Let’s start by looking at the source code of the challenge.
Firstly, we have a
volatile int modified variable statement. This statement tells the compiler that it should not optimize it by any means. This means that this variable is open to modify somewhere else during the execution and the compiler is forced to reload the variable every time. Read more at Wikipedia.
After that we’re going to copy the contents of
argv into buffer. Notice how we’re using
strcpy() function that won’t care about the size of the destination buffer, we can simply copy 1000 bytes into 64 bytes buffer resulting in buffer overflow. That’s why we should be using
strncpy() function that takes another argument - number of bytes to copy.
In last section of code we have
if(modified == 0x61626364). As the
modified variable is equal to
0 we have to modify it with a previously detected buffer overflow vulnerability. But firstly, let’s take a look at the disassembly of this program.
First thing what we can see is that in this line
DWORD PTR [esp+0x5c],0x0, value
0x0 is moved into stack with offset 0x5c. That’s the
modified variable. At the next arrow we can see
lea eax,[esp+0x1c], so the variable passed to the parameter passed to the function
strcpy() is located at
esp plus offset
0x1c. That’s our buffer. We can also check that by substracting both addressed. The difference should be the size of buffer, so 64 bytes.
Let’s take a look at this simple stack representation, showing the local variables that are put onto the stack.
If we supply the program with number of elements smaller than 64, then it will run without smallest problem.
But what will happen if we overflow the buffer with 2 ‘A’ letters bigger than the allocated size, so in this case 64 ‘A’ letters.
As you can see, our
modified variable gets overwritten as it’s the next variable on the stack.
Now we have to make sure that this check
modified == 0x61626364 is correct. Firstly let’s convert them to characters.
But we have to remeber that values in memory are stored in little endian. Read more here. Basically we have to revert the values into
Keep learning and stay safe! ~ W3ndige