Simple Buffer Overflow - 0x00

tags: CTF PWN

Original Code

#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>   // read(); available on MinGW, which matches the x32dbg session below

int main()
{
    char buf[0x10];      // 16-byte stack buffer
    read(0, buf, 0x30);  // reads up to 0x30 (48) bytes from stdin into a 0x10 (16) byte buffer: the overflow
    system("pause");     // Windows-only; keeps the console open so the run can be inspected
    return 0;
}
  • Note that you can check this page to learn more about the read function

Dynamic Analysis - x32dbg

  • This is the original entry point of this program.

  • 0x00404185 is the call to the read function that receives the string we typed. We step into this function and continue executing until 0x7655BFE5.

  • The most important part

    To trigger the buffer overflow, we must enter a string longer than 16 bytes so that it overwrites the saved ebp and the return address (eip) stored above the buffer.

  • If we enter a string of normal length such as aaaaaaaaaaaaaaaa (16 bytes), the eip register holds 0x0040148A and the program finishes normally.

  • What if we enter 32 a characters? The saved ebp and eip are overwritten with 0x61616161 ("aaaa"), so the program flow can be redirected by placing a specific address at that position in the input.
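As an added illustration (not part of the original write-up), the following C program models the frame described above as a struct: a 16-byte buffer directly below the saved ebp and the return address. Feeding it the same 16-byte and 32-byte inputs shows why 16 bytes leave the return address at 0x0040148A while 32 bytes replace both saved values with 0x61616161, and the bounded copy next to it shows the fix: never copy more than sizeof(buf) - 1 bytes and NUL-terminate. The struct layout, the saved-ebp value and the function names are assumptions made for this example; the copy is clamped to the model frame so the demonstration stays in bounds, whereas on the real stack the surplus bytes would keep going past the return address.

```c
#include <inttypes.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Model of the 32-bit frame from the write-up (an assumption): the 16-byte
   buffer sits directly below the saved ebp and the return address. */
struct frame {
    char     buf[0x10];
    uint32_t saved_ebp;
    uint32_t ret_addr;
};

#define RET_NORMAL 0x0040148Au   /* return address reported in the write-up */
#define EBP_SAMPLE 0x0061FF00u   /* constructed placeholder for the saved ebp */

static struct frame fresh_frame(void)
{
    struct frame f;
    memset(&f, 0, sizeof f);
    f.saved_ebp = EBP_SAMPLE;
    f.ret_addr  = RET_NORMAL;
    return f;
}

/* Vulnerable pattern: read(0, buf, 0x30) accepts up to 0x30 bytes although
   buf holds 0x10, so bytes 16..23 land on saved_ebp and ret_addr. */
struct frame run_unbounded(const char *input, size_t input_len)
{
    struct frame f = fresh_frame();
    size_t n = input_len < 0x30 ? input_len : 0x30;
    /* Clamp to the model frame so this demo never writes outside the struct. */
    size_t room = sizeof f - offsetof(struct frame, buf);
    if (n > room) n = room;
    memcpy((unsigned char *)&f + offsetof(struct frame, buf), input, n);
    return f;
}

/* Corrected form: the copy is bounded by the destination size, the buffer is
   NUL-terminated, and the caller learns how many input bytes were dropped. */
size_t bounded_fill(struct frame *f, const char *input, size_t input_len)
{
    size_t limit = sizeof f->buf - 1;
    size_t n = input_len < limit ? input_len : limit;
    memcpy(f->buf, input, n);
    f->buf[n] = '\0';
    return input_len - n;
}

struct frame run_bounded(const char *input, size_t input_len)
{
    struct frame f = fresh_frame();
    bounded_fill(&f, input, input_len);
    return f;
}

size_t bounded_drop_count(const char *input, size_t input_len)
{
    struct frame f = fresh_frame();
    return bounded_fill(&f, input, input_len);
}

size_t bounded_buf_len(const char *input, size_t input_len)
{
    struct frame f = run_bounded(input, input_len);
    return strlen(f.buf);
}

int main(void)
{
    /* Constructed inputs: 16 and 32 'a' bytes, as in the write-up. */
    const char a16[] = "aaaaaaaaaaaaaaaa";
    const char a32[] = "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa";
    struct frame f;

    f = run_unbounded(a16, 16);
    printf("16 bytes, unbounded: ebp=%08" PRIx32 " ret=%08" PRIx32 "\n", f.saved_ebp, f.ret_addr);
    f = run_unbounded(a32, 32);
    printf("32 bytes, unbounded: ebp=%08" PRIx32 " ret=%08" PRIx32 "\n", f.saved_ebp, f.ret_addr);
    f = run_bounded(a32, 32);
    printf("32 bytes, bounded:   ebp=%08" PRIx32 " ret=%08" PRIx32 " dropped=%zu\n",
           f.saved_ebp, f.ret_addr, bounded_drop_count(a32, 32));
    return 0;
}
```

Compiled with any C99 compiler, the unbounded run prints ret=0040148a for the 16-byte input and ret=61616161 for the 32-byte input, while the bounded run keeps both saved values intact and reports 17 dropped bytes. The same defence applies to the original program: pass sizeof buf - 1 to read instead of a constant larger than the buffer.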

Reference

PWN basic