Challenge example
Source code
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include "serve.h"
// Descriptor used for every read()/write() in this file; serve() stores its fd_ argument here.
int fd_f;
/*
 * Prompt the peer on fd_f for a password and compare the answer with the
 * first 15 bytes of ".passwd". Returns 1 when strcmp() reports equality,
 * 0 otherwise.
 *
 * NOTE(review): this is the version the page identifies as vulnerable and it
 * is kept as published. buf is 20 bytes long while read() below is allowed to
 * store up to 1024, so every byte past the 20th is written beyond the array.
 * The length should be derived from the buffer (sizeof(buf) - 1) and the
 * count returned by read() used to NUL-terminate buf before strcmp().
 */
int authentification(void) {
char buf[20]; // receives the peer's answer; not initialised and never NUL-terminated here
char passwd[16] = ""; // array to store the secret pass; the initialiser zero-fills all 16 bytes
// NOTE(review): the fopen() result is used unchecked; if ".passwd" cannot be opened, fp is NULL.
FILE *fp = fopen(".passwd", "r");
// At most 15 bytes are read, leaving room for the terminator; the fread() count is not checked.
fread(passwd, 1, 15, fp);
fclose(fp);
passwd[15] = '\0';
write(fd_f, "Password :\n",11);
// NOTE(review): the length argument (1024) exceeds sizeof(buf) (20) -- the out-of-bounds write.
read(fd_f, buf, 1024);
// strcmp() expects NUL-terminated strings; buf is only terminated if the peer sent a NUL byte.
if (!strcmp(buf, passwd)) {
return 1;
} else {
return 0;
}
}
/*
 * Send the fixed "Congratulation" line to the descriptor held in fd_f.
 * No function shown in this listing calls admin().
 */
void admin(void)
{
    static const char banner[] = "Congratulation\n";

    /* sizeof counts the trailing NUL, hence the -1: 15 bytes are written. */
    write(fd_f, banner, sizeof(banner) - 1);
}
/*
 * Per-connection handler passed to Listen() in main().
 *
 * Stores fd_ in the global fd_f, sends the greeting, runs authentification()
 * and reports the outcome. Neither outcome calls admin().
 */
void serve(int fd_)
{
    /* Every helper in this file reads the descriptor from the global. */
    fd_f = fd_;

    write(fd_f, "Welcome, please login in order to use the app.\n", 47);

    if (authentification()) {
        write(fd_f, "Welcome User\n", 13);
        return;
    }

    write(fd_f, "Bad password\n", 13);
}
/*
 * Create the Serve object, bind it and hand serve() to Listen().
 *
 * Exits with status 1 after printing the errno text when Bind() or Listen()
 * returns a negative value; returns 0 otherwise.
 * NOTE(review): Serve is declared in serve.h, which is not shown; the
 * arguments presumably mean "all interfaces, port 1337" and a backlog of 5.
 */
int main()
{
    Serve srv = Serve_Create();

    if (srv.Bind(&srv, "0.0.0.0", 1337) < 0) {
        perror("Binding socket error :");
        exit(1);
    }

    /* Only reached when Bind() succeeded, as exit() does not return. */
    if (srv.Listen(&srv, serve, 5) < 0) {
        perror("Listen error :");
        exit(1);
    }

    return 0;
}
The serve.c code will not be explained here.
It simply serves the binary over a socket and forks it for each connection, so that several connections can be handled at the same time.
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include "serve.h"
// Descriptor used for every read()/write() in this file; serve() stores its fd_ argument here.
int fd_f;
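/*
 * Prompt the peer on fd_f for a password and compare the answer with the
 * first 15 bytes of ".passwd".
 *
 * Returns 1 when the answer equals the stored secret, 0 otherwise. Every
 * failure (secret file missing or empty, read error, peer closed the
 * connection) is reported as 0, so the check fails closed.
 */
int authentification(void) {
    char buf[20];
    char passwd[16] = ""; // zero-filled, so it stays NUL-terminated after a read of at most 15 bytes
    size_t stored;
    ssize_t got;
    FILE *fp = fopen(".passwd", "r");

    if (fp == NULL) {
        return 0; // no secret available: refuse rather than dereference NULL
    }
    stored = fread(passwd, 1, 15, fp);
    fclose(fp);
    passwd[15] = '\0';
    if (stored == 0) {
        return 0; // an empty secret must never match an empty answer
    }

    write(fd_f, "Password :\n", 11);

    // Bound the read by the buffer itself and keep one byte for the terminator.
    got = read(fd_f, buf, sizeof(buf) - 1);
    if (got <= 0) {
        return 0; // error or end of stream: nothing valid to compare
    }
    buf[got] = '\0'; // read() does not terminate; strcmp() needs a C string

    // NOTE(review): strcmp() stops at the first differing byte, so the
    // comparison time depends on the input; use a constant-time compare if
    // timing is part of the threat model.
    return strcmp(buf, passwd) == 0;
}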
/*
 * Send the fixed "Congratulation" line to the descriptor held in fd_f.
 * No function shown in this listing calls admin().
 */
void admin(void)
{
    static const char banner[] = "Congratulation\n";

    /* sizeof counts the trailing NUL, hence the -1: 15 bytes are written. */
    write(fd_f, banner, sizeof(banner) - 1);
}
/*
 * Per-connection handler passed to Listen() in main().
 *
 * Stores fd_ in the global fd_f, sends the greeting, runs authentification()
 * and reports the outcome. Neither outcome calls admin().
 */
void serve(int fd_)
{
    /* Every helper in this file reads the descriptor from the global. */
    fd_f = fd_;

    write(fd_f, "Welcome, please login in order to use the app.\n", 47);

    if (authentification()) {
        write(fd_f, "Welcome User\n", 13);
        return;
    }

    write(fd_f, "Bad password\n", 13);
}
/*
 * Create the Serve object, bind it and hand serve() to Listen().
 *
 * Exits with status 1 after printing the errno text when Bind() or Listen()
 * returns a negative value; returns 0 otherwise.
 * NOTE(review): Serve is declared in serve.h, which is not shown; the
 * arguments presumably mean "all interfaces, port 1337" and a backlog of 5.
 */
int main()
{
    Serve srv = Serve_Create();

    if (srv.Bind(&srv, "0.0.0.0", 1337) < 0) {
        perror("Binding socket error :");
        exit(1);
    }

    /* Only reached when Bind() succeeded, as exit() does not return. */
    if (srv.Listen(&srv, serve, 5) < 0) {
        perror("Listen error :");
        exit(1);
    }

    return 0;
}
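The buffer overflow occurs in the authentification function at line 19, where read() is allowed to store up to 1024 bytes into buf, which is declared with only 20 bytes (the length should be bounded by the size of buf):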
read(fd_f, buf, 1024);
Exploitation
$ python3 bropper.py -t 127.0.0.1 -p 1337 --wait "Password :" --expected Bad --expected-stop Welcome -o dump
Exercise
docker pull thectfrecipes/pwn:brop
Deploy the image using the following command:
docker run --name buffer_overflow_brop -it --rm -d -p 3000:3000 thectfrecipes/pwn:brop
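Access the web shell with your browser at http://localhost:3000/. Note that -p 3000:3000 publishes the port on every host interface and the web shell uses the fixed credentials below; write -p 127.0.0.1:3000:3000 instead if it should only be reachable from the local machine.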
login: challenge
password: password