05 - passcode
The Challenge
Mommy told me to make a passcode based login system. My initial C code was compiled without any error! Well, there was some compiler warning, but who cares about that?
ssh passcode@pwnable.kr -p2222 (pw:guest)
Examining the Code
The main function calls welcome and then login.
Welcome
It reads a 100-character string, prints it, and returns. This buffer cannot be overflowed, but the input may be useful later.
Login
It seems we need to make passcode1 and passcode2 equal to 338150 and 13371337, but closer examination shows that we cannot write our input into these variables, because scanf is misused: both variables are passed without & in the scanf calls, so scanf treats the current value of each variable as the address to write to rather than writing into the variable itself.
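As an added illustration (not the challenge's own source, which is not reproduced here), the following constructed C program places the scanf misuse beside its corrected form. It uses sscanf on constructed input strings instead of scanf so it runs without a terminal; `login_fixed`, `login_buggy_demo`, `input_landed_in_sink` and `sink` are names chosen for this example, and 338150 and 13371337 are the values the challenge checks.

```c
#include <stdint.h>
#include <stdio.h>

/* The two values the challenge compares against. */
#define PASSCODE1 338150
#define PASSCODE2 13371337

/* Corrected login: each destination is passed by address (&passcode1), so
 * the parsed integer lands in the local variable. Returns 1 when both
 * passcodes match, 0 otherwise (including unparsable input). */
int login_fixed(const char *line1, const char *line2)
{
    int passcode1 = 0, passcode2 = 0;
    if (sscanf(line1, "%d", &passcode1) != 1)
        return 0;
    if (sscanf(line2, "%d", &passcode2) != 1)
        return 0;
    return passcode1 == PASSCODE1 && passcode2 == PASSCODE2;
}

/* What the missing & does at run time. In the challenge `passcode1` is a
 * plain int that is never initialised before scanf, so whatever an earlier
 * call left in that stack slot becomes the destination address. To show the
 * effect without crashing, this demo seeds the slot with the address of
 * `sink` (a stand-in for that stale stack data) and uses intptr_t so the
 * value survives on 64-bit hosts. The cast spells out the conversion the
 * buggy call performs implicitly; with -Wall the original form is reported
 * as a format mismatch (%d expects an int *). */
int login_buggy_demo(const char *line1, int *sink)
{
    intptr_t passcode1 = (intptr_t)sink;   /* stand-in for stale stack data */

    /* Equivalent to the buggy `scanf("%d", passcode1)`: the VALUE of
     * passcode1 is used as the pointer to write through. */
    int n = sscanf(line1, "%d", (int *)passcode1);
    (void)n;

    /* The local itself is never updated, so this comparison cannot succeed
     * through input alone; the parsed number went to *sink instead. */
    return passcode1 == PASSCODE1;
}

/* Helper for observing where the buggy call's input ended up. */
int input_landed_in_sink(void)
{
    int sink = 0;
    login_buggy_demo("338150", &sink);
    return sink;   /* 338150: the write hit sink, not passcode1 */
}

int main(void)
{
    printf("fixed : %d\n", login_fixed("338150", "13371337"));  /* 1 */
    printf("buggy : %d\n", login_buggy_demo("338150", &(int){0})); /* 0 */
    printf("sink  : %d (input landed here, not in passcode1)\n",
           input_landed_in_sink());
    return 0;
}
```

The fixed version also rejects non-numeric input by checking the sscanf return value, which the original pattern ignores. The compiler warning the challenge text jokes about is exactly the one that catches this bug: building with -Wall (or -Wformat) is the cheapest mitigation.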
Executing the Binary
First execution - passcode1 is a number
Second execution - passcode1 is a string
It seems the program is not interacting properly with regular input. What's going on?
Let's debug this thing.
Debugging
We'll examine the stack at the beginning of login after inputting the longest allowed input, all made of 'a'.
Some of the input made its way here. Does this help us? Look closely.
This is the location of passcode1. What do we find there?
The last four bytes of our input! So, we can control the value of passcode1. What can be done with it?
If you recall the examination of the code, the value requested from the user will be written to the location pointed to by passcode1. Where should we make it point?
The GOT Table
TODO