ELF x86 - Stack buffer overflow basic 1
Here is the C code given in the challenge.

C code

    #include <unistd.h>
    #include <sys/types.h>
    #include <stdlib.h>
    #include <stdio.h>

    int main()
    {
        int var;
        int check = 0x04030201;      /* sentinel sitting next to buf on the stack */
        char buf[40];                /* 40-byte buffer ... */
        fgets(buf, 45, stdin);       /* ... but fgets may write up to 45 bytes */
        printf("\n[buf]: %s\n", buf);
        printf("[check] %p\n", check);
        if ((check != 0x04030201) && (check != 0xdeadbeef))
            printf("\nYou are on the right way!\n");
        if (check == 0xdeadbeef)
        {
            printf("Yeah dude! You win!\nOpening your shell...\n");
            setreuid(geteuid(), geteuid());
            system("/bin/bash");
            printf("Shell closed! Bye.\n");
        }
        return 0;
    }
Let's access the server via ssh and try to solve the challenge.
ssh -p 2222 app-systeme-ch13@challenge02.root-me.org
Here we have some files which caught my attention.
We have a .passwd file, and it looks like that is where we can get the flag for the challenge. Unfortunately, we can't read the file, as we don't have permission for it.
Now, let's dive into the vulnerable code and spawn the shell.
We have a 40-byte buffer, char buf[40];, but the program calls fgets(buf, 45, stdin);, which lets fgets write up to 44 characters plus the terminator, 5 bytes more than the buffer holds. So my methodology will be:
- The check variable is stored right after the buffer in memory.
- By overflowing the buffer, we can overwrite check.
- We need to change check to 0xdeadbeef.
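To make the size mismatch concrete, here is an added example (my own code, not part of the challenge or the original write-up) that measures how many characters fgets really stores for the challenge's limit of 45 versus a limit derived from the buffer itself, and shows the hardened form of the read. The 44-character sample line, the BUF_LEN and CHALLENGE_LIMIT names and the helper functions are all assumptions made for this demonstration; the read is fed through fmemopen so it runs offline.

```c
#define _POSIX_C_SOURCE 200809L   /* for fmemopen */
#include <stdio.h>
#include <string.h>

#define BUF_LEN 40           /* char buf[40] in the challenge */
#define CHALLENGE_LIMIT 45   /* the 45 passed to fgets in the challenge */

/* Reviewer's rule of thumb: fgets(buf, n, in) may store n bytes in total
 * (n-1 characters plus the NUL terminator), so any n larger than the
 * buffer's capacity can write past its end. */
int fgets_limit_exceeds_buffer(int n, size_t cap)
{
    return n > 0 && (size_t)n > cap;
}

/* Measure how many characters fgets(buf, n, in) actually stores for a
 * given line, terminator excluded. The scratch buffer is deliberately far
 * larger than any n we pass, so the measurement itself is safe. */
size_t fgets_stores(int n, const char *input)
{
    char scratch[256] = {0};
    if (n <= 0 || (size_t)n > sizeof scratch)
        return 0;
    FILE *in = fmemopen((void *)input, strlen(input), "r");
    if (in == NULL)
        return 0;
    if (fgets(scratch, n, in) == NULL)
        scratch[0] = '\0';
    fclose(in);
    return strlen(scratch);
}

/* Hardened read: the limit is derived from the destination, never from a
 * hand-written constant, so it cannot drift out of sync with the buffer. */
size_t read_line_bounded(char *buf, size_t cap, FILE *in)
{
    if (cap == 0)
        return 0;
    if (fgets(buf, (int)cap, in) == NULL) {
        buf[0] = '\0';
        return 0;
    }
    return strlen(buf);
}

/* Run the hardened read against a BUF_LEN-byte stack buffer and report how
 * many characters landed in it. */
size_t hardened_read_stores(const char *input)
{
    char buf[BUF_LEN];
    FILE *in = fmemopen((void *)input, strlen(input), "r");
    if (in == NULL)
        return 0;
    size_t stored = read_line_bounded(buf, sizeof buf, in);
    fclose(in);
    return stored;
}

/* Constructed sample input: 44 'A's and a newline, the longest line the
 * challenge's fgets(buf, 45, stdin) consumes in one call. */
const char *demo_long_line(void)
{
    static char line[64];
    memset(line, 'A', 44);
    line[44] = '\n';
    line[45] = '\0';
    return line;
}

int main(void)
{
    const char *line = demo_long_line();
    printf("limit %d into %d-byte buffer: overflow=%d, stores %zu chars\n",
           CHALLENGE_LIMIT, BUF_LEN,
           fgets_limit_exceeds_buffer(CHALLENGE_LIMIT, BUF_LEN),
           fgets_stores(CHALLENGE_LIMIT, line));
    printf("limit sizeof buf (%d): overflow=%d, stores %zu chars\n",
           BUF_LEN, fgets_limit_exceeds_buffer(BUF_LEN, BUF_LEN),
           hardened_read_stores(line));
    return 0;
}
```

With the challenge's limit the 44-character line is stored in full, four bytes past the end of a 40-byte buffer plus the terminator; with the limit taken from sizeof buf the same line is cut at 39 characters and the variables next to the buffer are never touched. Passing sizeof buf (or a constant that is defined once and used for both the array and the read) is the whole fix.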
Let's quickly check for the binary protections and jump right into it.
Hmm, looks simple.
Here I'm giving exactly 40 bytes of input and seeing what it returns.
Well, as expected, providing 4 extra bytes (\xef\xbe\xad\xde, which is 0xdeadbeef in little-endian byte order) overflows into check, and we can now overwrite it with 0xdeadbeef.
    if ((check != 0x04030201) && (check != 0xdeadbeef))
        printf("\nYou are on the right way!\n");
    if (check == 0xdeadbeef)
It closed the shell immediately. Let's try running cat to keep stdin open.
Voilà, we got the shell.