Created: 2014-11-10 23:12:49
Last modified: 2014-11-17 20:58:07
This problem has a buffer overflow vulnerability! Can you get a shell, then use that shell to read flag.txt? You can solve this problem interactively here, and the source can be found here.
Can you overflow into the 'secret' variable?
Exploit a simple buffer overflow.
A buffer overflow is a simple but dangerous exploit of a program. For the purpose of discussion, let us take the following piece of code:
char buf[16];
strcpy(buf, input);
Seems simple right? The code simply takes our input, splits it into characters, and stores each character in an index of buff. But what happens if we input more than 16 characters? In C, the program will start writing your input to memory beyond the bounds
of the array. We can use this to write to variables and in future problems, even change the flow of the program.
Let's get started! If you open the interactive problem solver, you should see a window to the bottom of the page that displays the layout of memory for the program. This is called the stack
. If you look carefully, you will see that the memory address for secret is right above the buffer on the stack. This means, using the concept that we talked about earlier, we can simply write A 16 times so that the program starts writing to memory beyond the bounds
of the buffer and then 4 more characters to change the value of secret
.
As you enter the As, notice that the buffer fills from right to left. Once you have filled the buffer with (16) As, it is time to modify the value of secret.Now we face a problem: secret is an eight digit hex number while it only takes up for slots in the program's memory. Notice how our buffer is filled with 16 values that each are 41
. This is because this program's memory is stored using hexadecimal (abbreviated hex) character values. To find the correct characters we can use \x followed by the two digit hex value of the number. Lets try using this to change the value of secret to 0xc0deface, giving us
AAAAAAAAAAAAAAAA\xc0\xde\xfa\xce.
When we run this, the program returns The secret is cefadec0
which is backwards. This is because our input is in Big Edian
, not Little Edian
which is what the shell server uses. See the problem This is the Endian
for more detail.
Let's convert this number to Little Edian
(by reversing the order of the hex values) and try again. This is our new exploit:
AAAAAAAAAAAAAAAA\xce\xfa\xde\xc0
Which gives us the shell! Now that we have the shell, all we need to do is run
cat flag.txt
and we get our flag!
ooh_so_critical