[pwn] You know 0xDiablos

I could use a nudge. I can get “Hurry up and try…” but when I try on the instance I get nothing. I see the parameters required. I tried putting them in right behind my address… let's say param1 = A, param2 = B

JUNK+A+B+ADDRESS
JUNK+B+A+ADDRESS

Neither worked. I also tried the values of A and B forward/backwards. Can anyone help with passing the parameters? Thanks.

@pythonK said:

I feel I’m on the right track, but I just can’t get the payload right. I’m pretty sure I’ve gotten the correct buffer size (I’ve verified using a debugger), and I know the address of what I want to call with params.
When I enter my payload and run it through a debugger, the address is wrong in the debugger, even though it’s correct in the input. Instead of ‘e2’ it’s showing as ‘c2’.
I’d appreciate anything you could throw my way to help get me going.

I figured out my problem. It’s the way python3 was sending the info was wrong. But python2 sends it correctly. Still haven’t solved it yet, but I’m closer.

Just started this and I feel like I'm in the right direction.
I'm sending my payload with all parameters but still don't manage to get the fl…t.t file,
although I've created it locally.

Could use a nudge (:
Thanks.

Got it! Nice one!

I got the flag… but it only works some of the time? I thankfully ran my code a few times after double checking things, and poof, flag showed up when it didn’t on the first couple runs.

Running it again, it doesn’t show up. Is this intentional, or is there something funny going on?

Got it! Thanks @BLAMO, the last piece I wasn't getting. It makes sense now. Anyone need a hand, hit me up.

The tips here were definitely useful. If you haven't done a BOF before (which I have seen mentioned here a few times, so I'm assuming it's not a spoiler) you should definitely look up a tutorial and understand that before trying this. A few things that were time wasters for me:

1: If you are going to use Python to automate your exploit, for the love of god use python2. I ran into some weird issues trying to get my payload to function properly, which I am assuming is because Python3 changed how they handle strings.

2: There may be extra bytes in places you don't expect: c - Why is ebx saved in the stack frame of a simple function, calling gets? - Stack Overflow

Got the flag :). Could anyone get this exploit to work in Python 3? I managed to do it with Python 2 in the end, but would’ve liked to do it in Python 3…

I've never done a BOF before and I'm trying to read through assembly documentation, but I think I have the right idea. I've made a payload to send and have the address I need, but I still get a fault error when sending it.

If someone could PM me a hint or something that would be great. I also don't know where to put variables.

@Oscuridad said:

I've never done a BOF before and I'm trying to read through assembly documentation, but I think I have the right idea. I've made a payload to send and have the address I need, but I still get a fault error when sending it.

If someone could PM me a hint or something that would be great. I also don't know where to put variables.

Send me the exploit on discord “Alex Zander#0764”

I'm confused. I'm testing a BOF and successfully overwriting EIP in a VM, but doing the same on a physical box doesn't work?

ASLR is off on both…

Same length payload of 'A's, then 4 * 'B's, and 4 * 'C's.

On the VM: EIP gets 'BBBB', with ESP at 'CCCC'.
On the physical box: EIP gets 'AAAA', with ESP at 'BBBBCCCC'?

Environments were NOT the same! Lesson learned. Problem solved.

I am really confused. In a Kali VM, using gdb/gef/pwntools, after many hours I finally got a successful exploit.py (from gef skel) working. But only locally. Remotely I get the 'A's string echoed back. Playing with the length of those 'A's I will get the same thing back, or nothing, or connection refused for several minutes.

I do not understand why it would work in VM but not remotely. I cannot imagine that remotely it is not running in a VM or Docker container…

@Baseizo7 said:

I am really confused. In a Kali VM, using gdb/gef/pwntools, after many hours I finally got a successful exploit.py (from gef skel) working. But only locally. Remotely I get the 'A's string echoed back. Playing with the length of those 'A's I will get the same thing back, or nothing, or connection refused for several minutes.

I do not understand why it would work in VM but not remotely. I cannot imagine that remotely it is not running in a VM or Docker container…

Never mind! Figured it out. h4x0r error. Apparently I have trouble noticing glaring numerical typos right in front of me for hours.

Hi,
can anybody give me any help, please?
I have a payload without bad characters and have gone through it with gdb+peda, but I can't make it work even locally.
I redirect EIP to the method with both parameters but still no success.
Thanks.

That was my first buffer overflow and while it may be simple in the realms of BOF, I found it very difficult. Great challenge though, and I've learned a lot. For other noobs, Ippsec's Safe video is a good place to get a feel for buffer overflows, as he explains the tools you can use; however, the BOF in that video is much more complex than this. LiveOverflow has a Binary Exploitation playlist on YouTube which is where I gained most of my knowledge for reading assembly and making sense of the outputs I was seeing in Ghidra. He also uses GDB, which is a fantastic tool for exploring what's going on in the binary when it's running.

My advice for anyone struggling with this challenge or new to BOF is to:

  1. Find what you’re looking for in Ghidra
  2. Learn to use GDB
  3. Set some breakpoints in the code
  4. Learn how to read from the memory locations and step through piece by piece.

Not only can it show you what the binary is doing, it shows you what your exploit is doing. In some cases your exploit could be just a few addresses away from working; that's what happened to me anyway.

I haven’t seen many people plug YT content before, so apologies if this is a spoiler or against the rules.

Just solved it, my first BOF without any walkthrough! :smiley:
As mentioned earlier in the thread: use python2!
I had the correct payload at one point but it didn't work with python3, so I wasted a few hours trying other stuff.
Happy to help if anyone needs a nudge.

I just solved this. I saw a mention to use Python 2 vs. Python 3, but I got my exploit to work in Python3. I only had one line I had to change to make it successfully run in Python 3.
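The Python 2 versus Python 3 confusion raised several times in this thread (the "e2 shows up as c2" debugger observation, the "use python2" advice, and the "one line to change" remark above) comes down to string encoding. The following is an added illustration, not code from any poster: it builds a little-endian 32-bit value three ways and shows why a Python 3 `str` with `\xNN` escapes is silently UTF-8 inflated on the wire while `bytes`/`struct` are not. The address used is a constructed placeholder, not a value from the challenge.

```python
import struct

# Constructed placeholder value (little-endian 32-bit), not an address from the thread.
ADDR = 0x080491E2


def as_text(addr: int) -> str:
    """Build the little-endian value as a Python 3 *str* of four code points,
    the way a Python 2 script builds a byte string from '\\xNN' escapes."""
    return "".join(chr((addr >> (8 * i)) & 0xFF) for i in range(4))


def packed_utf8(addr: int) -> bytes:
    """The Python 3 trap: str.encode() defaults to UTF-8, so every code point
    above 0x7F becomes two bytes (0xE2 -> C3 A2, 0x91 -> C2 91). What reaches
    the process is longer than, and different from, what was typed."""
    return as_text(addr).encode()


def packed_latin1(addr: int) -> bytes:
    """Explicit latin-1 maps code points 0..255 to single bytes 1:1,
    which is what Python 2 str did implicitly."""
    return as_text(addr).encode("latin-1")


def packed_struct(addr: int) -> bytes:
    """Idiomatic Python 3: stay in bytes from the start and let struct handle byte order."""
    return struct.pack("<I", addr)


def utf8_inflated(intended: bytes, observed: bytes) -> bool:
    """Diagnostic check: does `observed` equal `intended` after an accidental UTF-8
    encode? Useful when a debugger shows different bytes in memory than expected."""
    if observed == intended:
        return False
    try:
        return observed.decode("utf-8").encode("latin-1") == intended
    except (UnicodeDecodeError, UnicodeEncodeError):
        return False


if __name__ == "__main__":
    print("str.encode():", packed_utf8(ADDR).hex())    # c3a2c2910408 (6 bytes, wrong)
    print("latin-1:     ", packed_latin1(ADDR).hex())  # e2910408
    print("struct:      ", packed_struct(ADDR).hex())  # e2910408
    print("inflated?    ", utf8_inflated(packed_struct(ADDR), packed_utf8(ADDR)))  # True
```

The same inflation applies to any byte 0x80 or above anywhere in a payload, so a debugger showing extra or shifted bytes after the high bytes is the tell-tale sign.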

When I try to overwrite EIP it's substituting the address I want to point to with other random cr*p.

I've just finished the BOF module on HTB Academy, but what I've learned there doesn't seem to apply, or I'm doing something horribly wrong.

Hi, I'm super new here… I've tried this challenge. I can BOF the 1st function… I saw I need to add params for the 2nd one… I think I sent them (as I can see their values in the registers), but I can't make it print the answer. I don't have other ideas, maybe I'm missing something… Could anybody give me a hint?