Before You Start

You should do Pwnexercise and Ropexercise first, so that you're somewhat familiar with pwntools and buffer overflow techniques. The instructions and hints will use pwntools and Python, though you may use any language you like to implement your solution.

• This note explains buffer overflows
• This note on Return Oriented Programming goes through step-by-step how to solve challenges like these.
• This note on Binary Stuff explains more about memory addresses and such.
• This small exercise on Object Files and Disassembly walks you through compilation, inspecting object files, disassembling code and how calls to dynamic libraries work. Examples from Linux, MacOS, x86-64, ARM, AVR and Java/JVM. (This is more details than you need to know.)

Note that the tasks have been designed so that the output from the server typically ends with a : or a ?. This makes it easier to use recvuntil() (or next_qa() from ctf-helper.py). Also, in the cases where you need to input the address of getFlag(), you may have to add 5 to it, for reasons explained elsewhere.

Learning Objectives

Afterwards, you should be able to explain…

• how a buffer overflow attack works,
• how the computer knows which code to run,
• how function calls work,
• roughly how code and data for a program is represented on disk and in memory

and you should be able to…

• identify data on a stack frame,
• find memory addresses of code / data (symbols)
• use pwntools (or similar) to connect to and communicate with a program, locally or over the network

Also, you should have a rough idea of how to mitigate / prevent buffer overflow attacks. Additionally, you might have so fun (or find the whole thing extremely frustrating).

Deadline, Deliverables and Grading

• The deadline is Friday, October 3rd 2025 at 23:59.
• This assignment counts towards your grade. Each task counts as 2% of your final grade, for a total of 10%. The next 20% will be the other assignments, and the final 70% the exam. All the assignments and the exam must be passed in order to pass the course.
• The assignment is individual and the results/report you submit must be your own.
• All you need to do is complete the tasks, so that the Current Status above shows Success. You don't have to deliver anything.
• To pass this assignment, all you need is an honest attempt at completing the assignment – there is no minimum score required. (If there's any doubt, we can tell from the logs whether you've made an honest attempt or not.)

Plagiarism / Cheating / Collaboration

• You may discuss / sit together with / try and figure things out together with other students, but your work must be your own.
• You can ask AI for assistance in explaining things, but not for generating a solution. Generally, it is better that you ask us or other students to explain stuff (no question is too stupid and no time (before the deadline) is too late to ask!).
• When/if helping each other, please try to not ask for / give solutions, but rather explanations of how things work, or other hint. Explaining how [you think] your [non-functioning] code works can be useful for both you and the your collaborator. Anya can provide you with your own personal rubber duck if you ask (Acme, Inc.'s rubber duck division seems to be struggling with deliveries nowadays, for some reason.)
• If possible, try to ask for help on a Discord channel rather than with private messages – there are probably others who wonder about the exact same thing, but are too shy to ask!
• But: don't post screenshots/listings with your (almost) complete solution, or showing the flag, etc. There are still lots of useful things to ask/answer regarding library function, how does return-oriented-programing work, etc.

Deadline extensions, etc

If you for some reason see that you can't deliver on time, you can get a deadline extension. You don't have to explain why – we trust that you have a sensible reason (and certainly understand if you don't!). It's better to spend a bit of extra time and get it right, than to take shortcuts and learn nothing.

• You can get an (up to) 4864 hour extension if you need it. However: for the next compulsory exercise, you will then have to deliver a draft of that exercise 4864 hours before that deadline, so we know you're on the right track next time!

• If you really need a longer extension, please include the code of whatever you have so far (even if it's nothing) and a brief plan for how you intend to complete the exercise in the remaining time. Unless we have arranged otherwise due to special circumstances, any work done more than 4864 hours after the deadline won't be counted.

• If you've solved the assignment and just think you could do a bit better with a bit more time – don't bother, you probably have more useful stuff to do, and small fixes won't make any practical difference. Perfection is overrated!

