I'm doing this exercise on ROP and I'm given a stripped binary that, when disassembled with Ghidra, gives

#include <stdio.h>
#include <string.h>

/* Prints the win message only when called with num == 1 and the right string. */
void secret(long num, char *str){
  int pass;
  if(num == 1){
    pass = strcmp(str, "Hewhewbrew");
    if(pass == 0){
      puts("you win!");
    }
  }
}

/* Reads up to 0x3c bytes into a 1-byte local: the buffer is far too small
 * for the bound passed to fgets, which is the overflow the exercise is about. */
void io(){
  char local_9;

  fgets(&local_9, 0x3c, stdin);
  return;
}

int main(){
  setvbuf(stdin, NULL, 2, 0);   /* 2 == _IONBF: unbuffered I/O */
  setvbuf(stdout, NULL, 2, 0);
  puts("Enter input");
  io();
  return 0;
}

That's the gist of the source that I can gather; it's not the exact thing Ghidra spits out, but the code is so simple I can't think of anything in it to exploit.

  • `fgets` allows up to 0x3c (60 in base 10) input characters, and `local_9` can only hold one. An overflow vulnerability like that opens the door for exploitation. Looks like you're supposed to overwrite the return address in `io` with `secret`'s address and pass it 1 and the string `"Hewhewbrew"`. – yano Aug 24 '22 at 14:20
  • The `io()` function allows you to overwrite its stack memory. By providing the correct input, you can change this function's return address so that it points to `secret()`. You can also store the password string in memory, and the arguments required by the `secret()` function. Search for "stack smashing" for more details. – r3mainer Aug 24 '22 at 14:25
  • Well what if the address happens to contain a byte with 0x10 in it... `fgets` would just go "eww line feed, no way I'm touching that". – Lundin Aug 24 '22 at 14:37
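A hardened counterpart to the `io()` above, as an added example that is not part of the question or the exercise binary: the destination buffer is sized from the same 0x3c constant that bounds `fgets`, so the read can never spill past it. The names `io_fixed`, `io_fixed_from_string`, `reads_as` and `stored_count` are chosen here, and `fmemopen` stands in for stdin so the reader can be exercised offline on constructed input.

```c
#define _POSIX_C_SOURCE 200809L   /* for fmemopen */
#include <stdio.h>
#include <string.h>

#define INPUT_BOUND 0x3c   /* the same bound the decompiled io() passes to fgets */

/* Hardened reader: the destination is sized from the same constant that
 * bounds fgets, so the 0x3c-byte read cannot overflow it. The newline that
 * fgets keeps is dropped and at most out_len-1 bytes are copied to `out`.
 * Returns the number of bytes stored, or -1 on EOF/read error. Taking a
 * FILE* instead of using stdin directly lets the function run offline. */
long io_fixed(FILE *in, char *out, size_t out_len) {
    char line[INPUT_BOUND];
    if (out_len == 0 || fgets(line, (int)sizeof line, in) == NULL) return -1;
    size_t n = strcspn(line, "\n");
    if (n > out_len - 1) n = out_len - 1;   /* truncate, never overflow */
    memcpy(out, line, n);
    out[n] = '\0';
    return (long)n;
}

/* Runs io_fixed over a constructed in-memory input instead of a terminal. */
long io_fixed_from_string(const char *input, char *out, size_t out_len) {
    FILE *in = fmemopen((void *)input, strlen(input), "r");
    if (in == NULL) return -1;
    long n = io_fixed(in, out, out_len);
    fclose(in);
    return n;
}

/* Reports whether `input`, read through an out buffer of out_len bytes
 * (out_len <= INPUT_BOUND), is stored exactly as `expected`. */
int reads_as(const char *input, size_t out_len, const char *expected) {
    char out[INPUT_BOUND];
    if (out_len > sizeof out) return 0;
    long n = io_fixed_from_string(input, out, out_len);
    return n >= 0 && (size_t)n == strlen(expected) && strcmp(out, expected) == 0;
}

/* Number of bytes a full-size out buffer ends up holding for `input`. */
long stored_count(const char *input) {
    char out[INPUT_BOUND];
    return io_fixed_from_string(input, out, sizeof out);
}

int main(void) {
    char out[INPUT_BOUND];
    long n = io_fixed_from_string("Hewhewbrew\n", out, sizeof out);  /* constructed input */
    printf("%ld bytes stored: %s\n", n, out);
    return 0;
}
```

An input longer than the bound is cut at 59 bytes instead of running past the buffer, which is the behaviour the original `io()` lacks.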

0 Answers