level05: done (exploit modified to a better shellcode)

level07: walkthrough done
level08: done
level09: done
This commit is contained in:
0x35c
2025-05-15 14:00:44 +02:00
parent 4a88b55e23
commit a3ea938eb1
12 changed files with 74 additions and 29 deletions


@ -5,7 +5,7 @@ Basically it has 2 functions, `store_number()` and `read_number()` that writes o
The issue here is that there's no protection on the write to the buffer (except `index % 3`).
Since the buffer is on the stack, we could overwrite `eip` and replace it by whatever we want.
First, we will need to determine `eip`'s offset to the buffer. To achieve this, let's use `gdb`.
We want to break before a call to `store_number` for example (since it has only one argument, `data` buffer will be in `eax`). We then print both the registers and the stack frame (`info registers` and `info frame`).
We want to break before a call to `store_number()` for example (since it has only one argument, `data` buffer will be in `eax`). We then print both the registers and the stack frame (`info registers` and `info frame`).
We get the adresses of `eip` and `eax` now let's get the offset. Simply substract both addresses: `0xffffdc3c - 0xffffda74 = 456`.
So, at data[456] we have `eip`.
We still have 2 issues with this. The first is that the index we input is multiplied by 4 so we have to input `456/4 = 114`, so the real offset is 114.
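Review bot: the only change in this hunk is `store_number` becoming `store_number()` in the sentence "We want to break before a call to `store_number()` for example", but the surrounding context lines keep two typos ("adresses" should be "addresses", "substract" should be "subtract") and the wording "so the real offset is 114" conflates the byte offset (456, where `eip` sits relative to `data`) with the index passed to `store_number()` (456/4 = 114); consider fixing all three in the same walkthrough edit, e.g. "so the index to pass is 114 (byte offset 456)".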