Python pwntools skeleton

You can use this – together with ctf_helper.py (below) – as a starting point for your solutions.

from ctf_helper import *

id_token = ""  # insert your token here

io : tube = start(7000)

read_welcome()

### REPLACE WITH YOUR CODE
io.sendline(b'something')

next_qa()

### May help you decode the final success/fail response
log_answer(read_answer())

CTF Helper

Implements a few functions for connecting and receiving data that may be useful.

You can also download the file here: ctf_helper.py.

from pwn import * # type: ignore
import sys

id_token = ""  # insert your token here

# Set to 'info' if you don't want a trace of data sent and received
context.log_level = "debug"

io : tube = None # type: ignore

def start(port: int):
    """
    Connect to INF226 server. Port number should be 7000-7004.

    With command line arguments (in sys.argv):
        - `FILE`              -- load ELF file (probably requires Posix system)
        - `--process FILE`    -- start local process instead (requires Linux)
        - `--gdb FILE CMDS`   -- start local debugger process instead (requires Linux)
        - `--remote`          -- connect to server (default)

    *(Call this first, then proceed with `read_welcome`)*
    """
    global io, _elf_file
    action = "--remote"
    file = None
    # very crude commandline option parser
    if len(sys.argv) < 2:
        pass
    elif sys.argv[1].startswith('--'):
        action = sys.argv[1]
        file = sys.argv[2] if len(sys.argv) > 2 else  None
    else:
        file = sys.argv[1]

    if file:
        try:
            _elf_file = ELF(file)
        except Exception as e:
            error("Failed to load ELF file %s", file)

        if action == "--gdb":
            gdb_script = ''.join([f'{a}\n' for a in sys.argv[3:]])
            io = gdb.debug(file, gdb_script or "break main\n")
        elif action == "--process":
            io = process(file)
    # By default, we connect to the official assignment servers
    if not io:
        io = remote("inf226.puffling.no", port)
    io.timeout = 2  # wait max 5 seconds when reading data
    return io

_elf_file = None
def elf_file():
    """Return the ELF executable for the current task, if available."""
    return _elf_file


question_delims = [b": ", b"? ", b":", b"?"]


def read_welcome(tok: str | None = None):
    """
    Send token and read the welcome/first question. Questions end with '?' or ':'.

    *(It's a good idea to call this first for all the tasks!)*
    """

    tok = tok or id_token
    question = io.recvuntil(question_delims, timeout=1024).decode()  # type: ignore # read welcome or token request

    if "Please enter your token:" in question:
        if not tok:
            io.warning_once("WARNING: No token specified!")
        io.sendline(b"" + tok.encode())  # send token
        question = io.recvuntil(question_delims).decode()  # read welcome

    return question


def next_qa() -> str:
    """
    Read a question/answer from the tube. (In practice, reads until the next `?` or `:`.

    *(Might be useful for any task)*
    """

    return io.recvuntil(question_delims).decode().strip()


def read_answer() -> tuple[str, str | None]:
    """
    Read and decode answer once you've completed the challenge.

    Call this after you've sent your exploit. Print the result with `log_answer`.

    *(Might be useful for any task)*
    """
    a = io.recvuntil(question_delims).decode()

    if "signed success token" in a:
        new_tok = io.recvline().decode()
        return a, new_tok
    else:
        rest = io.recvall().decode()
        return a + rest, None


def log_answer(answer_and_token: tuple[str, str | None]) -> None:
    """
    Combine with read_answer() to get pretty output.

    *(Might be useful for any task)*
    """
    answer, token = answer_and_token
    if token:
        info("Success!!")
        info("")
        info(
            "*** Please submit the new token to https://inf226.puffling.no/oblig1/ as proof you have completed the task:"
        )
        info("")
        info("        " + token)
        info("")
    else:
        for line in answer.splitlines():
            warning(line)


def chars(n: int):
    """
    Reinterpret a 64-bit integer as a string. Non-ASCII characters are displayed as `.`

    *(Might be useful for task-4)*
    """

    def convert_char(c):
        return chr(c) if 32 <= c < 127 else "."

    return "".join([convert_char(c) for c in unpack_many(p64(n), word_size=8)])


def print_mem_entry(addr: int | str, data: int | str | bytes):
    """
    Helper for printing a memory location.

