42_Override/level07/walkthrough

# Level07

Using hexrays, we can decompile the code and see a fascist code.
Basically it has 2 functions, `store_number()` and `read_number()` that writes or reads data to a 400 bytes buffer directly through the index.
The issue here is that there's no protection on the write to the buffer (except `index % 3`).
Since the buffer is on the stack, we could overwrite `eip` and replace it by whatever we want.
First, we will need to determine `eip`'s offset to the buffer. To achieve this, let's use `gdb`.
We want to break before a call to `store_number` for example (since it has only one argument, `data` buffer will be in `eax`). We then print both the registers and the stack frame (`info registers` and `info frame`).
We get the adresses of `eip` and `eax` now let's get the offset. Simply substract both addresses: `0xffffdc3c - 0xffffda74 = 456`.
So, at data[456] we have `eip`.
We still have 2 issues with this. The first is that the index we input is multiplied by 4 so we have to input `456/4 = 114`, so the real offset is 114.
But remember the program prevents us from writing to `index % 3 == 0`.
If we input a large number (e.g. `1e20`) into `read_number()`, we see that it is truncated to `MAX_UINT`.
We could probably use this to overflow and still print at index 114.
Let's find the value to overflow to to get 114:
`(MAX_UINT + 1) / 4 + 114`
Which is the overflow value for the input index (write to data[index * 4]) + 114. Once we have that, it's almost done.
All we have left to do is replace `eip` by a call to `system("/bin/sh")`.
Using gdb, we find both addresses (refer to level04 for the exact process).
Here, `system == 0xf7e6aed0` and `"/bin/sh" == 0xf7f897ec`.
We want to put `0xf7e6aed0` in `eip` and `0xf7f897ec` at `eip + 8` (which is eip's index + 2 in `data` since it's multiplied by 4).

Here is the final exploit:
`(python -c 'print "store\n" + "4159090384\n" "1073741938\n" + "store\n" + "4160264172\n" + "116\n" + "quit\n"'; cat) | ./level07`