This is the main function taken from the source code. We have two variables: `username`, which is a char buffer of size 8, and `auth`. `auth` is initialised with the value 0xcafebabe. User input is read using `scanf` with the format specifier `%s`. Our goal is to overwrite `auth` with the value 0xdeadbeef, which will result in us getting a shell, which we can use to obtain the flag.
The vulnerability here is caused by using the format specifier `%s` with `scanf`. The issue with this particular format specifier is that it reads input of any size and stores it in a buffer of fixed size. This causes a buffer overflow if the input size exceeds the size of the buffer.
In this particular challenge this vulnerability allows us to write past the memory allocated for `username` and into `auth`, which means we can modify the value of `auth`. We can test the overflow by debugging the binary with gdb and giving an input such as AAAAAAAABBBB. The first 8 "A"s will fill the `username` buffer. The remaining "B"s will overwrite the 0xcafebabe stored in `auth`.
Before reading input:
After reading input:
0x41 is the hexadecimal ASCII value of "A" and 0x42 is the hexadecimal ASCII value of "B". Hence it can be seen that we overwrote `auth` with our "B"s.
Since data is stored in little endian (the bytes of every 4-byte word are in reverse order), in order to get 0xdeadbeef in memory we have to give the input with those 4 bytes in reverse order.
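As an added example (not code from the original writeup or the challenge binary), the following C program reconstructs the layout described above with an explicit struct, so the adjacency of `username` and `auth` is deterministic rather than left to the compiler. It shows the unbounded `%s` read beside a width-limited one, which is the fix for this class of bug, and computes the little-endian byte order of a 32-bit value. The struct name `login_frame`, the function names, and the sample input are assumptions.

```c
#include <stdio.h>
#include <stdint.h>
#include <string.h>

/* Constructed layout mirroring the challenge: an 8-byte name buffer
 * immediately followed by the 32-bit auth value. A struct is used
 * (instead of two locals) so the adjacency is guaranteed here. */
struct login_frame {
    char username[8];
    uint32_t auth;
};

#define AUTH_INIT 0xcafebabeu   /* value set by the challenge binary */
#define AUTH_WANT 0xdeadbeefu   /* value the check compares against */

/* Vulnerable form from the writeup: "%s" has no width limit, so input
 * longer than 7 characters runs off the end of username into auth.
 * Kept for comparison only; calling it with long input is undefined behaviour. */
int login_unbounded(const char *input, struct login_frame *f) {
    f->auth = AUTH_INIT;
    if (sscanf(input, "%s", f->username) != 1) return 0;
    return f->auth == AUTH_WANT;
}

/* Hardened form: a width of 7 leaves room for the NUL terminator in an
 * 8-byte buffer, so no input can reach auth. */
int login_bounded(const char *input, struct login_frame *f) {
    f->auth = AUTH_INIT;
    if (sscanf(input, "%7s", f->username) != 1) return 0;
    return f->auth == AUTH_WANT;
}

/* Little-endian byte order of a 32-bit value (least significant byte first),
 * computed with shifts so the result does not depend on the host. */
void le_bytes(uint32_t v, uint8_t out[4]) {
    for (int i = 0; i < 4; i++) out[i] = (uint8_t)(v >> (8 * i));
}

/* Report whether this host actually stores integers little-endian. */
int host_is_little_endian(void) {
    uint32_t v = 0x01020304u;
    uint8_t b;
    memcpy(&b, &v, 1);
    return b == 0x04;
}

int main(void) {
    struct login_frame f;
    uint8_t b[4];
    /* Constructed input: 8 "A"s followed by 4 "B"s, as in the writeup's gdb test. */
    int ok = login_bounded("AAAAAAAABBBB", &f);
    printf("bounded read: username=\"%s\" auth=0x%08x shell=%d\n", f.username, f.auth, ok);
    le_bytes(AUTH_WANT, b);
    printf("0x%08x in memory (little endian): %02x %02x %02x %02x\n",
           AUTH_WANT, b[0], b[1], b[2], b[3]);
    printf("host is little endian: %d\n", host_is_little_endian());
    return 0;
}
```

With the bounded read, the same AAAAAAAABBBB input leaves `auth` at 0xcafebabe and truncates the name to seven characters; `le_bytes` makes the byte reversal the writeup relies on explicit. The `%7s` width (or an `fgets` with `sizeof` the buffer) is the one-line change that removes the overflow entirely.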
- We have two variables: `username`, which is a char buffer of size 8, and `auth`, which is initialised to 0xcafebabe.
- Use the buffer overflow caused by `scanf` with `%s` into the `username` buffer to overwrite `auth` with 0xdeadbeef.
- The check is passed and we are given a shell, with which the flag can be obtained.