Jack Harris

Reputation: 17

I have a buffer overflow assignment like this, I set the correct variable to the HEX value of 1 (31) and still nothing, how do I solve this

How do I set the value of correct to 1 with a buffer overflow exploit? When I pass nothing to this the value of tamper is 4D2 which is hex for 1234, but when I overflow the buffer with, let's say, 10 A's followed by 1234 -> AAAAAAAAAA1234, tamper gets changed to 0x34333231. I don't understand this, can somebody help?

#include <stdlib.h>
#include <unistd.h>
#include <stdio.h>
#include <string.h>
#include <signal.h>


int main(int argc, char **argv)
{
    volatile int correct = 0;      /* set to 1 only when the password matches */
    volatile int tamper = 1234;    /* guard value: stays 0x4D2 unless overwritten */
    char buffer[10];

    gets(buffer);                  /* unbounded read: more than 9 bytes of input
                                      spill past buffer into the neighbouring ints */

    if(strcmp(buffer, [REDACTED])==0) {
        correct = 1;
    }

    if(tamper!=1234) {
        printf("Alert! You hit the tamper switch!\n\n<!--correct = 0x%08x-->\n<!--tamper = 0x%08x-->\n", correct, tamper);
        exit(0);
    }

    if(correct==1) {
        printf("Login successful.\n\n<b>flag{REDACTED}</b>\n\nThe credentials to access this machine are \n\n<b>user:</b>REDACTED\n<b>password:</b>REDACTED\n");

    } else {
        printf("Sorry, password incorrect.\n\n<!--correct = 0x%08x-->\n<!--tamper = 0x%08x-->\n", correct, tamper);
    }

}

Upvotes: 0

Views: 262

Answers (1)

Marco Balo

Reputation: 336

To exploit this program (if it's an assignment it will surely be compiled correctly to have buffer before correct) you need to overwrite correct with the int value 1.

The hex value of 1 is 0x1, the hex value of 1234 is 0x4D2.

The structure of the stack will have to be:

        ________________
       |                |
       |      0x1       |  correct (sizeof(int) = 4)
       |                |
       |________________|
       |                |
       |     0x4D2      |  tamper (sizeof(int) = 4)
       |                |
       |________________|
       |                |
       |                |
       |                |
       |                |
       |    gibberish   |  buffer (10 * sizeof(char) = 10)
       |                |
       |                |
       |                |
       |                |
       |________________|
       |                |
       ..................
       ..................
       ..................

Unfortunately you will have to be aware of endianness, too: 0x1 will be in memory as 0x01000000 (x86 architectures) or 0x0100000000000000 (x86_64 architectures). The same applies to tamper.

NB: If you don't want to convert endianness yourself you can just use the functions p32 or p64 in the pwntools library.

Also notice that a lot of the bytes inside tamper and correct will be non-printable.

Upvotes: 0
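As an added illustration of the endianness point made in the answer (this is example code, not code from the question or the answer), the small C program below shows why the typed text "1234" shows up in tamper as 0x34333231 on a little-endian machine, and what the ints 1 and 1234 actually look like as bytes in memory. The helper names (le32_from_bytes, le32_to_bytes, le32_byte, host_is_little_endian) are my own; le32_to_bytes does the same job as pwntools' p32.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Read four bytes as the 32-bit integer a little-endian CPU sees when
 * those bytes occupy the slot where an int lives on the stack. */
uint32_t le32_from_bytes(const unsigned char *b)
{
    return (uint32_t)b[0]
         | ((uint32_t)b[1] << 8)
         | ((uint32_t)b[2] << 16)
         | ((uint32_t)b[3] << 24);
}

/* Write v as four little-endian bytes (lowest-order byte first).
 * This is what pwntools' p32() returns for v. */
void le32_to_bytes(uint32_t v, unsigned char out[4])
{
    out[0] = (unsigned char)(v & 0xff);
    out[1] = (unsigned char)((v >> 8) & 0xff);
    out[2] = (unsigned char)((v >> 16) & 0xff);
    out[3] = (unsigned char)((v >> 24) & 0xff);
}

/* Byte i (0 = lowest address) of v in little-endian memory order. */
unsigned le32_byte(uint32_t v, unsigned i)
{
    unsigned char b[4];
    le32_to_bytes(v, b);
    return b[i & 3];
}

/* 1 if this host stores the low-order byte of an int at the lowest address. */
int host_is_little_endian(void)
{
    uint32_t one = 1;
    unsigned char b[sizeof one];
    memcpy(b, &one, sizeof one);
    return b[0] == 1;
}

int main(void)
{
    /* Constructed input: the text "1234" from the question, as its ASCII bytes
     * 0x31 0x32 0x33 0x34 (the terminating NUL is not read). */
    const unsigned char typed[] = "1234";
    unsigned char b[4];

    printf("host is %s-endian\n", host_is_little_endian() ? "little" : "big");
    printf("text \"1234\" read as an int: 0x%08x\n",
           (unsigned)le32_from_bytes(typed));

    le32_to_bytes(1, b);
    printf("int 1    in memory: %02x %02x %02x %02x\n", b[0], b[1], b[2], b[3]);
    le32_to_bytes(1234, b);
    printf("int 1234 in memory: %02x %02x %02x %02x\n", b[0], b[1], b[2], b[3]);
    return 0;
}
```

The output makes the mismatch in the question concrete: the characters '1'..'4' are the bytes 0x31..0x34, which a little-endian int reads back as 0x34333231, whereas the int 1 is stored as 01 00 00 00 and 1234 as d2 04 00 00. The defensive fix for the program itself is to replace the unbounded gets() with a length-limited read such as fgets(buffer, sizeof buffer, stdin), so that no input can reach tamper or correct at all.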
