starnakin/42_rainfall
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

level2 done

Browse Source
This commit is contained in:
0x35c
2025-04-28 17:09:58 +02:00
parent 9e787cb6b9
commit 291c839668
4 changed files with 43 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

13
level2/walkthrough Normal file
View File

@ -0,0 +1,13 @@
# Level2
Using ghidra, we can decompile the code and see that it fills a buffer of 76 bytes using the deprecated (unsafe) function `gets`.
Then, it will check if the return address hasn't been overwritten to and thus prevent us to exploit this vulnerability...
Since it calls `strdup` at the end of the program, we can insert a piece of code executing a linux shell through asm instructions. This will be copied to the heap, and since the ASLR is disabled, the address of where `strdup` will copy the content of the buffer will always be the same (we can find it using `ltrace ./binary`).
For the payload, everything is explained here (thanks cocomelonc UwU):
https://cocomelonc.github.io/tutorial/2021/10/09/linux-shellcoding-1.html
We can then execute this command (similar to the previous one):
`(python -c 'print "\x31\xc0\x31\xdb\x31\xc9\x31\xd2\x50\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69\x89\xe3\xb0\x0b\xcd\x80" + "A" * 55 + "\x08\xa0\x04\x08"' ; cat) | ./level2`
Where we copy our linux shell code to the heap, then fill the buffer until after `eip`.
Finally, we can insert the address where our code has been copied so it will be executed when the `return` instruction is called.