El Clasico

By Uday Shankar

This is a simple buffer overflow problem. The program has a blatant vulnerability: it reads input with the gets() function, which keeps reading and writing into the given buffer until it encounters a newline, so you can write far past the end of the buffer as long as the input contains no newline. The buffer lives on the stack, a memory region that also holds sensitive data such as return addresses. By overwriting the return address of the isCool function, we can jump to any point in the code; in particular, we can skip the code for the if statement and go straight to the code that spawns a shell.

We generate the input needed to exploit the overflow by loading the binary in gdb and measuring the distance between the start of the buffer and the saved return address on the stack. Although the absolute addresses of items on the stack vary from run to run, the distance between two items is constant. From there, we pad the buffer with some filler data, followed by the desired return address. When gets() reads the input, it writes the filler and then writes the desired return address over the old one. Once the function returns, execution goes straight to the part of the code that spawns the shell, and from there it is easy to get the flag with the Linux command cat.
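A defensive counterpart, added here and not part of the original writeup: the same line read done with fgets() into a fixed-size buffer, so an over-long line is reported rather than written over the saved return address. read_line and demo are hypothetical names, and the 32-byte buffer size is an assumption.

```c
#include <stdio.h>
#include <string.h>

/* Added example, not the challenge's own code. The challenge reads with
 * gets(buf), which writes until a newline regardless of buf's size. The
 * hypothetical read_line() below is the bounded replacement: fgets() never
 * writes more than len bytes, and an over-long line is reported instead of
 * silently spilling over the saved return address. */

#define BUF_LEN 32                            /* assumed buffer size */
typedef enum { READ_OK, READ_TOO_LONG, READ_EOF } read_status;

/* Read one line into buf: at most len-1 characters plus the NUL. */
read_status read_line(FILE *in, char *buf, size_t len) {
    if (fgets(buf, (int)len, in) == NULL)
        return READ_EOF;                      /* nothing left to read */
    size_t n = strlen(buf);
    if (n > 0 && buf[n - 1] == '\n') {
        buf[n - 1] = '\0';                    /* drop the newline */
        return READ_OK;
    }
    /* No newline: either EOF ended a short final line, or the line was
     * longer than the buffer. Peek one character to tell them apart. */
    int c = fgetc(in);
    if (c == EOF)
        return READ_OK;
    while (c != '\n' && c != EOF)             /* discard the excess so it */
        c = fgetc(in);                        /* cannot leak into the next read */
    return READ_TOO_LONG;
}

/* Feed constructed input through read_line() and return a bitmask of the
 * statuses seen, so the behaviour can be checked without a terminal. */
int demo(void) {
    FILE *f = tmpfile();                      /* constructed sample input */
    if (f == NULL) return -1;
    fputs("hello\n", f);                      /* fits: READ_OK */
    for (int i = 0; i < 48; i++) fputc('A', f);
    fputc('\n', f);                           /* 48 bytes > BUF_LEN: READ_TOO_LONG */
    fputs("bye", f);                          /* no trailing newline: READ_OK */
    rewind(f);
    char buf[BUF_LEN];
    int mask = 0;
    read_status s;
    while ((s = read_line(f, buf, BUF_LEN)) != READ_EOF)
        mask |= 1 << s;
    fclose(f);
    return mask;                              /* (1<<READ_OK)|(1<<READ_TOO_LONG) == 3 */
}
```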

Flag: one_of_these_pops_up_everytiem
