Stack 6

Source code

The following is the source code for the Stack 6 challenge:

```c
#include <stdlib.h>
#include <unistd.h>
#include <stdio.h>
#include <string.h>

void getpath()
{
  char buffer[64];
  unsigned int ret;

  printf("input path please: "); fflush(stdout);

  gets(buffer);  /* unbounded read into a 64-byte buffer */

  /* refuse to return if the saved return address matches the 0xbf mask */
  ret = __builtin_return_address(0);

  if((ret & 0xbf000000) == 0xbf000000) {
    printf("bzzzt (%p)\n", ret);
    _exit(1);
  }

  printf("got path %s\n", buffer);
}

int main(int argc, char **argv)
{
  getpath();
}
```

Challenge

In this challenge we again need to modify the saved EIP, as in Stack 5, but our return address cannot start with 0xb. If it does, the binary will exit and we won't be able to get a shell. This challenge can be done in numerous ways; I am going to use return oriented programming in this
Stack 5

Source code

The following is the source code for the Stack 5 challenge:

```c
#include <stdlib.h>
#include <unistd.h>
#include <stdio.h>
#include <string.h>

int main(int argc, char **argv)
{
  char buffer[64];

  gets(buffer);  /* unbounded read into a 64-byte buffer */
}
```

Challenge

This is a classic buffer overflow challenge in which we need to inject our own shellcode and then modify the saved EIP to point to that payload
Stack 4

Source code

The following is the source code for the Stack 4 challenge:

```c
#include <stdlib.h>
#include <unistd.h>
#include <stdio.h>
#include <string.h>

void win()
{
  printf("code flow successfully changed\n");
}

int main(int argc, char **argv)
{
  char buffer[64];

  gets(buffer);  /* unbounded read into a 64-byte buffer */
}
```

Challenge

In this challenge we need to modify the saved EIP on the stack so that when main returns, instead of going back to the function that called main, it goes to the win function
Stack 3

Source code

The following is the source code for the Stack 3 challenge:

```c
#include <stdlib.h>
#include <unistd.h>
#include <stdio.h>
#include <string.h>

void win()
{
  printf("code flow successfully changed\n");
}

int main(int argc, char **argv)
{
  volatile int (*fp)();
  char buffer[64];

  fp = 0;

  gets(buffer);  /* unbounded read; fp sits next to buffer */

  if(fp) {
    printf("calling function pointer, jumping to 0x%08x\n", fp);
    fp();
  }
}
```

Challenge

In this challenge we needed to modify the fp variable to the address of the win function, so first we needed to find the address of the win function, which I did using gdb
Stack 2

Source Code

The following is the source code for the Stack 2 challenge:

```c
#include <err.h>      /* needed for errx() */
#include <stdlib.h>
#include <unistd.h>
#include <stdio.h>
#include <string.h>

int main(int argc, char **argv)
{
  volatile int modified;
  char buffer[64];
  char *variable;

  variable = getenv("GREENIE");

  if(variable == NULL) {
    errx(1, "please set the GREENIE environment variable\n");
  }

  modified = 0;

  strcpy(buffer, variable);  /* no length check on the environment value */

  if(modified == 0x0d0a0d0a) {
    printf("you have correctly modified the variable\n");
  } else {
    printf("Try again, you got 0x%08x\n", modified);
  }
}
```

Challenge

In this challenge the value of the environment variable GREENIE is copied to buffer, so we need to set GREENIE to our payload, which will overflow the buffer and change the value of modified to 0x0d0a0d0a. This can be done using an export statement along with a little Python magic.
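The bounded form of the copy that Stack 2 (and Stack 1) performs with strcpy, as an added example that is not part of the original post. The struct frame layout and the names copy_checked and demo are assumptions for illustration; the real stack layout is chosen by the compiler.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#define BUF_LEN 64

/* Assumed layout for illustration: the challenge's two locals placed in one
 * struct so the neighbouring variable can be inspected after the copy. */
struct frame {
    char buffer[BUF_LEN];
    int modified;
};

/* Hypothetical helper: copies src only if it fits with its terminator.
 * Returns 0 on success, -1 when src is NULL or BUF_LEN bytes or longer. */
int copy_checked(struct frame *f, const char *src)
{
    const char *end;
    if (src == NULL)
        return -1;
    end = memchr(src, '\0', BUF_LEN);   /* look at no more than BUF_LEN bytes */
    if (end == NULL)
        return -1;                      /* reject instead of truncating */
    memcpy(f->buffer, src, (size_t)(end - src) + 1);
    return 0;
}

/* Runs the check on a constructed input of len 'A' bytes. Returns the copy
 * result, or 1 if the neighbouring variable changed, or -2 on malloc failure. */
int demo(size_t len)
{
    struct frame f = { {0}, 0 };
    char *input = malloc(len + 1);
    int rc;
    if (input == NULL)
        return -2;
    memset(input, 'A', len);
    input[len] = '\0';
    rc = copy_checked(&f, input);
    free(input);
    return f.modified != 0 ? 1 : rc;
}

int main(void)
{
    struct frame f = { {0}, 0 };
    int rc = copy_checked(&f, getenv("GREENIE"));  /* same source as Stack 2 */

    printf("%s, modified = 0x%08x\n", rc ? "rejected" : "copied", (unsigned)f.modified);
    return rc ? 1 : 0;
}
```

An input of 63 bytes is the longest that is accepted; anything from 64 bytes up is rejected before a single byte is written, so modified stays 0.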
Stack 1

Source Code

The following is the source code for the Stack 1 challenge:

```c
#include <err.h>      /* needed for errx() */
#include <stdlib.h>
#include <unistd.h>
#include <stdio.h>
#include <string.h>

int main(int argc, char **argv)
{
  volatile int modified;
  char buffer[64];

  if(argc == 1) {
    errx(1, "please specify an argument\n");
  }

  modified = 0;
  strcpy(buffer, argv[1]);  /* no length check on the argument */

  if(modified == 0x61626364) {
    printf("you have correctly got the variable to the right value\n");
  } else {
    printf("Try again, you got 0x%08x\n", modified);
  }
}
```

Challenge

In this challenge we needed to modify the modified variable with a specific value (i.