Stack canaries and non$-$executable stacks make stack exploitation difficult. Such techniques, however, do not protect against return$-$oriented programming where only the return addresses on the stack are targeted. In this level, you control a single write into a vulnerable buffer in the function prompt$\_$user. Overflow the buffer to modify the return address beyond the stack canary so that it points to a function of your choice. The level will prompt you with an offset $($in decimal$)$ from the beginning of the buffer that will be written into followed by a hexadecimal value that will be written there $($e$.$g$.$ scanf$("\%$d $\%$x$")$;$).$ The program will then write the hexadecimal value to a location computed using the offset. To determine how close you are, examine the pointer being used to write into the stack and how far away it is from the value of $rsp when the retq instruction at the end of prompt$\_$user is reached.

The $.$c file:

#include

#include

#include

#include

#define USERDEF $44$

char msg$[]=$

"Stack canaries and non$-$executable stacks make stack exploitation difficult. Such

$"$

"techniques, however, do not protect against return$-$oriented programming where

$"$

"only the return addresses on the stack are targeted. In this level, you control

$"$

"a single write into a vulnerable buffer in the function prompt$\_$user. Overflow

$"$

"the buffer to modify the return address beyond the stack canary so that it

$"$

"points to a function of your choice. The level will prompt you with an offset

$"$

$"($in decimal$)$ from the beginning of the buffer that will be written into followed

$"$

$"$by a hexadecimal value that will be written there $($e$.$g$.$ scanf$(\backslash "\%$d $\%$x$\backslash ")$;$).$

$"$

"The program will then write the hexadecimal value to a location computed

$"$

"using the offset. To determine how close you are, examine the pointer

$"$

"being used to write into the stack and how far away it is from the value

$"$

$"$of $rsp when the retq instruction at the end of prompt$\_$user is reached.

$"$;

void print$\_$good$()\{$

printf$("$Good Job.

$")$;

exit$(0)$;

$\}$

void segv$\_$handler$($int sig$)\{$

printf$("$Segmentation fault. Try again.

$")$;

exit$(0)$;

$\}$

void print$\_$msg$()\{$

printf$("\%$s$",$msg$)$;

$\}$

void prompt$\_$user$()\{$

char buffer$[44]$;

int offset;

char $*$user$\_$addr;

char $**$over$\_$addr;

printf$("$Enter the password: $")$;

scanf$("\%$d $\%$lx$",$ &offset, $($unsigned long $*)$ &user$\_$addr$)$;

over$\_$addr $=($char $**)($buffer $+$ offset$)$;

$*$over$\_$addr $=$ user$\_$addr;

$\}$

int main$($int argc, char $*$argv$[])\{$

signal$($SIGSEGV$,$ segv$\_$handler$)$;

print$\_$msg$()$;

prompt$\_$user$()$;

printf$("$Try again.

$")$;

return $0$;

$\}$

I've tried $"440$x$0000000000401176"$ and $"440$x$401176"$ and $"450$x$0000000000401176"$ and $"450$x$401176".$