    Arguments:
        addr (int): the memory address the word was found at
        word (int|str|bytes): contents of memory location, as an integer (possibly encoded as str or bytes)

    *(Useful for task-4)*
    """
    if addr == 0:
        info(f'        {"Address":12s}   {"Word":16s}  {"Chars":8s}  {"Original":24s}')
        info(f'        {"-" * 12}   {"-"*16}  {"-"*8}  {"-"*24}')
    else:
        if isinstance(data, bytes):
            text = repr(data)
            word = int(data, 10)
        if isinstance(data, str):
            text = repr(data)
            word = int(data, 10)
        elif isinstance(data, int):
            text = ""
            word = data
        if isinstance(addr, int):
            info(f"------  {addr:12x}:  {word:016x}  {chars(word):8s}  {text:24s}")
        else:
            info(f"{addr:20s}:  {word:016x}  {chars(word):8s}  {text:24s}")

Using gdb

If you're on Linux (or something close enough to be able to run Linux programs) and you have gdb and gdb-server installed, you can use the GDB debugger to see what's going on while the program is running.

For example, here is a small script of GDB commands that would help you debug task-0:

# put breakpoint at main+370, right after gets() – this will be breakpoint 1
break *main+370
# give list of commands to run when reaching breakpoint 1
commands 1
   # print stack pointer, address of buffer and contents of buffer, sound, animal
   print $rsp    
   print &buffer
   print buffer
   print sound
   print animal
end
# now, run until breakpoint
continue

You can type them in manually, or give them as the gdbscript argument to io.remote; or if you're using ctf_helper.py, you can save them to a file gdb_script and run with:

$ python my_solution.py --gdb ./task-0 "$(cat gdb_script)"

The ELF file includes debugging information (in the DWARF format (pun apparently intended)), so gdb knows where to find variables, how long the buffer array is, and so on.

Without pwntools you could also start gdb with:

$ gdb ./task-0 -x gdb_script

If so, you should replace continue with run in the script.

Other useful gdb commands include disas (print disassembled code) and help.

Hints

• If you get confused, it may be useful to draw a diagram of the memory, pointers and variables. (Or, if you're lazy, use Explore stack frame layout in the sidebar.)
• Kenneth's support material from 2020 may be useful, with hints for setting things up and using pwntools.
• ctf101.org has a useful intro to C and overview of binary exploitation, buffer overflows, return oriented programming, and bypassing stack canaries.
• If you try to run the code for task-4 yourself (on Linux or in a virtual machine), you'll need to turn off ASLR. You can do this with setarch -R task-4 (or setarch -R gdb task-4 for debugging with gdb), or for the whole system by doing echo 0 > /proc/sys/kernel/randomize_va_space (remember to turn it back on again afterwards with echo 2 > /proc/sys/kernel/randomize_va_space)

Connecting manually:

If you want to talk directly to the servers, you have (at least) a few options:

• pwntools has io.interactive() – though it seems be make trouble sometimes
• netcat (nc) is a popular tool for interacting with network sockets. For example:

$ nc inf226.puffling.no 7000
[uiianz] Please enter your token: 
[uiianz] Proceeding as unauthenticated user.
[uiianz] Welcome, 2a01:799:…! Best of luck with task-0!

Are you ready for a challenge (no/maybe/yes)? n
What does the rubber duck say? glurbledörk
Nope :(

• If your system doesn't have nc, you might have still have old-fashioned telnet installed. Although it's originally meant to connect to a Telnet server (which isn't used much anymore, now that we have SSH), you can also connect directly to a port, just like with nc. If the connection hangs, you can “escape” by pressing Ctrl-] (which is Ctrl-AltGr-9 on a Norwegian keyboard), and quit.

