |
|---|---|---|
| unsigned int | 4 | 0 - 4294967295 |
So if u add 1 to it, it wouldn't become 4294967296, instead would result in an overflow ::1 + 0xfffffff = 0x100000000. But the additional bit is disregarded, thus resulting in 0.
quiz2
On analysing the code one would understand that we have to find a number that when multiplied with 16 would give me 0 but shouldn't be 0 itself.
As said before the range of signed integer is from -2147483648 to 2147483647, so we can give 268435456 .
quiz3
From main()
On analysing the code,one can see that the length of the input is being checked. Only if it is equal to 6, one can reach the buffer overflow vulnerability that is present in strcpy. On overflowing,we get code execution so we can do a ret2win and that would give us a shell.
But if we were to give an input with length 6, we wouldn't be able to overflow since the array is of size 23.
Now we need to find the vulnerability in any functions in quiz3 using which we can somehow overcome the length barrier. The bug is that the result of strlen(input) is converted to a byte. So here if we were to give 0x106, then strlen will return 0x06, thus passing the length constraint.
Now we can give an input of length 0x106 and in that input we could overflow the variable inp_buff[23] and ret2win.
Now we need to get the buffer value and address of win function.
Now putting all of this together, we get the exploit as::
