STACK SMASHING DETECTED

You start with two things: a network address where a program runs (you can connect via ssh and interact with it), and the binary of that program, babyfirst. The latter indicates that we will probably need to do something with that binary, as opposed to directly trying injections on the remote instance. Besides, it is natural to start by analyzing the offline material we are given.

OFFLINE

file tells us what we are dealing with:

    babyfirst: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked, \

I hope we won't have to understand the source from those instructions only. We also go through babyfirst hoping for some low-hanging fruit, but without success. This program reads a file flag.txt, which looks darn promising. Locally, we create this file with dummy contents; on the server it contains what we want. So there is a function that reads the flag, but instead of simply displaying it, this function replaces the characters by * beforehand. (Side note: by running the remote program, we learn the length of the real flag; it is too long to be brute-forced, of course.)

We try to input a long string of chars:

    aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
    bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb

The program answers with its robot and then crashes:

    Welcome to the rise of the machines aaaaaa

Interesting! We managed to make the program crash, and with a verbose error. In particular, *** stack smashing detected *** is printed *after* printing the robot, so some code is still executed before crashing.

CODE

The stack is a part of a program's memory (another well-known part is the heap). It is notably used to keep track of the return point (the return address) after running a subroutine; besides, the data used locally by a function is usually written on the stack. When the program does not sanitize its inputs (e.g., when size checks are not done correctly), it is sometimes possible to deviate from the normal execution flow. The well-known attack is to inject shellcode via one input of the program, and then overwrite the instruction pointer to execute the injected code.

The interesting behavior can be demonstrated with this simple C program:

    char buff[8];
    gets(buff); // no size check

We compile this with gcc example.c -o example, and take a look at the assembly code:

    0x00400566:  mov    edi,0x400620    ; "There is no spoon."

    pwndbg> disassemble secret
    0x00400546:  push   rbp

Here we use the excellent pwndbg as an "upgrade" to gdb.

If we analyze the stack right after the call instruction in main, we see that the call pushed the return address 0x40057f on top of the stack:

    00:0000│ 0x7fffffffd968 -▸ 0x40057f (main+29)

This will be used by the ret instruction at the end of secret, which will pop this address into the instruction pointer (RIP on x86-64), causing execution to resume in main. That's how functions are coded in assembly! Let's fast-forward past the two instructions sub and lea, which reserve space on the stack for the locals (the equivalent of char buff[8]) and compute the address of buff. Our input, ninja!!, is shorter than 8 characters and will not overflow:

    00:0000│ 0x7fffffffd950 -▸ 0x002121616A6E696E   ; \0 ! ! a j n i n

Read byte by byte from the right, as the little-endian CPU stores it, this is "ninja!!" followed by the terminating NUL. A longer input would overflow into the higher addresses of the stack: the return address at 0x7fffffffd968 sits just 24 bytes above the buffer at 0x7fffffffd950.
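The frame walked through above, and the *** stack smashing detected *** message seen when running babyfirst, as an added example (this is not code from the page or from the babyfirst binary): a struct stands in for secret()'s frame, from buff upward through a stack-protector canary, the saved rbp and the return address. The layout is assumed; it reproduces the 24-byte distance between the buffer and the return address seen in the pwndbg dumps, and it assumes x86-64 little-endian byte order. CANARY, the saved rbp value and all inputs are constructed. The example shows why ninja!! fits (the same 0x002121616a6e696e word), how a padding-plus-address payload lands in the return-address slot, why the canary check fires in the epilogue, after the function body has already run, and what the bounded read that fixes gets(buff) looks like.

```c
/* Stack-frame model for the gets() overflow discussed above. Added example,
 * not code from the original page. The layout below is an assumption that
 * matches the distances seen in the pwndbg dumps (buff at ...d950, return
 * address at ...d968, 24 bytes apart); a compiler may lay frames out
 * differently. x86-64 little-endian byte order is assumed. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define CANARY   0x5a5a5a5a5a5a5a00ULL  /* assumed; glibc's canary is random per run */
#define RET_MAIN 0x40057fULL            /* main+29, the return address seen on the page */

struct frame {                 /* lowest address first; the stack grows downward */
    char     buff[8];          /* the gets() target: char buff[8] */
    uint64_t canary;           /* -fstack-protector places it above the buffers */
    uint64_t saved_rbp;        /* pushed by "push rbp" in the prologue */
    uint64_t ret_addr;         /* pushed by call, popped by ret into rip */
    uint64_t caller_locals;    /* higher addresses: where a real gets() keeps writing */
};

struct outcome {
    uint64_t word;       /* the 8-byte word pwndbg shows at &buff */
    uint64_t ret;        /* what ret would pop into rip */
    int      canary_ok;  /* 1: epilogue check passes; 0: "*** stack smashing detected ***" */
};

static void frame_init(struct frame *f) {
    memset(f, 0, sizeof *f);
    f->canary = CANARY;
    f->saved_rbp = 0x7fffffffd970ULL;  /* constructed caller rbp */
    f->ret_addr = RET_MAIN;
}

static struct outcome inspect(const struct frame *f) {
    struct outcome o;
    memcpy(&o.word, f->buff, sizeof o.word);  /* same bytes the stack dump prints */
    o.ret = f->ret_addr;
    o.canary_ok = (f->canary == CANARY);
    return o;
}

/* gets(buff) model: copies len input bytes plus a NUL with no size check.
 * gets() itself writes as far as the line goes; here the copy stops at the
 * end of the struct so the example only touches memory it owns. */
struct outcome run_unchecked(const unsigned char *input, size_t len) {
    struct frame f;
    frame_init(&f);
    if (len + 1 > sizeof f) len = sizeof f - 1;
    memcpy((unsigned char *)&f, input, len);
    ((unsigned char *)&f)[len] = '\0';  /* gets() replaces the newline with NUL */
    return inspect(&f);
}

/* Hardened read: the behaviour of fgets(buff, sizeof buff, stdin) applied to a
 * constructed line: at most sizeof(buff) - 1 bytes, stop at newline, always
 * NUL-terminate. Nothing above buff can be reached. */
struct outcome run_bounded(const char *input) {
    struct frame f;
    frame_init(&f);
    size_t i = 0;
    while (i < sizeof f.buff - 1 && input[i] != '\0' && input[i] != '\n') {
        f.buff[i] = input[i];
        i++;
    }
    f.buff[i] = '\0';
    return inspect(&f);
}

/* Classic payload shape: padding up to the return-address slot, then the
 * target address in little-endian order. Returns the payload length. */
size_t build_payload(uint64_t target, unsigned char *out, size_t outsz) {
    size_t pad = offsetof(struct frame, ret_addr);  /* 24 bytes in this layout */
    if (outsz < pad + 8) return 0;
    memset(out, 'A', pad);
    for (int i = 0; i < 8; i++)
        out[pad + i] = (unsigned char)(target >> (8 * i));
    return pad + 8;
}

/* Feeds build_payload()'s output through the unchecked read. */
struct outcome run_payload(uint64_t target) {
    unsigned char p[64];
    size_t n = build_payload(target, p, sizeof p);
    return run_unchecked(p, n);
}

int main(void) {
    struct outcome o = run_unchecked((const unsigned char *)"ninja!!", 7);
    printf("ninja!!: word=0x%016llx ret=0x%llx canary_ok=%d\n",
           (unsigned long long)o.word, (unsigned long long)o.ret, o.canary_ok);
    o = run_payload(RET_MAIN);
    printf("payload: ret=0x%llx canary_ok=%d (ret overwritten, but the canary check fires first)\n",
           (unsigned long long)o.ret, o.canary_ok);
    o = run_bounded("aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\n");
    printf("fgets-style: word=0x%016llx ret=0x%llx canary_ok=%d\n",
           (unsigned long long)o.word, (unsigned long long)o.ret, o.canary_ok);
    return 0;
}
```

The padding that build_payload writes on its way to the return-address slot also clobbers the canary, which is exactly what happened with the long string of a's and b's fed to babyfirst: the body ran and printed the robot, then the epilogue compared the canary and aborted with *** stack smashing detected *** instead of returning to the overwritten address. Getting past that check needs the canary's value, which the analysis on this page has not reached yet.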