overflows
osusec
monday, 10/14
Capture The Flag League
Buffer Overflows
deadface ctf is this weekend
Primer - C
as quickly as possible
What’s a variable
- It’s a name we give to a spot in memory
- Now I can go back to my little spot
- and it will still have the value 65 in it
The many faces of my little spot
- 65 means a lot of things
- It can be a number
- Or a character ('A' in ASCII)
- Or the exact GPS coordinates of a little spot (a memory address)
- The bytes are the same; only the type tells the program how to read them
That was fun, what about bigger numbers
- Just use multiple bytes
- ints have 4 bytes (on x86-64 and ARM64, which is all you’ll meet in CTF)
- unsigned int: [0, 4294967295] = [0x0, 0xffffffff]
- signed int: [-2147483648, 2147483647] (top bit set = negative)
Interlude: Hexadecimal
- Hackers call it hex
- Nerds call it base 16
- 0123456789abcdef = 16 digits instead of 10
- Prefix with 0x
- Two hex digits = byte
- 0xa = 10
- 0xc = 12
- 0xff = 255
int main() {
int a = 0x3e4dfa72;
}
pwndbg> x &a
0x7fffffffdd8c: 0x3e4dfa72
Looks good.
(because the value at the address of a is the value of a)
int main() {
int a = 0x3e4dfa72;
}
pwndbg> x/b &a
0x7fffffffdd8c: 0x72
What?
Little-endian
- Multi-byte numbers are stored "backwards" in memory
- First byte (lowest address) = least significant byte
- 0x11223344 looks like 0x44 0x33 0x22 0x11 in memory
- x86 and ARM are little-endian: remember this whenever you write an address into a payload
int main() {
int a = 0x3e4dfa72;
}
pwndbg> x/4xb &a
0x7fffffffdd8c: 0x72 0xfa 0x4d 0x3e
real quick, what are all these &s? & is "address of": &a is where a lives, not what a holds
demo 2
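An added example (not from the slides) of what pwndbg’s x/4xb is doing: take the address of a variable, walk it byte by byte, and decode or encode a 32-bit value as little-endian independent of the host. The function names and the byte dump are made up for this example; the value 0x3e4dfa72 is the one from the slide.

```c
#include <stdint.h>
#include <stdio.h>

/* Copy the four bytes of v in the order they sit in memory.  &v is the
 * address of v; viewing that address as unsigned char * lets us walk it
 * one byte at a time, which is exactly what pwndbg's x/4xb does. */
static void bytes_in_memory(uint32_t v, unsigned char out[4]) {
    const unsigned char *p = (const unsigned char *)&v;
    for (int i = 0; i < 4; i++)
        out[i] = p[i];
}

/* Byte i (0 = lowest address) of v as stored on this machine. */
static unsigned char byte_at(uint32_t v, int i) {
    unsigned char b[4];
    bytes_in_memory(v, b);
    return b[i];
}

/* 1 on a little-endian host (x86-64, AArch64 Linux), 0 on big-endian. */
static int host_is_little_endian(void) {
    return byte_at(0x11223344u, 0) == 0x44;
}

/* Decode four bytes that are known to be little-endian, independent of
 * the host.  This is how to read an address out of a captured payload,
 * a core dump or a pwndbg byte dump without getting the order wrong. */
static uint32_t load_le32(const unsigned char b[4]) {
    return (uint32_t)b[0] | ((uint32_t)b[1] << 8) |
           ((uint32_t)b[2] << 16) | ((uint32_t)b[3] << 24);
}

/* Encode v as little-endian bytes: what you do when packing an address
 * into an overflow payload by hand. */
static void store_le32(uint32_t v, unsigned char out[4]) {
    for (int i = 0; i < 4; i++)
        out[i] = (unsigned char)((v >> (8 * i)) & 0xff);
}

/* Byte i of the little-endian encoding of v, for easy checking. */
static unsigned char le_byte(uint32_t v, int i) {
    unsigned char b[4];
    store_le32(v, b);
    return b[i];
}

int main(void) {
    uint32_t a = 0x3e4dfa72;      /* the value from the slide */
    unsigned char b[4];
    bytes_in_memory(a, b);
    printf("a = 0x%08x on a %s-endian host\n", (unsigned)a,
           host_is_little_endian() ? "little" : "big");
    printf("bytes at &a: %02x %02x %02x %02x\n", b[0], b[1], b[2], b[3]);
    /* Constructed byte dump, as pwndbg printed it on the slide: */
    const unsigned char dump[4] = {0x72, 0xfa, 0x4d, 0x3e};
    printf("dump decoded as little-endian: 0x%08x\n", (unsigned)load_le32(dump));
    return 0;
}
```

On x86-64 the first byte printed for a is 0x72, matching the pwndbg output above; load_le32 gives the same answer on any host, which is why payload-building code should never rely on casting a pointer.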
Holding more than one thing in one variable
struct MyStruct {
int a;
char b;
int c;
char d;
};
int main() {
struct MyStruct my_struct;
my_struct.a = 1;
my_struct.b = 2;
my_struct.c = 3;
my_struct.d = 4;
}
Here, sizeof(struct MyStruct) is 16, not 10: the compiler pads after each char so the next int starts on a 4-byte boundary
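An added example (not from the slides) that makes the padding visible: offsetof shows where each field lands, a reordered copy of the same struct shows the padding disappear, and a byte dump shows the padding bytes that no field ever writes. The reordered struct name and the 0xee fill value are made up for this example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* The struct from the slide, field order unchanged. */
struct MyStruct {
    int  a;   /* offset 0,  4 bytes                                       */
    char b;   /* offset 4,  1 byte, then 3 bytes of padding               */
    int  c;   /* offset 8,  must start on a 4-byte boundary               */
    char d;   /* offset 12, then 3 bytes of tail padding so that in an    */
              /* array of these every element's ints stay aligned         */
};

/* Same four fields, ints first: no interior padding, 12 bytes total. */
struct MyStructReordered {
    int  a;
    int  c;
    char b;
    char d;
};

static size_t mystruct_size(void)     { return sizeof(struct MyStruct); }
static size_t reordered_size(void)    { return sizeof(struct MyStructReordered); }
static size_t mystruct_offset_c(void) { return offsetof(struct MyStruct, c); }
static size_t mystruct_offset_d(void) { return offsetof(struct MyStruct, d); }

/* Bytes the compiler inserted that no field name refers to. */
static size_t mystruct_padding_bytes(void) {
    return sizeof(struct MyStruct) - (2 * sizeof(int) + 2 * sizeof(char));
}

int main(void) {
    struct MyStruct my_struct;
    /* Fill the whole object first so the padding shows up as 0xee in the
     * dump; assigning the fields does not (in practice) touch those bytes.
     * That is why structs copied straight to a file or socket can leak
     * whatever was on the stack before them. */
    memset(&my_struct, 0xee, sizeof my_struct);
    my_struct.a = 1;
    my_struct.b = 2;
    my_struct.c = 3;
    my_struct.d = 4;

    printf("sizeof(struct MyStruct) = %zu (%zu bytes of padding)\n",
           mystruct_size(), mystruct_padding_bytes());
    printf("offsets: a=%zu b=%zu c=%zu d=%zu\n",
           offsetof(struct MyStruct, a), offsetof(struct MyStruct, b),
           mystruct_offset_c(), mystruct_offset_d());
    printf("reordered: %zu bytes\n", reordered_size());

    const unsigned char *p = (const unsigned char *)&my_struct;
    for (size_t i = 0; i < sizeof my_struct; i++)
        printf("%02x%c", p[i], (i % 4 == 3) ? '\n' : ' ');
    return 0;
}
```

The dump is four rows of four bytes: 01 00 00 00, 02 ee ee ee, 03 00 00 00, 04 ee ee ee. Padding, alignment and little-endian order all appear in one picture, which is the picture you need when deciding how far an overflow has to reach.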
What’s an array
- A list of values
- All next to one another
- All of the same type
int myArray[2];   // valid indices: 0 and 1
myArray[2] = 4;   // 8 bytes past the start: not part of myArray at all
Wait, is that too big of an index?
We just overflowed
Whatever comes after myArray in memory is now 4 (the compiler never checked the index)
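An added example (not from the slides) of the write above landing on the neighbouring variable, next to the bounds check that stops it. Real compilers may reorder locals or put a stack canary between them, so the two variables are pinned into one struct here; the struct, the variable name next and the helper names are assumptions made for this example.

```c
#include <stdio.h>
#include <string.h>

/* Assumed layout for the slide's snippet: whichever variable happens to sit
 * right after myArray in memory.  Index 2 of a 2-int array is byte offset
 * 2 * sizeof(int) = 8, which is exactly where `next` starts. */
struct frame {
    int myArray[2];   /* valid indices: 0 and 1 */
    int next;         /* offset 8: where myArray[2] would be */
};

/* The slide's write, done as the CPU does it: store sizeof(int) bytes at
 * base + idx * sizeof(int) with no bounds check at all.  memcpy on the
 * struct's own bytes keeps the demo well-defined while idx stays inside
 * the struct; with a bigger idx this is a real stack overflow. */
static void store_unchecked(struct frame *f, size_t idx, int val) {
    memcpy((unsigned char *)f + idx * sizeof(int), &val, sizeof(int));
}

/* What a bounds check has to look like: reject idx >= len, never idx > len
 * (the off-by-one is the classic way to lose this check).  Returns 0 on
 * success, -1 if the write was refused. */
static int store_checked(int *arr, size_t len, size_t idx, int val) {
    if (idx >= len)
        return -1;
    arr[idx] = val;
    return 0;
}

/* Runs the slide's bug against the pinned layout and returns what `next`
 * holds afterwards. */
static int clobber_next(void) {
    struct frame f = { {0, 0}, 42 };
    store_unchecked(&f, 2, 4);    /* "myArray[2] = 4" */
    return f.next;                /* 42 before, 4 after */
}

int main(void) {
    printf("next after myArray[2] = 4: %d\n", clobber_next());

    int myArray[2] = {0, 0};
    int rc = store_checked(myArray, 2, 2, 4);
    printf("checked write to index 2: rc=%d\n", rc);
    rc = store_checked(myArray, 2, 1, 4);
    printf("checked write to index 1: rc=%d, myArray[1]=%d\n", rc, myArray[1]);
    return 0;
}
```

Every classic stack overflow is this picture with a bigger index: the interesting neighbours are saved registers and the return address, and the index is controlled by input length rather than by a literal.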
#include <stdio.h>
int main() {
    char myChar = 0;      // signed on x86-64 Linux: range [-128, 127]
    while (1) {
        printf("%d\n", myChar);
        myChar++;         // 127 + 1 wraps around to -128
    }
}
0
1
2
...
126
127
-128
-127
...
-2
-1
0
1
2
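An added example (not from the slides) of the wraparound above and why it matters for bounds checks: a lookup index stored in a signed char can only ever be less than 128, so any input byte with the top bit set goes negative and passes a `< length` test. The table length, the helper names and the 0xff input are made up for this example; `signed char` is spelled out because plain char is unsigned on some targets (ARM Linux).

```c
#include <stddef.h>
#include <stdio.h>

/* How many ++ it takes for a signed char to come back to 0.  127 + 1 is
 * computed as an int (128) and converted back to the 8-bit type; that
 * conversion is implementation-defined, not undefined, and wraps modulo
 * 256 on every mainstream compiler, giving -128. */
static int increments_until_zero(void) {
    signed char c = 0;
    int n = 0;
    do {
        c++;
        n++;
    } while (c != 0);
    return n;                       /* 256 */
}

/* The value the slide's loop prints right after 127. */
static int value_after_127(void) {
    signed char c = 127;
    c++;
    return c;                       /* -128 */
}

#define TABLE_LEN 4

/* Buggy bounds check: the index lives in a signed char, so 0x80..0xff
 * become -128..-1 and sail through `idx < TABLE_LEN`.  A negative index
 * would then read in front of the table.  Returns 1 if the check lets
 * the input through. */
static int buggy_check_accepts(unsigned char user_byte) {
    signed char idx = (signed char)user_byte;   /* 0xff -> -1, 0x80 -> -128 */
    return idx < TABLE_LEN;
}

/* Fixed: compare as an unsigned quantity, so 0xff is 255 and is rejected. */
static int fixed_check_accepts(unsigned char user_byte) {
    size_t idx = user_byte;
    return idx < TABLE_LEN;
}

int main(void) {
    printf("127 + 1 as a signed char = %d\n", value_after_127());
    printf("increments back to 0: %d\n", increments_until_zero());
    printf("index byte 0xff: buggy check says %d, fixed check says %d\n",
           buggy_check_accepts(0xff), fixed_check_accepts(0xff));
    return 0;
}
```

The same wrap happens with int length fields, just at 2147483647 instead of 127, and with unsigned counters at the top of their range: any time a check compares a small or signed type against a length, ask what happens one past the edge.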
GDB
set follow-fork-mode parent
- Compile + run locally until solved
- Be creative!