Tuesday, March 27, 2018

Binary Exploitation Basics - Int Limits & Buffer Overflow

It's been a while. I've been practicing and delving more into the CTF world. Capture-the-flag events help you not only to understand different areas of cyber security but also to think outside the box. Lately, I've been blessed to find some easy CTFs for understanding the basics of binary exploitation, a subject that can be cumbersome for many, including myself. I hope that, with this video blog, you can understand the very basics of C integer limits and the buffer overflow that results from the gets() function in a C program.

Let's start.

Binary 1: C Integer Range Limitations

In the first program, accumulator.c, we are looking at an int variable ('n') that is assigned the user's input, but the program only gives us access to the (secret) flag if the variable is negative. The problem is that it doesn't let us enter negative values. If we enter a "too high" value, it also refuses to give us the flag.

The secret I found here was to understand the limits of signed integers in a C program. As you can see in the table below, the maximum value a signed 32-bit int can hold is 2147483647. If we enter that value, and the program then adds one to it, the variable goes out of range; on a typical two's-complement build the result wraps around to the minimum value of int, which is -2147483647 - 1 (that is, -2147483648), and that negative value lands in the variable, giving us the flag. (Strictly, signed overflow is undefined behaviour in C, so a compiler is free to do something else; the wraparound is what the compiled binary happens to produce.)
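The integer behaviour described above, as an added example that is not the challenge's own accumulator.c: `wrap_add` reproduces the INT_MAX + 1 wraparound (computed in unsigned arithmetic so it is well-defined), and `checked_add` and `parse_int_strict` are the defensive counterparts a hardened version of the program would use. Function names and the "accumulator" logic are my assumptions about the challenge, not its actual source.

```c
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>

/* Added example (not the challenge's own accumulator.c).
 * Shows INT_MAX + 1 wrapping to INT_MIN on a typical two's-complement
 * build, and the defensive checks that stop the wrap from being exploitable. */

/* What a wrapping build produces for a + b. Signed overflow is undefined
 * behaviour in C, so the sum is computed in unsigned (well-defined modulo
 * 2^32) and converted back; on two's-complement targets the conversion
 * yields the wrapped value, e.g. 2147483647 + 1 -> -2147483648. */
int wrap_add(int a, int b) {
    return (int)((unsigned int)a + (unsigned int)b);
}

/* Defensive version: detect overflow before it happens.
 * Returns 0 and stores the sum, or -1 if a + b does not fit in an int. */
int checked_add(int a, int b, int *out) {
    if ((b > 0 && a > INT_MAX - b) || (b < 0 && a < INT_MIN - b))
        return -1;
    *out = a + b;
    return 0;
}

/* Parse user input as an int with full range checking instead of atoi().
 * Rejects empty input, trailing junk, and anything outside [INT_MIN, INT_MAX].
 * Returns 0 on success, -1 on failure. */
int parse_int_strict(const char *s, int *out) {
    char *end;
    errno = 0;
    long v = strtol(s, &end, 10);
    if (end == s || (*end != '\0' && *end != '\n'))
        return -1;                       /* no digits, or junk after them */
    if (errno == ERANGE || v > INT_MAX || v < INT_MIN)
        return -1;                       /* out of int range */
    *out = (int)v;
    return 0;
}

/* Hypothetical flawed logic mirroring the post: take n, add one, test the
 * sign. Returns 1 if the flag check passes with unchecked arithmetic. */
int accumulator_unsafe(int n) {
    return wrap_add(n, 1) < 0;
}

/* Hardened: an overflowing increment is an error, never a negative result. */
int accumulator_safe(int n) {
    int r;
    if (checked_add(n, 1, &r) != 0)
        return 0;
    return r < 0;
}

int main(void) {
    int n;
    printf("INT_MAX = %d, INT_MIN = %d\n", INT_MAX, INT_MIN);
    if (parse_int_strict("2147483647", &n) == 0)
        printf("input %d -> unsafe check: %d, safe check: %d\n",
               n, accumulator_unsafe(n), accumulator_safe(n));
    return 0;
}
```

With the input 2147483647 the unchecked version reports a negative result (flag granted), while the checked version refuses the increment; compilers also offer `__builtin_add_overflow` on GCC and Clang for the same test without the manual comparison.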

Binary 2: Buffer Overflow in 'gets()' function

In this challenge we have to use a disassembler (such as gdb or objdump) to see which functions the program uses to read and write data. After a little time examining the main() function, we can see that the C program reads input using the gets() function instead of fgets(). A quick Google search shows this is a well-known issue: gets() has no way to know the size of the destination buffer, so it leads directly to a buffer overflow.

By running a one-liner in Python we overflow the buffer with 500 A's, causing a segmentation fault; and because gets() does not check the bounds of the buffer, it simply lets us read all the data available in the array, including the flag.

There is a simple fix for this: read input with fgets(), which takes the buffer size as an argument, instead of gets().
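The fix described above, as an added example that is not the challenge binary: a bounded `read_line` built on fgets() that also drains the rest of an over-long line, fed the post's 500-A payload from an in-memory stream (fmemopen, POSIX). The struct layout with the flag adjacent to the input buffer is my assumption about the challenge, constructed to show that the bounded read leaves it untouched.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <string.h>

/* Added example, not the challenge's own code. The vulnerable pattern the
 * post describes is, in essence:
 *     char buf[16];
 *     gets(buf);      // no length argument: a 500-byte line overwrites what follows
 * It is not compiled here; the bounded replacement below is. */

/* Hypothetical layout mirroring the challenge: a small input buffer with
 * the secret sitting right after it in memory. */
struct ctx {
    char buf[16];
    char flag[32];
};

/* Bounded line read. Stores at most n-1 bytes plus a terminator, strips the
 * newline, and discards the remainder of an over-long line so it cannot be
 * mistaken for the next input. Returns bytes stored, or -1 on EOF/error. */
int read_line(char *buf, size_t n, FILE *in) {
    if (n == 0 || fgets(buf, (int)n, in) == NULL)
        return -1;
    size_t len = strlen(buf);
    if (len > 0 && buf[len - 1] == '\n') {
        buf[--len] = '\0';
    } else {
        int c;                            /* line was longer than the buffer */
        while ((c = fgetc(in)) != EOF && c != '\n')
            ;
    }
    return (int)len;
}

/* Convenience wrapper: read one line from an in-memory string. */
int read_line_from_string(const char *s, char *buf, size_t n) {
    FILE *in = fmemopen((void *)s, strlen(s), "r");
    if (in == NULL)
        return -1;
    int got = read_line(buf, n, in);
    fclose(in);
    return got;
}

/* Feed a constructed 500-byte line of 'A's (the post's payload) through
 * read_line and report whether the adjacent flag survived untouched. */
int flag_survives_overlong_input(void) {
    struct ctx c;
    memset(&c, 0, sizeof c);
    strcpy(c.flag, "FLAG{constructed-example}");   /* constructed secret */

    char line[502];
    memset(line, 'A', 500);
    line[500] = '\n';
    line[501] = '\0';

    int got = read_line_from_string(line, c.buf, sizeof c.buf);

    /* Expect 15 bytes stored, terminator in place, flag unchanged. */
    return got == 15 && c.buf[15] == '\0'
        && strcmp(c.flag, "FLAG{constructed-example}") == 0;
}

int main(void) {
    printf("flag intact after 500 A's: %s\n",
           flag_survives_overlong_input() ? "yes" : "no");
    return 0;
}
```

The drain loop matters in interactive programs: without it, the 485 bytes fgets() did not consume would be returned by the next read, which is a common source of confusing behaviour after switching from gets() to fgets().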

I hope you enjoyed this video and learned a few things just like I did. Cheers!
