Created: 2014-11-10 23:12:49
Last modified: 2014-11-17 20:58:07
Can you overflow into the 'secret' variable?
Exploit a simple buffer overflow.
A buffer overflow is a simple but dangerous exploit of a program. For the purpose of discussion, let us take the following piece of code:
char buf[16]; strcpy(buf, input);
Seems simple, right? The code simply takes our input, splits it into characters, and stores each character in an index of buf. But what happens if we input more than 16 characters? In C, the program will keep writing your input to memory beyond the bounds of the array. We can use this to write to other variables and, in future problems, even change the flow of the program.
Let's get started! If you open the interactive problem solver, you should see a window at the bottom of the page that displays the layout of the program's memory. This is called the stack. If you look carefully, you will see that the memory address of secret is right above the buffer on the stack. This means, using the concept we talked about earlier, we can simply write A 16 times so that the program starts writing to memory beyond the bounds of the buffer, and then 4 more characters to change the value of
As you enter the As, notice that the buffer fills from right to left. Once you have filled the buffer with (16) As, it is time to modify the value of secret. Now we face a problem: secret is an eight-digit hex number, while it only takes up four slots in the program's memory (each slot holds one byte, i.e. two hex digits). Notice how our buffer is filled with 16 values that are each 41. This is because the program's memory is displayed using hexadecimal (abbreviated hex) character values, and 0x41 is the ASCII code for A. To write the correct bytes we can use \x followed by the two-digit hex value of each byte. Let's try using this to change the value of secret to 0xc0deface, giving us
When we run this, the program returns
The secret is cefadec0, which is backwards. This is because our input is in big-endian order, not little-endian order, which is what the shell server uses. See the problem "This is the Endian" for more detail.
Let's convert this number to little-endian (by reversing the order of the bytes, i.e. the \x pairs) and try again. This is our new exploit:
Which gives us the shell! Now that we have the shell, all we need to do is run
and we get our flag!
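As an added illustration (not part of the original write-up or the problem's own program), the following C code models the layout described above with a struct holding a 16-byte buffer followed by the 4-byte secret, overflows it with the same 20-byte input, and shows why the bytes typed as c0 de fa ce come back as cefadec0 on a little-endian machine. A bounds-checked copy that refuses over-long input sits beside the unbounded one; the struct name, function names and the constructed input are assumptions.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for the program's stack frame: a 16-byte buffer with
 * the 4-byte secret right after it; a struct guarantees that adjacency. */
struct frame {
    char buf[16];
    uint32_t secret;
};

/* Unbounded copy, like the page's strcpy: input past 16 bytes spills into
 * secret; returns its value. Copying via &f (capped) keeps this defined C. */
uint32_t overflow_secret(const unsigned char *input, size_t len) {
    struct frame f;
    memset(&f, 0, sizeof f);
    if (len > sizeof f) len = sizeof f;
    memcpy(&f, input, len);          /* never checked against sizeof f.buf */
    return f.secret;
}

/* Hardened copy: rejects input that does not fit buf plus its NUL, so the
 * bytes after buf can never be written. Returns 0 on success, -1 on reject. */
int copy_bounded(char *buf, size_t bufsz, const char *input) {
    size_t n = strlen(input);
    if (n >= bufsz) return -1;
    memcpy(buf, input, n + 1);
    return 0;
}

/* Emit v in the byte order a little-endian CPU stores it, i.e. the page's
 * "reverse the hex pairs" step. */
void to_le_bytes(uint32_t v, unsigned char out[4]) {
    for (int i = 0; i < 4; i++) out[i] = (unsigned char)(v >> (8 * i));
}
int host_is_little_endian(void) {
    uint32_t probe = 1;
    return *(unsigned char *)&probe == 1;   /* char access may alias anything */
}
int main(void) {
    /* Constructed input: 16 'A's, then 0xc0deface typed big-endian first
     * (the page's first attempt) and then in little-endian byte order. */
    unsigned char in[20];
    memset(in, 'A', 16);
    memcpy(in + 16, "\xc0\xde\xfa\xce", 4);
    printf("typed as c0 de fa ce -> secret = %08x\n", (unsigned)overflow_secret(in, 20));
    to_le_bytes(0xc0deface, in + 16);
    printf("typed reversed       -> secret = %08x\n", (unsigned)overflow_secret(in, 20));
    return 0;
}
```

Exactly 16 bytes of input never touch secret; the 17th byte onward is what overwrites it, which is the check copy_bounded enforces.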