19 lines
1.5 KiB
Plaintext
19 lines
1.5 KiB
Plaintext
# Level02
|
|
|
|
Using ghidra, we can decompile the code and see that it reads the password through a file stream and stores it in a buffer.
|
|
Then, there are 2 calls to `fgets()`, the first one being used as the format string to `printf()` later on.
|
|
We can use this to print whatever we want (e.g dump the stack, change variables).
|
|
Our goal here will be to change the address of the second buffer (`buff` in the code) to the GOT value of `exit()`. This will then allow us to write whatever we want at this address when the second `fgets()` will be called (here, the address of the `system()` call).
|
|
|
|
To do so, we will first dump the stack to know where the buffer is located.
|
|
Let's print something basic like `print("AAAA" + "%x"*20)`. We can see that 0x41414141 (= "AAAA") is printed at the 8th position in the stack.
|
|
Now that we know where our buffer is located on the stack, let's exploit printf.
|
|
|
|
By using the `%n` flag, we can change the value of a variable to the length of what's been printed before (here, the GOT address of `exit()`).
|
|
To do this, we just need to print 4196997 (the address of the `system()` call) using `printf()`'s padding feature. But since it will be executed at the call to `printf()`, we first need to modify the value of `buff` (the buffer at the 8th position on the stack) in the 2nd `fgets()`.
|
|
All we have to do is put the GOT address of the `exit()` instruction in `buff`.
|
|
|
|
Here is the command:
|
|
`(python -c 'print("%4196997p" + "%8$n" + "\n" + "\x28\x12\x60")'; cat) | ./level02
|
|
`
|