IO SmashTheStack 3 Write up

  • Jayakrishna Menon V
  • Aug 13, 2015
  • 2 min read

In this level, once we look at the source code, we see that the function good() would give us a shell if executed. That is our objective. The program checks that we have supplied one argument whose length is more than 4 characters. It then copies our argument into buffer using memcpy(), and then sets everything other than the last 4 characters of buffer to 0 using memset().

The variable functionpointer initially points to the function bad(). It is called after the memset(), whereupon we get the message on screen "I'm sorry, you're at ……..".

We can see that functionpointer is declared right before buffer, which means a buffer overflow in buffer can reach it. Also, functionpointer is called right after our argument has been copied into buffer, so an overwritten value is used immediately.
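The root cause is that the program enforces only a minimum argument length before copying strlen() bytes into a fixed 50-byte stack buffer. The following is an added example, not the level's own source, showing the hardened shape of that argument handling: the same lower bound plus the upper bound tied to the destination size that the original lacks. The names copy_arg_bounded, check_arg and tail_is, the MIN_ARG_LEN value of 4, and the struct-free layout are assumptions made for the illustration.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Added example, not the level's own source.  The level checks only a
 * minimum length before memcpy()-ing strlen() bytes of the argument into a
 * 50-byte stack buffer, so nothing stops a longer argument from running
 * past the buffer into the adjacent function pointer.  The fix is an upper
 * bound derived from the destination size. */

#define BUF_SIZE 50       /* buffer size stated in the write-up */
#define MIN_ARG_LEN 4     /* the "more than 4 characters" check, assumed */

enum copy_result { COPY_OK = 0, COPY_TOO_SHORT = -1, COPY_TOO_LONG = -2 };

/* Copy src into a caller-sized buffer, enforcing both the lower bound the
 * program already has and the upper bound it is missing.  One byte is kept
 * for a terminating NUL.  On rejection dst is left untouched.  The final
 * memset() mirrors the level's post-processing: everything except the last
 * four characters of the copied argument is zeroed. */
enum copy_result copy_arg_bounded(char *dst, size_t dstsz, const char *src)
{
    size_t len = strlen(src);

    if (len < MIN_ARG_LEN)
        return COPY_TOO_SHORT;
    if (len >= dstsz)            /* would overflow, or leave no room for NUL */
        return COPY_TOO_LONG;

    memcpy(dst, src, len);
    dst[len] = '\0';
    memset(dst, 0, len - MIN_ARG_LEN);
    return COPY_OK;
}

/* Run the bounded copy against a local 50-byte buffer and report the
 * result; used by main() below and easy to call from a test. */
enum copy_result check_arg(const char *arg)
{
    char buffer[BUF_SIZE];
    return copy_arg_bounded(buffer, sizeof buffer, arg);
}

/* Returns 1 if, after an accepted copy, the surviving four-byte tail equals
 * `expect` and the zeroed prefix really is zero; 0 otherwise. */
int tail_is(const char *arg, const char *expect)
{
    char buffer[BUF_SIZE];
    size_t len = strlen(arg);

    if (copy_arg_bounded(buffer, sizeof buffer, arg) != COPY_OK)
        return 0;
    if (len > MIN_ARG_LEN && buffer[0] != '\0')
        return 0;
    return strcmp(buffer + (len - MIN_ARG_LEN), expect) == 0;
}

int main(int argc, char **argv)
{
    if (argc != 2) {
        fprintf(stderr, "usage: %s <argument>\n", argv[0]);
        return 1;
    }
    switch (check_arg(argv[1])) {
    case COPY_OK:        puts("accepted: fits in the buffer"); break;
    case COPY_TOO_SHORT: puts("rejected: shorter than 4 characters"); break;
    case COPY_TOO_LONG:  puts("rejected: would overflow the 50-byte buffer"); break;
    }
    return 0;
}
```

The important line is the `len >= dstsz` check: the bound is expressed in terms of the destination, so it stays correct if the buffer size changes, and the copy length is never taken from the untrusted string alone.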

So we need to change the value of functionpointer from the address of bad() to the address of good(). Easy, right?

Once we run the program with some arbitrary input, it prints the addresses of good() and bad() on screen. So now we need to make functionpointer point to good() by overflowing buffer.

The size of buffer is declared to be 50. So I tried giving an argument of 50 random characters followed by the address of good() in little endian. But I still got the same result.

The reason is that the compiler adds some extra space between buffers (if any) and the saved ebp. We can still find out the offset using gdb.

To do that, first set a breakpoint somewhere in the middle of the program and run it. Then find the starting address of the buffer. Once you've got that, the gdb command 'info frame' should tell you where the saved eip is.

You can use the 'p/d' command in gdb to subtract the two values and find the number of junk bytes required to overwrite ebp. In this case, it was 76.

The address of good() is 0x08048474.

Now running the python command python -c 'print "A"*76 + "\x74\x84\x04\x08"' along with ./level03, that is, ./level03 $(python -c 'print "A"*76 + "\x74\x84\x04\x08"'), gives you the shell. (\x74\x84\x04\x08 is the address of good() in little endian.)

Now cd into /home/level4 and get the password for the next level.
