Hacker News

Same, the only thing I can think of is doing something with the pointers in the fns variable in main, but I can't quite figure out what to do.



Yeah, I'm stuck on level 3 as well. I see the printf() bug in capitalize(), but I don't think it's any help. I don't see anything obviously wrong in truncate_and_copy() (the strncpy() call and friends look right). run() is the juicy target, and I know where it's at in memory. There's the obvious comparison bug in main(), and I can use that to call a function pointer other than in the array, but I can't seem to locate a pointer to run(). I thought there might be a way to overflow atoi(), but that doesn't seem useful either.

Several posters have hinted at buffer overflow, but I'm not yet seeing a buffer that I can overflow.

[edit: Nevermind, I got it. Whew.]
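The comment above describes a function-pointer table (`fns`) indexed by user input, with a comparison bug that lets an out-of-range index pick a pointer from outside the table. As an added example (not the challenge binary's code), here is that dispatch pattern with a constructed weak check beside a hardened one; the weak check is an illustration of the bug class, not the challenge's actual comparison bug, and the handler names are placeholders.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

typedef int (*handler_t)(const char *arg);

/* Placeholder handlers standing in for the entries of the fns[] table;
 * each returns a distinct value so a test can tell which one ran. */
static int h_upper(const char *a)   { return (int)strlen(a) + 100; }
static int h_lower(const char *a)   { return (int)strlen(a) + 200; }
static int h_reverse(const char *a) { return (int)strlen(a) + 300; }

static const handler_t fns[] = { h_upper, h_lower, h_reverse };
#define NUM_FNS (sizeof fns / sizeof fns[0])

/* Constructed weak check: a signed index tested only against the upper
 * bound, with <= instead of <. Both -1 and NUM_FNS pass, so fns[idx]
 * would read a pointer-sized value lying outside the table and call it.
 * Returns 1 if the index would be accepted. */
int weak_check_accepts(int idx) {
    return idx <= (int)NUM_FNS;
}

/* Hardened dispatch: parse with strtol (errors and negatives are visible,
 * unlike atoi), reject anything negative or non-numeric, convert to an
 * unsigned type, and require idx < NUM_FNS before touching the table.
 * Returns the handler's result, or -1 when the index is rejected. */
int dispatch(const char *idx_text, const char *arg) {
    char *end = NULL;
    long v = strtol(idx_text, &end, 10);
    if (end == idx_text || *end != '\0' || v < 0)
        return -1;                  /* not a number, trailing junk, or negative */
    size_t idx = (size_t)v;
    if (idx >= NUM_FNS)
        return -1;                  /* off the end of the table */
    return fns[idx](arg);
}

int main(void) {
    printf("dispatch(\"1\", \"abc\")  = %d\n", dispatch("1", "abc"));
    printf("dispatch(\"3\", \"abc\")  = %d\n", dispatch("3", "abc"));
    printf("dispatch(\"-1\", \"abc\") = %d\n", dispatch("-1", "abc"));
    printf("weak_check_accepts(-1)  = %d\n", weak_check_accepts(-1));
    return 0;
}
```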


Did you really end up using buffer overflow? I've been trying to overflow a different quantity all this time, and I'm quite sure you can't buffer overflow.


Right--no buffer overflow. I did find a way to get my needed function pointer on the stack. Hint: we're lucky that the function pointer doesn't have any null bytes in it...


Any hints? :)


I've been playing with nm, but without a hex editor I feel crippled :/


gdb works fine.

  (gdb) x/4x fns
  0xffeaa0cc: 0x080485e4 0x08048640 0x0804869c 0x08048719

  (gdb) x run
  0x804875b <run>: 0x83e58955

  (gdb) x/40x (void*)fns-0x40
etc.


Well, I got my math right to tweak the index I think and now the system is unavailable. Blasted!


You could also use objdump -d to decompile the binary.


Neither can I... ):



