
Note: this is extra credit for a homework assignment

I'm trying to figure out how to call win() via stdin. I assumed that the vulnerability would be exploited by a buffer overflow, but I can't even figure out how to overflow the buffer (if I input a 45-character string, it prints all 45 characters). What sort of vulnerability should I be looking for here, and how would I go about exploiting it?

#include <stdio.h>
#include <stdlib.h>

int win()
{
    printf("Great Job\n");
    exit(0);
}

int main()
{
    char buffer[40];
    unsigned long long target;   /* declared but never used */

    scanf("%s", buffer);         /* no field width: input longer than 39 characters runs past buffer */
    printf("You sent: %s\n", buffer);
    exit(1);                     /* main never returns, so its saved return address is never loaded */
}
  • You are indeed overflowing the buffer if you are able to store 45 bytes where there is only space for 40, no? Is this really all of the code? Seems odd that target is defined but not used. As is, you could maybe leak some addresses, but after a quick look, I don't see a way to hijack execution flow as it stands (due to the exit()). Commented Nov 21, 2020 at 0:21
  • @multithr3at3d Yep, this is all the code provided. I've been trying to overwrite the eip for the better part of 2 days now with no luck. If I understand the layout correctly, 40 characters fill the buffer, another 4 overwrite the ebp, and the next 4 will overwrite the eip. However, nothing I do manages to touch the value in eip. I can change the ebp with ease, but the eip doesn't budge. So I think you're right, there doesn't seem to be a way. Commented Nov 21, 2020 at 1:03
  • Keep in mind that you actually aren't overflowing into any of those registers until they are actually popped off the stack during leave/return. Problem is, you never reach the return of main because of exit(). Commented Nov 21, 2020 at 14:31
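The offset arithmetic the comments rely on (40 bytes of buffer, then the saved ebp, then the saved return address) can be made concrete with a small model. The program below is an added example, not code from the question or the comments: it lays out a struct with the assumed 32-bit frame layout (no padding, no stack canary, locals in the order written; a real compiler may do otherwise), fills it with a constructed input of N 'A' bytes the way scanf("%s") would (every byte plus a terminating NUL, no bound), and reports which saved slots changed. The sentinel values are made up. Beside the unbounded read it shows the hardened form, scanf with a field width, which stays inside the buffer for the same input. What the model cannot show is the thread's conclusion: even once the saved return address is clobbered, the real program calls exit(1) instead of returning, so ret never executes and the overwritten value is never used.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>
#include <stdint.h>

#define BUF_SIZE 40

/* Assumed 32-bit frame of main(), laid out as the comments describe:
 * 40 bytes of buffer, then the saved ebp, then the saved return address.
 * A real compiler may reorder locals, add padding or a stack canary, so
 * this struct is a model for the offset arithmetic, not a guaranteed layout. */
struct fake_frame {
    char     buffer[BUF_SIZE];
    uint32_t saved_ebp;  /* pushed by main's prologue, restored by leave */
    uint32_t saved_eip;  /* pushed by call, consumed by ret */
};

/* Constructed sentinels with no zero byte, so that even the NUL that
 * scanf appends shows up as a change. */
#define EBP_SENTINEL 0xbffff3c8u
#define EIP_SENTINEL 0x080484a1u
#define CLOBBERED_EBP 1
#define CLOBBERED_EIP 2

static struct fake_frame model;

static void reset_model(void)
{
    memset(model.buffer, 0, BUF_SIZE);
    model.saved_ebp = EBP_SENTINEL;
    model.saved_eip = EIP_SENTINEL;
}

static int clobber_mask(void)
{
    int m = 0;
    if (model.saved_ebp != EBP_SENTINEL) m |= CLOBBERED_EBP;
    if (model.saved_eip != EIP_SENTINEL) m |= CLOBBERED_EIP;
    return m;
}

/* Builds the constructed input: len bytes of 'A', NUL-terminated. */
static void make_input(char *input, size_t len)
{
    memset(input, 'A', len);
    input[len] = '\0';
}

/* Emulates scanf("%s", buffer) on len 'A' bytes: every byte plus a NUL is
 * written from buffer[0] with no bound. Writes are capped at the model frame
 * so this harness never overruns its own real stack; on a real stack the
 * bytes would keep going into the caller's frame. Returns which saved slots
 * were changed (bitmask of CLOBBERED_EBP / CLOBBERED_EIP). */
int unbounded_scanf(size_t len)
{
    char input[sizeof model + 1];
    if (len > sizeof model) len = sizeof model;
    make_input(input, len);
    reset_model();
    size_t n = len + 1;                          /* +1: scanf's terminating NUL */
    if (n > sizeof model) n = sizeof model;
    memcpy((unsigned char *)&model, input, n);   /* overflow once n > BUF_SIZE */
    return clobber_mask();
}

/* The hardened read: a field width keeps scanf inside the buffer
 * (modelled with sscanf over the same constructed input instead of stdin). */
int bounded_scanf(size_t len)
{
    char input[sizeof model + 1];
    if (len > sizeof model) len = sizeof model;
    make_input(input, len);
    reset_model();
    if (sscanf(input, "%39s", model.buffer) != 1)
        model.buffer[0] = '\0';
    return clobber_mask();
}

uint32_t saved_eip_now(void) { return model.saved_eip; }

/* Length of the string in the model buffer, never reading past BUF_SIZE. */
size_t buffer_len_now(void)
{
    size_t i = 0;
    while (i < BUF_SIZE && model.buffer[i] != '\0') i++;
    return i;
}

int main(void)
{
    size_t len;
    printf("saved_ebp at offset %zu, saved_eip at offset %zu\n",
           offsetof(struct fake_frame, saved_ebp),
           offsetof(struct fake_frame, saved_eip));
    for (len = 39; len <= 48; len++) {
        int m = unbounded_scanf(len);
        printf("%2zu chars: ebp %s, eip %s, eip now 0x%08x\n", len,
               (m & CLOBBERED_EBP) ? "clobbered" : "intact",
               (m & CLOBBERED_EIP) ? "clobbered" : "intact",
               (unsigned)saved_eip_now());
    }
    int m = bounded_scanf(45);
    printf("bounded read of 45 chars: mask %d, %zu chars stored\n",
           m, buffer_len_now());
    return 0;
}
```

Compile with any C99 compiler (for example `cc -std=c99 model.c`). In this layout 40 characters already change the saved ebp, because the NUL that scanf appends lands in its first byte, and the saved return address starts changing at 44 characters, so the 45-character input from the question would already reach it; the `%39s` read changes neither slot.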

