`vuln`; the latter is an `ELF` file, which is the executable format for Linux (it is recommended to follow along with a Virtual Machine of your own, preferably Linux).
We'll use `radare2` to analyse the behaviour of the binary when functions are called. The `-d` flag runs the binary under the debugger, while `-A` performs analysis. We can disassemble `main` after seeking to it: `s main` seeks (moves) to `main`, and the disassembly is then printed from that position.

The call to `unsafe` is at `0x080491bb`, so let's break there with `db 0x080491bb`. `db` stands for debug breakpoint, and just sets a breakpoint. A breakpoint is simply somewhere which, when reached, pauses the program for you to run other commands. Now we run `dc`, debug continue; this just carries on running the file until a breakpoint is hit.
The program stops just before `unsafe` is called; let's analyse the top of the stack now. In the output, the first number, `0xff984af0`, is the position (the address on the stack); the second, `0xf7efe000`, is the value stored there. Let's move one more instruction with `ds`, debug step, and check the stack again.
A new value, `0x080491c0`, has been pushed onto the stack. This looks like it's in the binary - but where?

It's the address of the instruction directly after the call to `unsafe` (the `call` at `0x080491bb` is 5 bytes long, so the next instruction sits at `0x080491c0`). Why is it there? This is how the program knows where to return to after `unsafe` finishes: `call` pushes the address of the following instruction before jumping into the function, so that saved return pointer is at the top of the stack when `unsafe` begins.

Let's continue into `unsafe` and break on the `ret`. `ret` is the equivalent of `pop eip`: it pops the saved return pointer we just analysed off the stack into the `eip` register, so execution resumes at `0x080491c0`. Then let's continue and spam a bunch of characters into the input and see how that could affect it.
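To see the mechanism described above in working code, here is an added example (it is not part of the original notes and is not the `vuln` binary). It uses GCC/Clang's `__builtin_return_address(0)` to read the return pointer that `call` saved in the callee's frame and checks that it points just after the call, inside the calling function. The 512-byte bound on the caller's size and the function names are assumptions made for the demo; the register is `eip` on 32-bit x86 and `rip` on x86-64, but the push-on-call, pop-on-ret mechanism is the same.

```c
/* Added example; not from the original notes. `call` pushes the address of
 * the instruction after itself, and that is exactly what the callee sees as
 * its saved return pointer, which `ret` later pops back into the
 * instruction pointer (eip on 32-bit x86, rip on x86-64). */
#include <stdint.h>
#include <stdio.h>

/* Stands in for `unsafe`: returns the return pointer saved in its own frame,
 * i.e. the address `ret` will pop into the instruction pointer.
 * noinline keeps this a real call so a real return address exists. */
__attribute__((noinline)) uintptr_t callee_saved_return(void)
{
    return (uintptr_t)__builtin_return_address(0);
}

/* Stands in for `main`: the address the callee returns to must lie just
 * after the call instruction, i.e. strictly inside this function's own code.
 * Returns 1 if it does, 0 otherwise; the observed address is written to
 * *ret_out when that pointer is non-NULL. */
__attribute__((noinline)) int return_address_points_into_caller(uintptr_t *ret_out)
{
    uintptr_t ret   = callee_saved_return();
    uintptr_t start = (uintptr_t)&return_address_points_into_caller;
    if (ret_out)
        *ret_out = ret;
    /* Assumption: this small function compiles to far less than 512 bytes. */
    return ret > start && ret < start + 512;
}

int main(void)
{
    uintptr_t ret = 0;
    int inside = return_address_points_into_caller(&ret);
    printf("caller starts at 0x%lx, callee returns to 0x%lx, inside caller: %s\n",
           (unsigned long)(uintptr_t)&return_address_points_into_caller,
           (unsigned long)ret, inside ? "yes" : "no");
    return inside ? 0 : 1;
}
```

Run it and compare the two addresses: the return address is a few bytes past the caller's start, exactly the relationship between `0x080491bb` and `0x080491c0` in the notes.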
The saved return pointer has now been overwritten by our input, so when the `ret` occurs, the value popped into `eip` won't be in the previous function but rather `0x41414141` (`0x41` is ASCII `A`, so these are four of the bytes we typed). Let's check by stepping over the `ret` with `ds`: the program crashes trying to execute `0x41414141`. Let's run `dr eip` to make sure that's the value in `eip`.

`radare2` is very useful here and prints out the address that causes the crash. If you cause the program to crash outside of a debugger, it will usually just say `Segmentation Fault`, which could mean a variety of things, but in this situation usually means you have overwritten EIP with something that isn't a valid code address.
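Seeing `0x41414141` in `eip` proves the return pointer was overwritten, but not which bytes of the input got there. The usual next step, shown in this added example (not part of the original notes or the `vuln` binary), is to send a non-repeating pattern instead of plain `A`s and decode the faulting `eip`: its offset in the pattern is the distance from the start of the input to the saved return pointer. It uses the classic `Aa0Aa1Aa2...` scheme, assumes a little-endian 32-bit x86 target, and reuses the page's `0x080491c0` only to show the byte order of a finished payload.

```c
/* Added example; not from the original notes. Generate a pattern in which
 * every 4-byte window is unique (for the first 20280 bytes), decode the
 * value radare2 shows in eip back to an input offset, then build the real
 * payload with that offset. Little-endian x86 is assumed. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PATTERN_MAX 20280  /* 26 upper * 26 lower * 10 digits, 3 bytes each */

/* Write n bytes of the "Aa0Aa1..." pattern into out; returns bytes written. */
size_t pattern_create(char *out, size_t n)
{
    size_t i = 0;
    for (char u = 'A'; u <= 'Z' && i < n; u++)
        for (char l = 'a'; l <= 'z' && i < n; l++)
            for (char d = '0'; d <= '9' && i < n; d++) {
                char trip[3] = { u, l, d };
                for (int k = 0; k < 3 && i < n; k++)
                    out[i++] = trip[k];
            }
    return i;
}

/* Given the crash value shown by `dr eip` (a 32-bit little-endian register),
 * return the offset into the input that ended up in eip, or -1 if the value
 * is not part of the pattern (e.g. 0x41414141 from plain 'A' spam). */
long pattern_offset(uint32_t eip)
{
    static char pat[PATTERN_MAX];
    size_t len = pattern_create(pat, sizeof pat);
    char needle[4] = { (char)(eip & 0xff),         (char)((eip >> 8) & 0xff),
                       (char)((eip >> 16) & 0xff), (char)((eip >> 24) & 0xff) };
    for (size_t i = 0; i + 4 <= len; i++)
        if (memcmp(pat + i, needle, 4) == 0)
            return (long)i;
    return -1;
}

/* Once the offset is known, the payload is `offset` filler bytes followed by
 * the address we want popped into eip, little-endian. Returns the payload
 * length (offset + 4); out must have room for it. */
size_t build_payload(char *out, size_t offset, uint32_t target)
{
    memset(out, 'A', offset);
    for (int k = 0; k < 4; k++)
        out[offset + k] = (char)((target >> (8 * k)) & 0xff);
    return offset + 4;
}

int main(void)
{
    char pat[64];
    size_t n = pattern_create(pat, sizeof pat);
    printf("pattern: %.*s\n", (int)n, pat);

    /* Constructed crash value: what eip would hold if the saved return
     * pointer sat 3 bytes into the input ("Aa1A" read little-endian). */
    uint32_t eip = 0x41316141;
    long off = pattern_offset(eip);
    printf("eip=0x%08x -> offset %ld\n", eip, off);
    printf("eip=0x41414141 -> offset %ld (plain A spam cannot be located)\n",
           pattern_offset(0x41414141));

    char payload[64];
    size_t plen = build_payload(payload, (size_t)off, 0x080491c0);
    printf("payload of %zu bytes ends with %02x %02x %02x %02x\n", plen,
           (unsigned char)payload[plen - 4], (unsigned char)payload[plen - 3],
           (unsigned char)payload[plen - 2], (unsigned char)payload[plen - 1]);
    return 0;
}
```

In practice you would write the pattern to a file, feed it to the binary under `radare2`, read `eip` from `dr eip` after the crash, and pass that value to `pattern_offset`; `build_payload` then gives you the input for the next stage, where the four trailing bytes replace the saved return pointer.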
Safer input functions such as `fgets()` can prevent such an easy overflow, but you should check how much is actually being read: `fgets()` only limits the read to the size argument you pass it, so a size larger than the destination buffer overflows just as an unbounded read would, and a size that fits silently cuts a long line short and leaves the rest in the stream.
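The following added example (not from the original notes, and not the `vuln` program) shows both halves of that caveat: an `fgets()` call with a size argument that lies about the buffer, beside a bounded reader that reports when a line did not fit and drains the leftover bytes. Input comes from a `tmpfile()` filled with a constructed string so it runs without a terminal; the function names are the example's own.

```c
/* Added example; not from the original notes. fgets() only bounds the read
 * by the size you give it: lie about the buffer and it overflows exactly
 * like an unbounded read. Bound it by the real size and you are safe, but a
 * line longer than the buffer is silently cut short and the remainder stays
 * in the stream for the next read, so check how much you actually got. */
#include <stdio.h>
#include <string.h>

/* Vulnerable: the caller's buffer is 16 bytes but the call claims 256.
 * Never called here; shown only for contrast with the checked version. */
void read_name_unsafe(char *buf16, FILE *in)
{
    fgets(buf16, 256, in); /* may write up to 255 bytes into 16 */
}

/* Hardened: bound by the real capacity, strip the newline, and report
 * truncation. If the line did not fit, the rest of it is drained so it is
 * not mistaken for the next input. Returns the length stored, or -1 on
 * EOF/error before any data. */
int read_line_checked(char *buf, size_t cap, FILE *in, int *truncated)
{
    *truncated = 0;
    if (!fgets(buf, (int)cap, in))
        return -1;
    size_t len = strlen(buf);
    if (len > 0 && buf[len - 1] == '\n') {
        buf[--len] = '\0';
    } else {
        /* No newline: either EOF, or the line was longer than cap - 1 bytes.
         * Any byte consumed before the newline means data was lost. */
        int c;
        while ((c = fgetc(in)) != EOF && c != '\n')
            *truncated = 1;
    }
    return (int)len;
}

/* Demo helper: a FILE* that yields the constructed string s. */
FILE *file_from_string(const char *s)
{
    FILE *f = tmpfile();
    if (!f)
        return NULL;
    fputs(s, f);
    rewind(f);
    return f;
}

int main(void)
{
    /* Constructed input: a 40-byte line of 'A's, then a short line. */
    FILE *in = file_from_string("AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\nnext\n");
    if (!in)
        return 1;
    char buf[16];
    int truncated;
    int n = read_line_checked(buf, sizeof buf, in, &truncated);
    printf("read %d bytes (%s), truncated=%d\n", n, buf, truncated);
    n = read_line_checked(buf, sizeof buf, in, &truncated);
    printf("read %d bytes (%s), truncated=%d\n", n, buf, truncated);
    fclose(in);
    return 0;
}
```

The first call stores only 15 bytes and flags truncation; because the remainder of the long line is drained, the second call correctly returns `next` rather than another chunk of `A`s. That second behaviour is what is usually missed when `fgets()` is dropped in as a "safe" replacement.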