exploiting a buffer overflow for security class

[baysidelinux]

Hello,
I am in a Unix security class and we have this program with a bufferoverflow to exploit. There are 2 files on the system one called /etc/games.hiscore & /etc/games.usrpasswd. They both have the same permissions as /etc/shadow and owned by user games. I have to run a program called /usr/local/bin/chkscore. This program runs setuid to set userid on the above files to root.

The program asks for your name at input. the only reason for this name string is to hold a place in memory next to the name of the string2 which is the games.hiscore file. The overflow is in this name string. This string can be made to invade memory space of string2.

I wrote a script like this:
#/bin/bash
cat data2 | /usr/local/bin/chkscore


the data file contains:
aaaaaaaaaaaaaaaaaaaaaaaaaa./hack


The aaaaa's is the junk I need for filler to make the buffer overflow. The ./hack script contains: hack /etc/games.userpasswd. When they allign just right the ./hack script should be called by the chkscore program and set my script to run as root and then cat out the password file to th e screen instead of the high scores.
I dont know if it works, but I tried many combinations of chars and it still dont line up right. If I set the chars less than 31 the program works as normal because the buffer breaks after 30 chars.

If anybodywho knows about this could look at the code and let me know if I am on the right track, it would be much appreciated.
Thanks,
art

[sarumont]

Locking this thread...unfortunately, though a valid question (i.e. - not asking us to do your homework for you), it's still on the border being about exploiting bugs in code. Please re-ask the question in a more specific-to-code (i.e.-not having to do with exploits) question.