Description:

Smash the stack
Let's start off simple, can you overflow the correct buffer?

The binary, a link to the challenge, and the source code are provided. The relevant parts of the code are shown below.

All the task description tells us is that we are dealing with a buffer overflow vulnerability.

There is a SIGSEGV handler that prints the flag if we trigger a segmentation fault:

void sigsegv_handler(int sig) {
  printf("%s\n", flag);
  fflush(stdout);
  exit(1);
}

The code also contains insecure functions such as gets and strcpy. Both are susceptible to buffer overflow, but in this case we will focus on strcpy, since it copies a buffer of size 100 into a buffer of size 16:

char buf2[16];
strcpy(buf2, input);

So, to cause a segmentation fault we can overflow this buffer so that the overflow overwrites the function's return address on the stack. Values on the stack are laid out in 4-byte steps, so let's try to overflow it with a string of 20 characters.
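As an added illustration (not the challenge's own code), the unbounded copy above is shown next to a bounded version that cannot overrun buf2; BUF2_SIZE, copy_bounded and strcpy_overflow_bytes are names assumed here, and the inputs are constructed from this writeup:

```c
#include <stdio.h>
#include <string.h>

#define BUF2_SIZE 16   /* same size as buf2 in the challenge source */

/* Bounded replacement for the challenge's strcpy(buf2, input):
 * copies at most dst_size-1 bytes and always NUL-terminates.
 * Returns 1 if the whole input fitted, 0 if it had to be truncated. */
int copy_bounded(char *dst, size_t dst_size, const char *src) {
    size_t len = strlen(src);
    if (dst_size == 0) return 0;
    if (len >= dst_size) {
        memcpy(dst, src, dst_size - 1);
        dst[dst_size - 1] = '\0';
        return 0;
    }
    memcpy(dst, src, len + 1);
    return 1;
}

/* Number of bytes that a plain strcpy of src writes past a destination of
 * dst_size bytes (the terminating NUL counts). 0 means the copy stays in bounds. */
size_t strcpy_overflow_bytes(size_t dst_size, const char *src) {
    size_t needed = strlen(src) + 1;
    return needed > dst_size ? needed - dst_size : 0;
}

int main(void) {
    char buf2[BUF2_SIZE];
    /* constructed inputs: the 20-'A' string from this writeup and a short string */
    const char *payload = "AAAAAAAAAAAAAAAAAAAA";
    const char *short_input = "hello";

    printf("strcpy of %zu bytes into buf2[%d] overruns it by %zu bytes\n",
           strlen(payload) + 1, BUF2_SIZE, strcpy_overflow_bytes(BUF2_SIZE, payload));
    if (!copy_bounded(buf2, sizeof buf2, payload))
        printf("bounded copy truncated the input to \"%s\"\n", buf2);
    if (copy_bounded(buf2, sizeof buf2, short_input))
        printf("bounded copy kept the input intact: \"%s\"\n", buf2);
    return 0;
}
```

The 20-character string plus its NUL terminator needs 21 bytes, so strcpy writes 5 bytes past the end of buf2, while the bounded copy stops at 15 characters.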

So, this is the actual exploit:

AAAAAAAAAAAAAAAAAAAA

The result is shown in Figure 1:

Figure 1: Retrieving the flag

Figure 1: Retrieving the flag

In this case, the function's return address was overwritten with a zero byte (the terminator of the input string), which caused a segmentation fault and printed out the flag. Here is the flag: