Thursday, September 17, 2015

Gera's Insecure Programming by example: Warming up on the Stack #3

Today's post is going to cover the third Gera exercise of Warming up on the Stack.  This will be similar to the previous post and explore non-printable keyboard characters as input to solve the challenge.  The code below is the stack3.c program:

/* stack3-stdin.c *
 * specially crafted to feed your brain by gera */

#include <stdio.h>

int main()
{
      int cookie;
      char buf[80];

      printf("buf: %08x cookie: %08x\n", &buf, &cookie);
      gets(buf);

      if(cookie == 0x01020005)
            printf("you win!\n");
}

We can see that it's similar to the previous challenge.  The subtle difference this time is the 0x00 byte inside the cookie value 0x01020005.  In the ASCII chart, 0x00 is "null" (NUL).  Let's get this program compiled!


Analysis

Ensure that you have the program code above compiled as shown in the previous post.  Compiled?  Warnings?  Awesome.  Let's move forward.

1.  Open up a Terminal window if you don't already have one open
2.  Browse to the location of stack3 if you aren't already there
3.  Run it:
./stack3

4.  Type in some letters and press Enter:
AAAA

5.  Nope, you win again stack program!  Let's use some Python.
6.  In Terminal, type in the following (Python 2 print syntax) and press Enter:

python -c 'print "A" * 80 + "\x05\x00\x02\x01"' | ./stack3



Nice.  Looks like it was a pretty simple one today!  Even with the addition of the "null" character, we're still able to pass the program the key to the challenge.  That works because gets() only stops reading at a newline or end-of-file, so the 0x00 byte is stored like any other byte.  The fourth and fifth challenges look to add a bit more challenge to the series.  Stay tuned!
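To show why the 0x00 byte is harmless to gets() but would matter elsewhere, here is an added example (not part of gera's code or the original post) that replays the same 84 bytes through three copy behaviours and reports the resulting cookie.  The struct frame, build_payload, cookie_after and like_* names are hypothetical; the model assumes a little-endian target with a 4-byte int and that cookie sits directly after buf, as the payload above does.

```c
/* Added example: models stack3's locals as a struct so the layout is fixed.
 * Assumes little-endian, 4-byte int, cookie directly after buf. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define BUF_LEN 80

struct frame { char buf[BUF_LEN]; int cookie; };  /* hypothetical stand-in */

/* Constructed input: the bytes the post's Python one-liner emits,
 * including the newline that print appends. */
static size_t build_payload(unsigned char *out)
{
    memset(out, 'A', BUF_LEN);
    memcpy(out + BUF_LEN, "\x05\x00\x02\x01\n", 5);
    return BUF_LEN + 5;
}

/* Copy the payload into a zeroed frame until `stop` is seen or `limit`
 * bytes are written, then return the cookie. The copy uses a byte view of
 * the whole struct, so the model never writes outside the object. */
static int cookie_after(int stop, size_t limit)
{
    unsigned char in[BUF_LEN + 5];
    size_t n = build_payload(in);
    struct frame f;
    unsigned char *dst = (unsigned char *)&f;

    memset(&f, 0, sizeof f);
    for (size_t i = 0; i < n && i < limit && in[i] != stop; i++)
        dst[i] = in[i];
    return f.cookie;
}

/* gets(): ends at '\n' only, no length check; 0x00 is copied as data. */
static int like_gets(void)   { return cookie_after('\n', sizeof(struct frame)); }
/* strcpy(): also unchecked, but the first 0x00 ends the copy. */
static int like_strcpy(void) { return cookie_after(0x00, sizeof(struct frame)); }
/* fgets(buf, sizeof buf, stdin): stores at most BUF_LEN - 1 input bytes. */
static int like_fgets(void)  { return cookie_after('\n', BUF_LEN - 1); }

int main(void)
{
    printf("gets-like:   cookie = %08x\n", (unsigned)like_gets());
    printf("strcpy-like: cookie = %08x\n", (unsigned)like_strcpy());
    printf("fgets-like:  cookie = %08x\n", (unsigned)like_fgets());
    return 0;
}
```

The fgets-like case is the fix for stack3: with the read bounded by the buffer size, the cookie keeps its original value whatever the input contains.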
