Posted on March 9, 2017 as Overthewire.
Today we'll be dealing with another reverse engineering challenge from Overthewire - pretty quick, but fun as always!
This code is a lot shorter, compared to the previous ones, making it much easier to analyze.
Yeah, we have a buffer of 256 bytes, which gets the content, using dangerous strcpy function straight from the argument variable. This challenge looks a lot like the second one, so maybe we will also be able to put shellcode somewhere in the buffer?
Actually, after a little bit of tinktering in gdb, I've found that providing the binary with 273 "A" letters and 7 "B" letters will overwrite our buffer, together with return address.
Now let's take a look at the memory.
From this we know that we have somewhere around 272 bytes for the shellcode with some additional bytes that will overwrite the return address. Now we can construct the command, using code from the previous levels.
As we already know that our payload is 25 bytes in size, we will have to: firstly write 247 "A" letters, then 25 bytes of shellcode and lastly overwriting the EIP register, which then will be placed somewhere in the middle of "A" letters. By looking at the debug of the memory, I'm going to choose it as 0xffffd850.
Once again we have the password to the next level!
Another big thanks to OverTheWire! I'm looking forward to the next challenges!