Vega (Launched 1999)
- Password: whyishould
- (20 points)
Table of contents
Vega was a spacecraft developed in a joint mission between Caltopia and the Gobian
Union. However, since Caltopia used all uppercase in its software, and the Gobian
Union used all lowercase, a utility was needed to convert between uppercase and
lowercase. Hack into Vega to learn the truth about EvanBot.
Starter files
The exploit
script in this question is slightly different. The output of egg
is used as an environment variable, which means its value is placed at the top of the stack. The output of arg
is used as the input to the program.
Debugging
debug-exploit
will automatically set up the environment variable and feed the output of your arg
script into the C program.
Tips
-
It might help to read Section 10 of “ASLR Smack & Laugh Reference” by Tilo Müller. (ASLR is disabled for this question, but the idea of the exploit is similar.)
-
It might also help to read Section 3.5 (off-by-one vulnerabilities) of the memory safety textbook page.
-
Environment variables are stored at the special pointer variable
*((char **)environ)
. To see the address of environment variables in gdb, you can run(gdb) x/2wx *((char **)environ) (gdb) x/2wx *((char **)environ+1) (gdb) x/2wx *((char **)environ+2)
-
It may take some trial-and-error to find the output of
egg
among the environment variables. One way to confirm you have the right address is to runx/2wx [your address]
and check that gdb displays what you put inegg
. -
There is a slight chance (1 in 256) that your VM customization causes the value of the sfp to end in
\x00
, which makes this question much harder to solve. You can resolve this by printing out extra garbage bytes in youregg
script (after whatever you were printing before), which pushes the rest of the stack to different addresses.
Deliverables
Two scripts (egg
and arg
) and a writeup. Make sure the scripts work by running ./exploit
.