Backdoor CTF 2015 echo: “chmod +x” will change function’s offset
I participated in the Backdoor CTF 2015 and found something very weird: “chmod +x” will change a function’s offset. I will figure this out later.
This program contains a stack buffer overflow vulnerability: if the input is longer than 62 bytes, the return address is overwritten, which lets us control EIP.
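The bug class described above, next to a bounded version of the same routine. This is an added example, not the challenge's source: the function names `test_unbounded`, `copy_bounded` and `test_bounded` and the buffer size `BUF_LEN` are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Assumed buffer size: the page gives only the 62-byte distance to the
 * saved return address, not the real buffer length. */
#define BUF_LEN 58

/* Vulnerable pattern (hypothetical reconstruction of test()): the copy
 * length is controlled by the input, not by the destination. */
void test_unbounded(const char *input)
{
    char buf[BUF_LEN];
    strcpy(buf, input);   /* overruns buf once strlen(input) >= BUF_LEN */
    printf("%s\n", buf);
}

/* Bounded copy: writes at most dst_len bytes including the terminator.
 * Returns 0 if src fit, -1 if it was truncated or the args are invalid. */
int copy_bounded(char *dst, size_t dst_len, const char *src)
{
    size_t i = 0;
    if (dst == NULL || src == NULL || dst_len == 0)
        return -1;
    while (i < dst_len - 1 && src[i] != '\0') {
        dst[i] = src[i];
        i++;
    }
    dst[i] = '\0';
    return src[i] == '\0' ? 0 : -1;
}

/* Hardened test(): over-long input is rejected instead of echoed.
 * Returns the echoed length, or -1 when the input was rejected. */
int test_bounded(const char *input)
{
    char buf[BUF_LEN];
    if (copy_bounded(buf, sizeof buf, input) != 0)
        return -1;
    printf("%s\n", buf);
    return (int)strlen(buf);
}

int main(void)
{
    char big[101];                      /* constructed 100-byte input */
    memset(big, 'A', 100);
    big[100] = '\0';
    printf("short: %d\n", test_bounded("hello"));
    printf("long:  %d\n", test_bounded(big));
    return 0;
}
```

Rejecting the over-long input, rather than silently truncating it, keeps the saved return address out of reach of the copy and makes the failure visible to the caller.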
This challenge is fairly simple. After several minutes of reversing the program, I found a function called sample() which opens and prints the content of the file “flag.txt”. All we have to do is overwrite test()’s return address with the start address of sample().
The following code will get us the flag:
from pwn import *
context(arch='i386', os='linux', endian='little', word_size=32)
sample = 0x0804857d