search
Personal WebsiteGithubLinkedIn

Stack Four

Stack4 takes a look at overwriting saved EIP and standard buffer overflows. This level is at /opt/protostar/bin/stack4

Hints

  • A variety of introductory papers into buffer overflows may help

  • gdb lets you do “run < input

  • EIP is not directly after the end of buffer, compiler padding can also increase the size.

hashtag
Source code

#include <stdlib.h>
#include <unistd.h>
#include <stdio.h>
#include <string.h>

void win()
{
  printf("code flow successfully changed\n");
}

int main(int argc, char **argv)
{
  char buffer[64];

  gets(buffer);
}

In this program, we have the win function.

There is no initialized function pointer in the main function. There fore we will have to overwrite the saved eip, also known as the the saved return address.

The saved return address is located before the buffer.

That was a generalized representation.

We need the exact layout of the stack in order to craft our payload.

Set a breakpoint at main+21 and pass in the following input:

This will lead to segmentation fault.

The error message tells us that the value of stored eip was changed to 0x74747474 which is not a valid address. 0x74 is t in ASCII.

Let's try to get a clearer picture.

So the 77th, 78th, 79th and 80th bytes from our input overwrote the saved eip, and the four bytes before those which were ssss overwrote the saved ebp.

This means we need 80 bytes in total. 64 bytes to fill the buffer, 8 bytes of padding, 4 bytes to overwrite the saved ebp and 4 for overwriting the saved eip.

In order to alter control flow to the win function, we first need to know its address.

These four bytes need to be the 0x080483f4 address in little-endian format.

hashtag
Exploit

Last updated