ELF x86 - Stack buffer overflow basic 1
Here is the C code which is given in the chall.
C code
#include <unistd.h>
#include <sys/types.h>
#include <stdlib.h>
#include <stdio.h>

int main()
{
    int var;
    int check = 0x04030201;
    char buf[40];

    fgets(buf,45,stdin);

    printf("\n[buf]: %s\n", buf);
    printf("[check] %p\n", check);

    if ((check != 0x04030201) && (check != 0xdeadbeef))
        printf ("\nYou are on the right way!\n");

    if (check == 0xdeadbeef)
    {
        printf("Yeah dude! You win!\nOpening your shell...\n");
        setreuid(geteuid(), geteuid());
        system("/bin/bash");
        printf("Shell closed! Bye.\n");
    }
    return 0;
}
Let's access the server via SSH and try to solve the chall.
ssh -p 2222 [email protected]
Here, a few files caught my attention.
We have a .passwd file, which seems to be where the flag for the chall is stored. Unfortunately, we can't read it, as we don't have permission.
Now, let's dive into the vulnerable code and spawn the shell.
The buffer is declared as char buf[40]; but the program calls fgets(buf, 45, stdin); which treats it as a 45-byte buffer. So, my methodology will be:
- The check variable is stored right after the buffer in memory.
- By overflowing the buffer, we can overwrite check.
- We need to change check to 0xdeadbeef.
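As an added illustration (not code from the challenge or from this write-up), the C program below models the frame as a byte array, assuming check sits immediately after buf as described above, and compares the challenge's size argument of 45 with the correct size of 40. mem_fgets is a hypothetical stand-in for fgets that reads from a string, and the input is constructed.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BUF_LEN    40            /* char buf[40] from the challenge */
#define CHECK_INIT 0x04030201u   /* initial value of check */

/* Hypothetical stand-in for fgets(dst, n, stdin): copies at most n-1 bytes
   from src, stops after a newline, and always NUL-terminates. */
static void mem_fgets(unsigned char *dst, int n, const char *src)
{
    int i = 0;
    while (i < n - 1 && src[i] != '\0') {
        dst[i] = (unsigned char)src[i];
        if (src[i++] == '\n')
            break;
    }
    dst[i] = '\0';
}

/* Returns the value of check after `input` is read with size argument n.
   Assumed layout: buf at offset 0, check at offset 40, then padding so the
   model itself never writes out of bounds. */
uint32_t check_after_read(int n, const char *input)
{
    unsigned char frame[BUF_LEN + 8];
    uint32_t check = CHECK_INIT;

    memset(frame, 0, sizeof frame);
    memcpy(frame + BUF_LEN, &check, sizeof check);
    mem_fgets(frame, n, input);            /* the read under test */
    memcpy(&check, frame + BUF_LEN, sizeof check);
    return check;
}

int main(void)
{
    /* Constructed input: 40 filler bytes followed by "BBBB". */
    char input[64];
    memset(input, 'A', BUF_LEN);
    memcpy(input + BUF_LEN, "BBBB\n", 6);

    /* Size 45 lets bytes 40..43 of the input land in check. */
    printf("size 45: check = 0x%08x\n", (unsigned)check_after_read(45, input));
    /* Size 40 (sizeof buf) truncates the input and leaves check intact. */
    printf("size 40: check = 0x%08x\n", (unsigned)check_after_read(BUF_LEN, input));
    return 0;
}
```

Passing sizeof(buf) as the size argument, rather than a hand-written constant, is the fix: the read then stops at 39 bytes plus the terminator.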