Another challenge from pwnable.kr will show us how to perform a simple buffer overflow attack.
This time we’re going to download the source code and the binary from the webpage. After that we’re ready to analyze whatever this challenge brings to us.
Firstly, we can see that this application is vulnerable to overflow, since gets() function won’t cut the characters after the buffer. Let’s see man pages.
Since the best way to execute /bin/sh is to make the the comparision true, we will have to overflow the buffer, and change the value of the key parameter. Game plan is to find out the address of the key, and then the address of
overflowme. This will allow us to calculate the offset between those 2 addresses, resulting in the number of trash data that has to be put into the buffer.
Let’s fire up gdb, and disassemble main() function.
Here we can see that at main+9 the 0xdeadbeef is moved into the esp. In order to find the address of this variable we will have to set up breakpoint at main+16, and view the content of stack pointer.
Great, we have it! Now we have to find the address of overflowme buffer, which lays in the func function. Let’s disassemble it.
Since we know that local variables are on the negative size of ebp (read more), we can guess that ebp-0x2c is the address of overflowme variable. Let’s set another breakpoint at gets and find out if it’s true.
Now we’re ready to calculate the offset between those two addresses.
Ready to exploit?
By printing 52 A letters and the number used in comparision (stored in little endian format), we were able to exploit this application.