
I have a buffer overflow assignment like this, I set the correct variable to the HEX value of 1 (31) and still nothing, how do I solve this

How do I set the value of correct to 1 with a buffer overflow exploit? When I pass nothing to this the value of temper is 4D2 which is hex for 1234, but when I overflow the buffer with let's say 10 A's followed by 1234 -> AAAAAAAAAA1234 temper gets changed to 0x34333231, I don't understand this, can somebody help?

#include <stdlib.h>
#include <unistd.h>
#include <stdio.h>
#include <string.h>
#include <signal.h>

int main(int argc, char **argv)
{
    volatile int correct = 0;     /* must end up as 1 to print the flag */
    volatile int tamper = 1234;   /* 0x4D2; any change trips the alert below */
    char buffer[10];

    gets(buffer);                 /* unbounded read: the intended overflow point */

    if (strcmp(buffer, [REDACTED]) == 0) {
        correct = 1;
    }

    if (tamper != 1234) {
        printf("Alert! You hit the tamper switch!\n\n<!--correct = 0x%08x-->\n<!--tamper = 0x%08x-->\n", correct, tamper);
        exit(0);
    }

    if (correct == 1) {
        printf("Login successful.\n\n<b>flag{REDACTED}</b>\n\nThe credentials to access this machine are \n\n<b>user:</b>REDACTED\n<b>password:</b>REDACTED\n");
    } else {
        printf("Sorry, password incorrect.\n\n<!--correct = 0x%08x-->\n<!--tamper = 0x%08x-->\n", correct, tamper);
    }

    return 0;
}

To exploit this program (if it's an assignment it will surely be compiled correctly to have buffer before correct) you need to overwrite correct with the int value 1.

The hex value of 1 is 0x1, the hex value of 1234 is 0x4D2.

The structure of the stack will have to be:

        ________________
       |                |
       |      0x1       |  correct (sizeof(int) = 4)
       |                |
       |________________|
       |                |
       |     0x4D2      |  tamper (sizeof(int) = 4)
       |                |
       |________________|
       |                |
       |                |
       |                |
       |                |
       |    gibberish   |  buffer (10 * sizeof(char) = 10)
       |                |
       |                |
       |                |
       |                |
       |________________|
       |                |
       ..................
       ..................
       ..................

Unfortunately you will have to be aware of endianness, too: 0x1 will be in memory as 0x01000000 (x86 architectures) or 0x0100000000000000 (x86_64 architectures). The same will be applied to tamper.

NB: If you don't want to convert endianness yourself you can just use the functions p32 or p64 in the pwntools library.

Also notice that a lot of the values inside tamper and correct will be non-printable.
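As an added illustration (not part of the question or the answer above, and not the assignment's own code), the C below shows the three points the answer makes in runnable form: why the text "1234" landing on tamper reads back as 0x34333231 on a little-endian CPU, what the p32-style conversion of 1 and 1234 to memory bytes produces and why those bytes are non-printable, and a bounded replacement for gets() that reports when input had to be discarded instead of letting it spill into neighbouring variables. The function names and the constructed input strings are mine.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Read 4 bytes the way a little-endian x86 CPU loads an int: byte 0 is the
 * least significant. Feeding it the text "1234" reproduces the 0x34333231
 * the question observed in tamper ('1'=0x31 ... '4'=0x34, reversed). */
uint32_t le32_from_bytes(const unsigned char *b)
{
    return (uint32_t)b[0]
         | ((uint32_t)b[1] << 8)
         | ((uint32_t)b[2] << 16)
         | ((uint32_t)b[3] << 24);
}

/* Store a 32-bit value as the 4 bytes x86 keeps in memory; this is the
 * conversion the answer refers to as p32 in pwntools. */
void le32_to_bytes(uint32_t v, unsigned char out[4])
{
    out[0] = (unsigned char)(v & 0xff);
    out[1] = (unsigned char)((v >> 8) & 0xff);
    out[2] = (unsigned char)((v >> 16) & 0xff);
    out[3] = (unsigned char)((v >> 24) & 0xff);
}

/* 1 if every byte of the little-endian encoding is printable ASCII, else 0.
 * For 1 (01 00 00 00) and 1234 (d2 04 00 00) this is 0, which is why the
 * answer warns that such values cannot simply be typed at a terminal. */
int all_bytes_printable(uint32_t v)
{
    unsigned char b[4];
    le32_to_bytes(v, b);
    for (int i = 0; i < 4; i++)
        if (b[i] < 0x20 || b[i] > 0x7e)
            return 0;
    return 1;
}

/* Bounded replacement for gets(): never writes more than size-1 characters
 * plus the terminator, strips the newline, and reports whether the whole
 * line fit. Returns 1 if the line fit, 0 if input had to be discarded
 * (the caller should treat that as a bad password), -1 on EOF/error. */
int read_line_bounded(char *buf, size_t size, FILE *in)
{
    if (size == 0 || fgets(buf, (int)size, in) == NULL) {
        if (size)
            buf[0] = '\0';
        return -1;
    }
    size_t len = strlen(buf);
    if (len > 0 && buf[len - 1] == '\n') {
        buf[len - 1] = '\0';   /* complete line, newline removed */
        return 1;
    }
    /* No newline: either the line ended at EOF and fit, or it was longer
     * than the buffer. Drain the remainder so it cannot be read as the
     * next input, and remember whether anything was thrown away. */
    int c, discarded = 0;
    while ((c = fgetc(in)) != EOF && c != '\n')
        discarded = 1;
    return discarded ? 0 : 1;
}

/* Helper for exercising the bounded reader without a terminal: feeds a
 * constructed string through a standard-C temporary file. */
int bounded_read_from_string(const char *input, char *out, size_t size)
{
    FILE *f = tmpfile();
    if (f == NULL)
        return -1;
    fputs(input, f);
    rewind(f);
    int rc = read_line_bounded(out, size, f);
    fclose(f);
    return rc;
}

int main(void)
{
    unsigned char enc[4];
    char buffer[10];   /* same size as in the question */

    printf("\"1234\" read as an int: 0x%08x\n",
           le32_from_bytes((const unsigned char *)"1234"));
    le32_to_bytes(1, enc);
    printf("1 in memory: %02x %02x %02x %02x (printable: %d)\n",
           enc[0], enc[1], enc[2], enc[3], all_bytes_printable(1));
    /* constructed input: the question's 10 A's followed by "1234" */
    int fit = bounded_read_from_string("AAAAAAAAAA1234\n", buffer, sizeof buffer);
    printf("fit=%d buffer=\"%s\"\n", fit, buffer);
    return 0;
}
```

With the original gets() replaced by read_line_bounded(buffer, sizeof buffer, stdin) and any return value other than 1 rejected, the same 14-character input is truncated to 9 characters and flagged, and tamper and correct are never touched.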
