Hanoi

Let's set a breakpoint as is standard practice.

This time it only calls one function:

  • login

Let's investigate how this function exactly works. Set a breakpoint using break 4520.

We can see the getsn call is what takes the user input. And in the next instruction at 4540, the user input is stored at memory address 0x2400.

The instruction at 455a compares the byte at memory address 0x2410 with 0x97.

If we look at that address, we can see that it is filled with zeroes. We can also check this from the debugger with the R 2410 command.

> R 2410 
2410 0000 0000 0000 0000 0000 0000 0000 0000  ................ 
2420 0000 0000 0000 0000 0000 0000 0000 0000  ................

Since our input is stored at 0x2400 and 0x2410 lies exactly 16 bytes further on, the 17th byte of our input lands on the byte being compared; an input of at least 17 bytes therefore overwrites it. The lock is only supposed to accept up to 16 bytes, so entering more than that is a buffer overflow.
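As an added illustration (not code from the write-up or from the LockIT firmware), the layout above in a few lines of Python: the buffer address 0x2400, the checked byte at 0x2410 and the value 0x97 are taken from the level, while the two getsn length limits (an assumed over-long limit of 28, and a bounded limit of 16) are assumptions used to contrast the overflow with the fix.

```python
# Added example: a tiny simulation of the memory layout this level relies on.
# Addresses and the compared value come from the write-up; the getsn length
# limits below are assumptions chosen to contrast the unsafe and bounded reads.
BUF_ADDR = 0x2400     # where getsn stores the user input (from the write-up)
FLAG_ADDR = 0x2410    # the byte that is compared against 0x97 (from the write-up)
UNLOCK_VALUE = 0x97   # the value the check looks for (from the write-up)
BUF_SIZE = FLAG_ADDR - BUF_ADDR   # 16 bytes: the size the buffer was meant to have


def getsn(memory, dest, max_len, user_input):
    """Copy at most max_len bytes of user_input into memory starting at dest.

    Mirrors an MSP430-style getsn: the caller's max_len is the only thing
    bounding the write, so a limit larger than the buffer spills past it."""
    data = user_input[:max_len]
    memory[dest:dest + len(data)] = data
    return len(data)


def login(user_input, max_len):
    """Simulate the login check: read input into the buffer at BUF_ADDR and
    return True if the byte at FLAG_ADDR now equals UNLOCK_VALUE."""
    memory = bytearray(0x10000)          # 64 KiB address space, all zero
    getsn(memory, BUF_ADDR, max_len, user_input)
    return memory[FLAG_ADDR] == UNLOCK_VALUE


# Constructed input: 16 filler bytes followed by 0x97, so the 17th byte
# would sit exactly on FLAG_ADDR if the read is allowed to go that far.
OVERFLOW_INPUT = bytes(BUF_SIZE) + bytes([UNLOCK_VALUE])

if __name__ == "__main__":
    # Assumed over-long limit (28): the 17th byte reaches FLAG_ADDR and the
    # check passes without any password being known.
    print("over-long getsn:", login(OVERFLOW_INPUT, max_len=28))       # True
    # Bounded read (16 = buffer size): getsn stops at the buffer edge and the
    # flag byte stays zero, which is the fix a defender would apply.
    print("bounded getsn:  ", login(OVERFLOW_INPUT, max_len=BUF_SIZE))  # False
```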

Let's try that out. This time we will enter user input in hexadecimal.

If we continue through the program execution, we are greeted with the following message.

We just exploited our first LockIT lock with a buffer overflow.
