Simple Buffer Overflow

Explanation

The form below calls a C program with a simple buffer overflow vulnerability. The "name" variable can overflow into the "cmd" variable.

Here's the source code:

Vulnerable Form

Try putting in a short name, and then make the name longer until you get unexpected results.

For a good time, try this string:

0123456789012345678901234567890123456789ls
Your name:    

Challenge 1: Long List

Execute the "ls -l" command by entering a crafted name, so it shows file details, as shown below.

Hint

If spaces are annoying you, try this.

Challenge 2: Add Your Name to the Hall of Fame

Put your name in this file:

/tmp/bufo/winners
After one minute, your name will appear on the WINNERS page here:

http://attack3214.samsclass.info/root/bufo-winners.html

Hint

Your injected code runs in a dash shell.

To write to a file named foo, execute:

echo "HELLO" > foo

Source code and explanation

Sources

I based this on the "pwn1" and "pwn2" challenges in the 2015 SCTF competition.


Posted 4-3-16 by Sam Bowne
Last modified 5-9-17