
I need help running a program in an executable using GDB.

I have an executable file named vuln. I do not know the source code as I am doing a CTF. When I analyzed the executable, I found three exciting functions: main, vuln, and flag. The vuln function is vulnerable to a BOF attack, but I do not want to go that way. What I am trying to do is run the executable in gdb, and I used the `print (void) flag(param1, param2)` command to directly run the flag function, as this is supposed to give me a flag; however, it does not work, as it says my parameters are incorrect, which I am sure they are not. I have also found out about the jump function, but I cannot pass any parameters.

So is there any way to run a function from an executable with parameters properly, or would I have to go through the pain of BOF?

The GHIDRA disassembled code of the FLAG and VULN functions is below.

```c
void flag(int param_1, int param_2){
    char local_50 [64];
    FILE *local_10;

    local_10 = fopen("flag.txt", "r");
    if(local_10 != (FILE *)0x0){
        fgets(local_50, 0x40, local_10);
        if ((param_1 == -0x21524111) && (param_2 == -0x3f212ff3)){
            printf(local_50);
        }
        return;
    }
    puts("Hurry up and try in on server side.");
    exit(0);
}

void vuln(void)
{
    char local_bc [180];
    gets(local_bc);
    puts(local_bc);
    return;
}
```
Employed Russian
Jenny Patel
  • What's the exact error message of gdb when you try to call the function? – ssbssa May 10 '21 at 10:33
  • Actually, no error message. Since my variables do not match, only the "puts("Hurry up and try in on server side.");" line runs and the if statement is never executed. – Jenny Patel May 11 '21 at 00:12
  • I guess you can change the `rip` to point to `flag()`, prepare memory or modify flags for the comparisons to steer the execution, but the goal is to read `flag.txt` from the remote computer and not yours, so you won't get the real flag if you do that. – Paweł Łukasik May 11 '21 at 02:11

1 Answer

> `print (void) flag(param1, param2)`

Not sure what your values of param1 and param2 are, but this seems to work just fine for me:

```
echo "hello" > flag.txt
gdb -q ./a.out

(gdb) start
Temporary breakpoint 4 at 0x555555555307
Starting program: /tmp/a.out

Thread 1 "a.out" hit Temporary breakpoint 4, 0x0000555555555307 in main ()
(gdb) p (void)flag(-0x21524111,  -0x3f212ff3)
hello
$2 = void
(gdb)
```
Employed Russian
  • Param1 and param2 are variables passed to the flag function. I know this question does not have enough information because this is a CTF challenge. I provided all the information I was able to and also provided information I reverse engineered using Ghidra. – Jenny Patel Jul 11 '21 at 04:25
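
Added example, not part of the original answer or the challenge binary: a C model of the decompiled `flag()` branch order. It shows that the "Hurry up" path depends only on whether `fopen` finds the file in the working directory, and that Ghidra's signed constants are the 32-bit patterns `0xdeadbeef` and `0xc0ded00d`. The names `flag_model`, `as_u32`, `write_sample`, the enum and the file `flag_model_demo.txt` are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Outcome labels are illustrative; the binary's flag() returns void. */
enum flag_outcome { FLAG_NO_FILE, FLAG_ARGS_REJECTED, FLAG_PRINTED };
/* Ghidra shows the 32-bit constants as signed; this gives the raw bit pattern. */
uint32_t as_u32(int32_t v) { return (uint32_t)v; }

/* Model of the decompiled flag(): same branch order, but it reports the
 * branch taken instead of calling puts()/exit() or printf(). */
enum flag_outcome flag_model(const char *path, int32_t p1, int32_t p2,
                             char *out, size_t outlen)
{
    char buf[64] = "";
    FILE *fp = fopen(path, "r");
    if (fp == NULL)
        return FLAG_NO_FILE;        /* binary: puts("Hurry up ..."); exit(0); */
    if (fgets(buf, sizeof buf, fp) == NULL)
        buf[0] = '\0';
    fclose(fp);
    if (p1 == -0x21524111 && p2 == -0x3f212ff3) {
        snprintf(out, outlen, "%s", buf);   /* binary: prints the buffer */
        return FLAG_PRINTED;
    }
    return FLAG_ARGS_REJECTED;      /* binary: returns without output */
}

/* Writes a constructed sample file; returns 0 on success. */
int write_sample(const char *path, const char *text)
{
    FILE *fp = fopen(path, "w");
    if (fp == NULL)
        return -1;
    fputs(text, fp);
    return fclose(fp);
}

int main(void)
{
    const char *path = "flag_model_demo.txt";   /* constructed file name */
    char out[64] = "";
    printf("%#x %#x\n", (unsigned)as_u32(-0x21524111), (unsigned)as_u32(-0x3f212ff3));
    remove(path);
    printf("missing file -> %d\n", flag_model(path, -0x21524111, -0x3f212ff3, out, sizeof out));
    write_sample(path, "hello\n");
    printf("file present -> %d\n", flag_model(path, -0x21524111, -0x3f212ff3, out, sizeof out));
    remove(path);
}
```

With the file missing, the model returns `FLAG_NO_FILE` even for the correct arguments, which is why the gdb session in the answer creates `flag.txt` before calling `flag()`.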