15 lines
1.4 KiB
Plaintext
15 lines
1.4 KiB
Plaintext
# Level05
|
|
|
|
Using ghidra, we can decompile the code and see that it fills a buffer of 100 bytes using `fgets()`.
|
|
It will then `xor` every char from 65 to 90 in the ascii table (the upper case alphabet).
|
|
Finally, this string will be passed as the string format to `printf()` and we can exploit this by overwriting the GOT address of the end `exit()`.
|
|
First, we need to find where the buffer is printing on the stack. We can simply write `"AAAA"`, followed by a bunch of `%x` to dump the stack and find where it is. Here, it's in the 10th position.
|
|
Second, we need to get the GOT address of `exit()`. Using gdb, we get an address of `0x80497e0`.
|
|
Then, we will write our shellcode injection to an environment variable so we can print its address instead of `exit()`.
|
|
We can print this address with gdb (or using a C program, which is what we did for automation purposes).
|
|
Once we have all that, we can exploit `printf()` to put the address of our shellcode at the GOT address of `exit()`. For this, we need to split the padding for the address in 2 parts because it would take foreverto print all these bytes of padding.
|
|
We simply separate the shellcode address in an upper part (4 bytes) and a lower part (4 bytes).
|
|
For the exit address, we're gonna write 2 bytes by 2 bytes so we need to write the first part of the address to `0x80497e0` and the second part to `0x80497e0 + 2`, or `0x80497e2`.
|
|
|
|
For this one, you can copy paste the bash script in `./ressources/exploit.sh`.
|