scanf [PWN]
Integer overflow leading to a memory leak
Let's read the program's source code.

The program has two functions, get_secret() and main().
get_secret() reads the secret code from secret.txt and returns it.
main() has two integer variables, number1 and number2, and two string variables, input[64] and secret[64]. It uses strcpy to copy the secret code returned by get_secret() into secret, then takes two inputs from the user: the first is number1 and the second is input[64].
scanf is called with the %lld format specifier while number1 is a SIGNED INTEGER (32-bit), and that is the problem: the maximum int value is 2147483647.
scanf stores the input as a long long, so the 8-byte write runs past number1 into number2, and data from number2 is then written back to the user: that is the memory leak.
The second input is compared with the secret code: if they are equal, /bin/sh is executed; if not, a message is printed and the program exits.
Idea of attack
Send -1 as the first input: it sets every bit of a 64-bit long long, but the variable is only a 32-bit int, and that mismatch causes the memory leak.
-1 is 0xffffffffffffffff in memory.
Once the memory is leaked we have the secret code, and we send it as the second input to execute /bin/sh.
Now we create a script to leak the secret code.
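To make the mismatch described above (the %lld conversion writing 8 bytes into a 4-byte int, and the attack idea of sending -1) concrete, here is an added C example; it is not the challenge binary's code. It assumes a struct with two adjacent ints as a stand-in for number1 and number2 sitting next to each other in main()'s stack frame, and shows the vulnerable read beside the fixed one that parses into a matching long long and range-checks before narrowing.

```c
#include <limits.h>
#include <stdio.h>

/* Two adjacent 4-byte ints, constructed to mimic number1 and number2
 * lying next to each other in main()'s stack frame (an assumption). */
struct frame {
    _Alignas(8) int number1;  /* target of the scanf call */
    int number2;              /* neighbour that should never be touched */
};

#define SENTINEL 0x11223344   /* marker value so a clobber is visible */

/* Vulnerable pattern: %lld tells scanf to store 8 bytes, but number1 is
 * only 4 bytes wide. The cast reproduces what scanf("%lld", &number1)
 * does at runtime: the extra 4 bytes land in number2. */
int read_number_vulnerable(const char *line, struct frame *f)
{
    return sscanf(line, "%lld", (long long *)&f->number1);
}

/* Fixed pattern: parse into a variable whose type matches the
 * conversion, then range-check before narrowing to int. */
int read_number_fixed(const char *line, struct frame *f)
{
    long long tmp;
    if (sscanf(line, "%lld", &tmp) != 1)
        return 0;                       /* not a number */
    if (tmp < INT_MIN || tmp > INT_MAX)
        return 0;                       /* would not fit a 32-bit int */
    f->number1 = (int)tmp;
    return 1;
}

/* Value of number2 after the vulnerable parse of `line`. */
int number2_after_vulnerable(const char *line)
{
    struct frame f = { .number1 = 0, .number2 = SENTINEL };
    read_number_vulnerable(line, &f);
    return f.number2;
}

/* Value of number2 after the fixed parse of `line`. */
int number2_after_fixed(const char *line)
{
    struct frame f = { .number1 = 0, .number2 = SENTINEL };
    read_number_fixed(line, &f);
    return f.number2;
}

/* Whether the fixed parser accepts `line` at all. */
int fixed_accepts(const char *line)
{
    struct frame f = { .number1 = 0, .number2 = SENTINEL };
    return read_number_fixed(line, &f);
}

int main(void)
{
    printf("vulnerable, input -1: number2 = 0x%08x\n",
           (unsigned)number2_after_vulnerable("-1"));
    printf("fixed,      input -1: number2 = 0x%08x\n",
           (unsigned)number2_after_fixed("-1"));
    printf("fixed accepts 99999999999? %d\n", fixed_accepts("99999999999"));
    return 0;
}
```

With input -1 the vulnerable version overwrites number2 with 0xffffffff, which is exactly the all-ones pattern the writeup relies on; the fixed version leaves number2 at its sentinel and rejects values outside the int range. Compiling the original with warnings enabled (for example -Wformat) would already flag the int/long long mismatch.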


We have leaked the secret code successfully; now we send it as the second input to execute /bin/sh.

Thank you for reading my writeup.