With this challenge, I think things really start to get fun, and more real-world.
We are provided with the following C program:
This C app will simply read a value from user input, and store it in “buffer”. We then need to get it to somehow execute “win()”.
To get started, just like in the last challenge, I used objdump to find out where “win()” was located:
Because we’re going to need to modify the EIP of this program, we first need to find where it is. You might think it would sit immediately after the 64 bytes of the “buffer” array, but there is often extra space in between, due to null terminators, return values, and more. So I use some tools from the Metasploit Framework on another machine to find the EIP offset.
First, I generate a unique string, using the pattern_create tool:
Then I execute the vulnerable program in gdb, feeding it the unique string to the input:
Now I know that the EIP contains the value 0x63413563. I can go back to the Metasploit tools and run the pattern_offset tool to tell me the offset of the EIP:
This tells me that, rather than the 64 characters I would have guessed, the EIP is actually at an offset of 76 characters. So now we just have to get the address of “win()” (0x080483f4) into the EIP at a 76-byte offset:
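To make the pattern_create / pattern_offset step concrete, here is an added example (not code from the write-up, and not the Metasploit source) that reimplements the well-known cyclic pattern scheme those tools use, where every 3-byte chunk is uppercase letter, lowercase letter, digit, and shows why a crash with EIP = 0x63413563 maps to offset 76: on little-endian x86 the four bytes that landed in EIP appear in the pattern in reverse order of the printed hex value, i.e. as the substring “c5Ac”. The 100-byte pattern length is an assumption, since the write-up does not show the pattern_create invocation.

```python
import string
import struct


def pattern_create(length: int) -> str:
    """Build a cyclic pattern in the Metasploit style (reimplemented here, not
    the original tool): chunks of <upper><lower><digit> with the digit cycling
    fastest, e.g. 'Aa0Aa1Aa2...'. Every 4-byte window is unique within the
    first 26*26*10*3 = 20280 bytes, so any 4 bytes found in a register identify
    exactly one position in the input."""
    chunks = []
    for upper in string.ascii_uppercase:
        for lower in string.ascii_lowercase:
            for digit in string.digits:
                chunks.append(upper + lower + digit)
                if len(chunks) * 3 >= length:
                    return "".join(chunks)[:length]
    return "".join(chunks)[:length]


def pattern_offset(pattern: str, eip_value: int) -> int:
    """Map the value observed in EIP back to its offset in the pattern.
    x86 is little-endian, so 0x63413563 was loaded from the bytes
    63 35 41 63 in memory order, i.e. the substring 'c5Ac'.
    Returns -1 if the value did not come from this pattern."""
    needle = struct.pack("<I", eip_value).decode("ascii")
    return pattern.find(needle)


def eip_from_offset(pattern: str, offset: int) -> int:
    """Inverse check: which 32-bit value would EIP hold if the saved return
    address sat at this offset in the pattern? Useful to confirm the
    pattern_offset result round-trips."""
    return struct.unpack("<I", pattern[offset:offset + 4].encode("ascii"))[0]


if __name__ == "__main__":
    # Assumed: a 100-byte pattern was fed to the program's stdin.
    pat = pattern_create(100)
    crash_eip = 0x63413563  # value reported by gdb in the write-up
    off = pattern_offset(pat, crash_eip)
    print(f"pattern bytes at offset {off}: {pat[off:off + 4]!r}")
    print(f"EIP overwritten at offset {off}, round-trip 0x{eip_from_offset(pat, off):08x}")
```

The same reasoning explains why the offset is 76 rather than 64: the pattern simply reports where in the input the four bytes that ended up in EIP were located, whatever stack layout the compiler chose between the end of “buffer” and the saved return address.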
There you have it: execution reaches “win()”.