[io64][smashthestack] level 3: no proper bound checking

Let’s tale a look at the source code:

With C code, one can quickly spot the problem: the for loop is iterating on 17 elements of the buffer instead of 16, this is caused by the “<=” sign.

This means one could  overwrite the lsb of the fp pointer, and this is exactly what we are going to do with the help of radare2 !

We need to get the function f’s address and see how we could directly jump to the execve call

After analysis, it appears the function f has address 0x0040054c , and the execve call starts at 0x0040057c (arguments passing) .

This means we need to write 16 bytes followed by 0x7c:

And we’re ready to go to the next level 🙂

 

 

Leave a Reply

Your email address will not be published. Required fields are marked *