# Level09

Using hexrays, we can decompile the code.
Here we have 4 functions:
- `handle_msg()` => has 3 variables on the stack. The first one is `char msg[140]`, the second one is `char username[40]` and the last one is `int len = 140`.
It calls `set_username(username)` and then `set_msg(msg, len)`.
- `set_username()` => write the username through stdin. 
- `set_msg()` => write the message through stdin in a buffer of 1024 bytes, then copies its content with an `strncpy(msg, buff, len)`
The 4th function is a "secret" function called `secret_backdoor()` which is our goal since it `fgets()` and gives our input to `system()`, thus allowing us to run `"/bin/sh"`.
There is 1 main vulnerability in this program. In the `set_username()` function, `char *username` is being written to through `fgets(buff, 128, stdin)`, then copy the content of `buff` to `username` through a loop whose stop condition is `i <= 40`. But username has a size of 40 bytes, after what we overflow onto `int len`. Since it allows us to overflow on `len`, we can exploit this to then overflow the `fgets()` in `set_msg()`. We're going to put a value of `0xff` in len and hope it will be enough to overflow on `eip`.
Using iterations we found the offset between `msg` and `eip` to be 200 bytes.
What we want to do here is fill the stack with 200 bytes and then put the address of our function `secret_backdoor()` in `eip`.

Here is the command:
`(python -c 'print "A"*40 + "\xff\n" + "A"*200 + "\x00\x00\x55\x55\x55\x55\x48\x8c"[::-1]"; cat) | ./level09`