42_override/level05/walkthrough
0x35c a3ea938eb1 level05: done (exploit modified to a better shellcode)
2025-05-15 14:00:44 +02:00
# Level05
Using Ghidra, we can decompile the binary and see that it fills a 100-byte buffer using `fgets()`.
It then XORs every character in the range 65 to 90 of the ASCII table (the upper-case alphabet).
Finally, this string is passed as the format string to `printf()`, which we can exploit by overwriting the GOT entry of the final `exit()` call.
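As an added illustration (not the level's own source), here is the pattern just described: the upper-case XOR followed by `printf(buf)`, next to the fixed call and a small check that flags printf directives in user text. The XOR constant `0x10` is an assumption; the walkthrough does not state it.

```c
#include <stdio.h>
#include <string.h>
/* Added example, not the level's own source: the upper-case XOR and the
 * printf(buf) call described above, beside the fixed call and a check that
 * flags printf directives in user text. XOR_KEY = 0x10 is assumed. */
#define BUF_SZ 100
#define XOR_KEY 0x10 /* assumed */
/* XOR every byte in 'A'..'Z' (ASCII 65..90); returns how many changed. */
int xor_upper(char *s) {
    int changed = 0;
    for (; *s; s++)
        if (*s >= 'A' && *s <= 'Z') { *s ^= XOR_KEY; changed++; }
    return changed;
}

/* Count '%' directives printf would act on ("%%" is a literal). Non-zero
 * on user input is the red flag: %x reads the stack, %n writes memory. */
int count_format_directives(const char *s) {
    int n = 0;
    while ((s = strchr(s, '%')) != NULL) {
        if (s[1] == '%') { s += 2; continue; }
        n++;
        s++;
    }
    return n;
}

/* Vulnerable shape: the user's text is the format string itself.
 * gcc -Wformat-security warns on this printf call. */
void vulnerable_echo(const char *input) {
    char buf[BUF_SZ];
    snprintf(buf, sizeof buf, "%s", input);
    xor_upper(buf);
    printf(buf);
}

/* Fixed shape: the text is only a %s argument; returns rendered length.
 * -Wl,-z,relro,-z,now also makes the GOT read-only, defeating the overwrite. */
int safe_echo(const char *input, char *out, size_t out_sz) {
    char buf[BUF_SZ];
    snprintf(buf, sizeof buf, "%s", input);
    xor_upper(buf);
    return snprintf(out, out_sz, "%s", buf);
}
const char *safe_echo_str(const char *input) {
    static char out[BUF_SZ];
    safe_echo(input, out, sizeof out);
    return out;
}
```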
First, we need to find where the buffer sits on the stack relative to `printf()`'s arguments. We can simply write `"AAAA"` followed by a series of `%x` to dump the stack and locate it. Here, it is at the 10th position.
Second, we need the GOT address of `exit()`. Using gdb, we get `0x80497e0`.
Then we store our shellcode in an environment variable, so that its address can be written in place of `exit()`'s.
We can print this address with gdb (or with a C program, which is what we did for automation purposes).
Once we have all that, we can exploit `printf()` to write the address of our shellcode into the GOT entry of `exit()`. For this, we need to split the write into two parts, because printing enough padding for the whole address at once would take forever.
We simply split the shellcode address into an upper part (4 bytes) and a lower part (4 bytes).
For the `exit()` entry, we write two bytes at a time, so the first part of the address goes to `0x80497e0` and the second part to `0x80497e0 + 2`, i.e. `0x80497e2`.
For this level, you can copy and paste the bash script in `./ressources/exploit.sh`.