Stack 0

About

Source Code

#include <stdlib.h>
#include <unistd.h>
#include <stdio.h>

int main(int argc, char **argv)
{
  volatile int modified;
  char buffer[64];

  modified = 0;
  gets(buffer);

  if(modified != 0) {
      printf("you have changed the 'modified' variable\n");
  } else {
      printf("Try again?\n");
  }
}

Analysing the Source Code

By looking at the source code we see that to solve Stack 0 we need to find a way to set the modified variable to not 0. At line 8, a character array of 64 bytes is set, then modified is set to 0 and the program calls the gets function at line 11 which stores our user input.

Looking at the gets man page we can see that is a vulnerable function.

Debugging the binary with GDB

We run the binary on GDB, set the disassembly syntax to Intel with the command set disassembly-flavor intel and disassemble main with the command disas main.

Above we can see the instruction where modified is set to 0 before the call to the gets function, and after that modified is there stored on eax and then tested if its 0 with the instruction test eax, eax.

We place a breakpoint at the address after the gets function and provide some A as input. What we want to analyse is where our A's are placed on the stack, and what is the value of esp+0x5c which is our modified variable, as well as if we can change it.

The first thing we notice is that our A's show up in the stack represented by their hexadecimal value 0x41. Then when we see the content of esp+0x5c we can see that its still 0 , but we can see where it is stored on the stack. We count how many more character we need to overwirte the modified variable to overwrite the 64 char array and overflow the variable. So let's try it.

We have successfully modified the modified variable. Using python we can modify the variable through the command line.