Stack Zero
This level introduces the concept that memory can be accessed outside of its allocated region, how the stack variables are laid out, and that modifying outside of the allocated memory can modify program execution.
Source code
As we can see a modified
variable is initialized which has the qualifier volatile
is created. The volatile
qualifier tells the compiler to not optimize the usage of the variable as it can be changed at any time.
Afterwards, a buffer of 64 bytes is created.
The variable is later initialized to 0
.
The gets
system call is used to read user input into the buffer. This syscall is infamous for it's bugs.
Let's look at the manual page.
So the gets
syscall stores characters past the end of the buffer. This essentially breaks the limit set on the buffer which means we can input more than 64 bytes.
This is the vulnerability that we have to exploit.
But before that let's go through the rest of the code.
There is an if
statement which checks if the value of modified
in not equal to zero. If it is not equal to 0, it prints out a string else
it prompts us to try again.
We have to overwrite the modified
variable using a buffer overflow. For that we have have to know where the modified
variable is located.
Let's disassemble the program in gdb
.
Look at the instruction at main+9
.
We can see that the variable is located at esp+0x5c
and is set to zero using dereferencing.
Next, we want to locate the buffer.
In 32-bit assembly the arguments for a call
are stored onto the stack
.
In our program the gets
syscall takes the location of the buffer as argument. This buffer is located at esp+0x1c
.
The distance between the location of the modified
variable and the buffer is the following:
The variable is located right where the buffer ends.
Therefore we need 65 bytes in total, 64 bytes to fill the buffer and 1 byte to overwrite the modified
variable.
Exploit
We can also use python
to craft the exploit.
Last updated