$ telnet inf226.puffling.no 7000
Trying 2001:700:2:8300::2264...
Connected to inf226.puffling.no.
Escape character is '^]'.
[uipmv9] Please enter your token: ^]
telnet> quit
Connection closed.

• Task-0 and Task-1 should be solvable this way.

Address space:

• These files are compiled without the position-independent executable (more info) option, so the code is always loaded at the same address (somewhere around 0x401000). Linux (or at least the our server) uses this memory layout:
• 0x7ffffffffff0 – top of memory, the stack typically starts ~-0x1000 from here (depends on environment variables – should be the same for each run). Each stack frame is aligned so that the address ends with a 0 – some system calls may crash with a SIGSEGV if this is not the case. (See ROP#Solving the system crash.)
• With a non-PIE executable, the addresses of code and data are hardcoded, so what you see in the ELF file (0x401xxx) will be the actual memory addresses when the program is running. objdump -t shows you all the symbol addresses.
• The main function gets called from one of the dynamic libraries (__libc_start_call_main in /lib/x86_64-linux-gnu/libc.so.6), so you'll see a return pointer to there on the stack.
• Dynamic libraries get put somewhere below the stack, addresses may start with 0x7f…. The output of running ldd on a file shows you the libraries. With ASLR, these addresses will be random:

$ ldd task-4
    linux-vdso.so.1 (0x00007c3f9e53c000)
    libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007c3f9e200000)
    /lib64/ld-linux-x86-64.so.2 (0x00007c3f9e53f000)
$ ldd task-4
    linux-vdso.so.1 (0x00007b61fa0bc000)
    libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007b61f9e00000)
    /lib64/ld-linux-x86-64.so.2 (0x00007b61fa0bf000)

• With ASLR turned off, the libraries will appear at the same location every time:

$ setarch -R ldd task-4
    linux-vdso.so.1 (0x00007ffff7fbe000)
    libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007ffff7c00000)
    /lib64/ld-linux-x86-64.so.2 (0x00007ffff7fc1000)
$ setarch -R ldd task-4
    linux-vdso.so.1 (0x00007ffff7fbe000)
    libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007ffff7c00000)
    /lib64/ld-linux-x86-64.so.2 (0x00007ffff7fc1000)

Compiler command lines

• If you try to compile the C files yourself (on Linux), you may want to turn of PIE (position-independent executable mode). Use this command gcc -g -no-pie -fno-pie 00.c -o 00 (both -no-pie and -fno-pie are necessary; the first is an option to the linker and the latter to the compiler). If you compile with PIE, the code will be placed wherever Linux finds convenient. With ASLR turned off, this will be in the middle of memory, so main might be at 0x5555555551fc, for example.
• The C programs should work similarly on Mac and Windows – feel free to try! In particular, if you have an M1/M2 Mac, see what difference that makes to the disassembled code, and if the exploits still work.

The commands below are what was actually used to compile the task programs. The option -Wstringop-overflow=0 makes the compiler stop complaining about potential buffer overflows, -g enables debug info (needed to visualize the stack and to use variable names in gdb), and -o specifies the output file (the default is a.out, which is not very useful).

• Task-0 needs C99 (--std=c99) to use gets(). -fno-stack-protector -fno-pie -no-pie makes no difference in this task:

$ gcc -Wstringop-overflow=0 --std=c99 -g -fno-stack-protector -fno-pie -no-pie task-0.c -o task-0

• Task-1 is relocatable, and will have randomized addresses:

$ gcc -Wno-stringop-overflow -g task-1.c -o task-1

• Task-2 has stack canary disabled (-fno-stack-protector):

$ gcc -Wstringop-overflow=0 -g -fno-stack-protector -fno-pie -no-pie task-2.c -o task-2

• Task-3 has stack canary enabled:

$ gcc -Wstringop-overflow=0 -g -fno-pie -no-pie task-3.c -o task-3

• Task-4 needs C99 (--std=c99) to use gets(); must be run with setarch -R

$ gcc -Wstringop-overflow=0 --std=c99 -g -fno-pie -no-pie task-4.c -o task-4