I'm trying to exploit a buffer overflow vulnerability to overwrite the return address of the stack.
However the code I'm trying to 'hack' makes use canary system. It initializes an integer always to the same hard coded value, 7, and checks to see later if that variable is still the same.
I can create a buffer overflow, and I can write over this variable, however I am having trouble writing the correct value. The buffer overflow is caused by the incorrect use of strcpy. The input is given through the contents of a file, shown below:
0000000: 6132 3334 3536 3738 395f 6232 3334 3536 a23456789_b23456
0000010: 3738 3907 00 789..
void getwd(char *path)
strcpy( path, mapped_path );
int canary = 7;
char path[MAXPATHLEN + 1];
if (getwd(path) == (char *) NULL)
printf("Couldn't get current directory!\n");
printf("Current directory = %s\n", path);
printf("max strlen(path) is %d, strlen(path) = %d\n", MAXPATHLEN-1, strlen(path));
printf("Canary should be 7. Canary = %d\n", canary);
if (canary != 7)
printf("ALERT: path[MAXPATHLEN + 1] has been overflowed!\n");
You would have to inject actual shellcode, that programmatically inserts the integer 7 at this specific position.
First step is to find the return address and set this to a particular position in the buffer.
Second step is to place a zero-free shellcode at the predefined position and let the shellcode set the variable to 7 again.
Zero-free shellcode is not hard to write, because of the many possible ways to zero out a variable without using the actual digit like
xor eax, eax (if you are familiar with assembly).
If you have never done this before, it would probably take much time to achieve this goal.