I am currently completing a CTF exercise where I must attempt to overwrite a function pointer on the stack through a buffer overflow. Here is the code:
    #include <err.h>
    #include <stdio.h>
    #include <stdlib.h>
    #include <string.h>
    #include <unistd.h>

    /* gets() was removed from the C11 headers; it is declared by hand here so
       the deliberately vulnerable call below still compiles. */
    char *gets(char *);

    void complete_level() {
        printf("Congratulations, you've finished :-) Well done!\n");
        exit(0);
    }

    int main(int argc, char **argv) {
        struct {
            char buffer[64];        /* filled by gets(), no length limit */
            volatile int (*fp)();   /* laid out directly after buffer */
        } locals;

        locals.fp = NULL;
        gets(locals.buffer);        /* input longer than 64 bytes runs into fp */
        if (locals.fp) {
            printf("calling function pointer @ %p\n", locals.fp);
            fflush(stdout);
            locals.fp();
        } else {
            printf("function pointer remains unmodified :~( better luck next time!\n");
        }
        exit(0);
    }
The code will get input using the vulnerable gets() function and store it inside the buffer called buffer.
Since buffer is the largest variable in the struct, it will allow me to overwrite variables below it on the stack. The next variable is the function pointer called fp.
In order to overwrite fp (and make it point to complete_level) I will need to find the address of the complete_level function in memory, then write "A" 64 times, then write the function's address.
The problem I have is that I cannot find the address of the function.
So far I have tried objdump; however, that gives me an offset and not the full address:
    $ objdump -M intel -d 3 | grep complete_level
        1184:   80 3d 8d 2e 00 00 00    cmp    BYTE PTR [rip+0x2e8d],0x0    # 4018 <completed.0>
        11ac:   c6 05 65 2e 00 00 01    mov    BYTE PTR [rip+0x2e65],0x1    # 4018 <completed.0>
    00000000000011c9 <complete_level>:
Here is the output of the executable under the file command:

    3: ELF 64-bit LSB pie executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, BuildID[sha1]=11a5f76e0d40b7f4fdc53d4dd60faac9f9e405be, for GNU/Linux 3.2.0, not stripped
Why is it not showing the full address? Also, how can I get the full address of the function complete_level?
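The `file` output above says "pie executable": a position-independent executable has no fixed addresses on disk, objdump prints offsets from the start of the file, and the loader picks the base at run time (with ASLR, a different base on each run). The program below is an added illustration by the editor, not part of the question or the CTF binary; it reads its own load base from /proc/self/maps (Linux only) and shows that the runtime address of a function minus that base is the constant file offset objdump reports. target_function is a hypothetical stand-in for complete_level.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Stand-in for complete_level: objdump shows its file offset, a debugger
 * shows its absolute address once the PIE has been mapped. */
void target_function(void) { puts("target_function reached"); }

/* Lowest start address of the mapping that backs the running executable,
 * i.e. the PIE load base. Returns 0 if /proc is unavailable. */
uintptr_t pie_load_base(void) {
    char exe[4096];
    ssize_t n = readlink("/proc/self/exe", exe, sizeof exe - 1);
    if (n < 0) return 0;
    exe[n] = '\0';

    FILE *f = fopen("/proc/self/maps", "r");
    if (!f) return 0;

    char line[4096];
    uintptr_t base = 0;
    while (fgets(line, sizeof line, f)) {
        /* each line: start-end perms offset dev inode [path] */
        char *path = strchr(line, '/');
        if (!path) continue;
        path[strcspn(path, "\n")] = '\0';
        if (strcmp(path, exe) != 0) continue;
        uintptr_t start = (uintptr_t)strtoull(line, NULL, 16);
        if (base == 0 || start < base) base = start;
    }
    fclose(f);
    return base;
}

/* Runtime address minus load base: the same value on every run, even though
 * ASLR changes the absolute address. This is what a disassembler prints. */
uintptr_t target_offset(void) {
    uintptr_t base = pie_load_base();
    return base ? (uintptr_t)&target_function - base : 0;
}

int main(void) {
    printf("load base:    %#lx\n", (unsigned long)pie_load_base());
    printf("runtime addr: %p\n", (void *)&target_function);
    printf("file offset:  %#lx\n", (unsigned long)target_offset());
    return 0;
}
```

Run it twice on a system with ASLR enabled: the load base and runtime address change, the file offset does not.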
Just use gdb and crack it like I did here.
Look at registers closely and see what moves where, when calls happen, etc.