Hanoi
Let's set a breakpoint as is standard practice.
This time it only calls one function:
login
Let's investigate how this function exactly works. Set a breakpoint usingbreak 4520
.
We can see the getsn
call is what takes the user input. And in the next instruction at 4540
, the user input is stored at memory address 0x2400
.
The instruction at 455a
compares the byte at memory address 0x2410
with 0x97
.
If we look at that address, we can see that it is filled with zeroes. We can also do this using the R 0x2410
command.
> R 2410
2410 0000 0000 0000 0000 0000 0000 0000 0000 ................
2420 0000 0000 0000 0000 0000 0000 0000 0000 ................
Since our input is stored at 0x2400
, we can overwrite the byte at 0x2410
with 17 bytes minimum. As we are only supposed to enter up to 16 bytes, we are essentially performing a buffer overflow.
Let's try that out. This time we will enter user input in hexadecimal.
If we continue
through the program execution, we are greeted with the following message.
We just exploited our first LockIT lock with a buffer overflow.